diff --git a/hosts/astyanax/configuration.nix b/hosts/astyanax/configuration.nix
index 5c2ef27..667b0c2 100644
--- a/hosts/astyanax/configuration.nix
+++ b/hosts/astyanax/configuration.nix
@@ -46,7 +46,6 @@
   };
   networking.hostId = "80eef97e";
-  networking.firewall.allowedTCPPorts = [ 22 ];
   services.openssh = {
     enable = true;
     harden = true;
diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix
index 2e433d2..eeacc59 100644
--- a/hosts/vm/configuration.nix
+++ b/hosts/vm/configuration.nix
@@ -66,7 +66,6 @@
   services.qemuGuest.enable = true;
   services.spice-vdagentd.enable = true;
-  networking.firewall.allowedTCPPorts = [ 22 ];
   services.openssh = {
     enable = true;
     harden = true;
diff --git a/modules/ssh/hardened-openssh.nix b/modules/ssh/hardened-openssh.nix
index 3d750a9..e67b733 100644
--- a/modules/ssh/hardened-openssh.nix
+++ b/modules/ssh/hardened-openssh.nix
@@ -5,15 +5,18 @@ let
 in {
   options.services.openssh.harden = mkEnableOption "harden ssh server configuration";
-  config.services.openssh.settings = optionalAttrs cfg.harden {
-    PermitRootLogin = "no";
-    PasswordAuthentication = false;
-    ChallengeResponseAuthentication = false;
-    X11Forwarding = false;
-    AllowAgentForwarding = false;
-    AllowTcpForwarding = false;
-    PermitTunnel = false;
-    MaxAuthTries = 3;
-    LoginGraceTime = "1m";
+  config = {
+    networking.firewall.allowedTCPPorts = [ 22 ];
+    services.openssh.settings = optionalAttrs cfg.harden {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      ChallengeResponseAuthentication = false;
+      X11Forwarding = false;
+      AllowAgentForwarding = false;
+      AllowTcpForwarding = false;
+      PermitTunnel = false;
+      MaxAuthTries = 3;
+      LoginGraceTime = "1m";
+    };
   };
 }
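Review bot: The new `networking.firewall.allowedTCPPorts = [ 22 ];` inside `config` is unconditional, so any host that merely imports this module gets TCP/22 opened in its firewall even when `services.openssh.enable` is false or `harden` is off, and it hard-codes 22 instead of following `services.openssh.ports`. NixOS already opens the configured sshd ports through `services.openssh.openFirewall` (default true) once the service is enabled, so the explicit rule is likely redundant with the two host files that just dropped it; if an explicit rule is wanted, gate it on the service, e.g. `networking.firewall.allowedTCPPorts = mkIf config.services.openssh.enable config.services.openssh.ports;`. The `cfg` binding used by `optionalAttrs cfg.harden` comes from the `let` block above the hunk, so whether it already aliases `config.services.openssh` cannot be confirmed from here. The module's header lies outside the hunk.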