diff --git a/nix.nix b/nix.nix
index 4fab5ea..09cc7a5 100644
--- a/nix.nix
+++ b/nix.nix
@@ -19,12 +19,6 @@
   networking = {
     firewall = {
       enable = true;
-      allowedTCPPorts = [
-        22
-        80
-        443
-        2222
-      ];
     };
   };
 
diff --git a/ssh.nix b/ssh.nix
index ccd29c1..fdf765b 100644
--- a/ssh.nix
+++ b/ssh.nix
@@ -6,6 +6,8 @@
     openssh.authorizedKeys.keyFiles = [ /root/.ssh/kamov.pub ];
   };
 
+  networking.firewall.allowedTCPPorts = [ 22 2222 ];
+
   services = {
     endlessh = {
       enable = true;
diff --git a/web.nix b/web.nix
index 8340637..adfb696 100644
--- a/web.nix
+++ b/web.nix
@@ -14,6 +14,8 @@
     defaults.email = "maciej@kamoshi.org";
   };
 
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
   services = {
     nginx = {
       enable = true;