diff --git a/capytal/cloudflare.nix b/capytal/cloudflare.nix
deleted file mode 100644
index e9640d6..0000000
--- a/capytal/cloudflare.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{config, ...}: let
- secrets = config.spacestation-secrets.lesser;
-in {
- imports = [];
-
- virtualisation.oci-containers.containers.cloudflare-funnel = {
- image = "cloudflare/cloudflared:latest";
- autoStart = true;
- extraOptions = [
- "--network=host"
- ];
- cmd = [
- "tunnel"
- "--no-autoupdate"
- "run"
- "--token"
- secrets.capytal.cloudflare-funnel
- ];
- environment = {};
- };
-}
diff --git a/capytal/default.nix b/capytal/default.nix
index ebc6d67..30a3a3a 100644
--- a/capytal/default.nix
+++ b/capytal/default.nix
@@ -1,8 +1,9 @@ {inputs, ...}: { imports = [ - ./caddy.nix ./cloudflare.nix + ./network.nix ./websites.nix + ./forgejo ./garage.nix ./sqld.nix
diff --git a/capytal/network.nix b/capytal/network.nix
index 8adab92..c73011e 100644
--- a/capytal/network.nix
+++ b/capytal/network.nix
@@ -17,4 +17,26 @@
 '';
 };
 };
+ virtualisation.oci-containers.containers.cloudflare-funnel = let
+ secrets = config.spacestation-secrets.lesser;
+ in {
+ image = "cloudflare/cloudflared:latest";
+ autoStart = true;
+ extraOptions = [
+ "--network=host"
+ ];
+ cmd = [
+ "tunnel"
+ "--no-autoupdate"
+ "run"
+ "--token"
+ secrets.capytal.cloudflare-funnel
+ ];
+ environment = {};
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 433
+ ];
 }
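Review bot: In the `capytal/default.nix` hunk, `./cloudflare.nix` carries no `-` marker as far as the collapsed layout shows, so it appears to stay in `imports` although this same commit deletes `capytal/cloudflare.nix`. If that reading is right, evaluating the module will fail on the missing path, and the entry should be dropped together with `./caddy.nix`. The import list continues past the end of the hunk.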
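Review bot: `433` in the new `networking.firewall.allowedTCPPorts` list in `capytal/network.nix` looks like a typo for `443`; as written the firewall opens an unrelated port and leaves HTTPS closed. Separately, the tunnel token is still passed as `"--token" secrets.capytal.cloudflare-funnel` in `cmd`, so it shows up in the container's process arguments and, if the value is a plain string at evaluation time, in the generated unit inside the world-readable Nix store. Supplying it as `TUNNEL_TOKEN` through `environmentFiles = [ "<path-to-runtime-secret-file>" ];` and dropping the two `--token` entries would keep it out of both places. The image reference `cloudflare/cloudflared:latest` is also unpinned while `--no-autoupdate` is set, so the running version depends on when the image was last pulled; a fixed version tag or digest would make it reproducible. The enclosing module body starts above the hunk.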