diff --git a/hosts/hydrogen/services/default.nix b/hosts/hydrogen/services/default.nix
index 03b36fd..dbf16f3 100644
--- a/hosts/hydrogen/services/default.nix
+++ b/hosts/hydrogen/services/default.nix
@@ -6,4 +6,11 @@
     ./nginx
     ./ssh
   ];
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      80 # http
+      443 # https / tls
+    ];
+  };
 }
diff --git a/hosts/hydrogen/system/networking/default.nix b/hosts/hydrogen/system/networking/default.nix
index 5affbdf..e99c7f5 100644
--- a/hosts/hydrogen/system/networking/default.nix
+++ b/hosts/hydrogen/system/networking/default.nix
@@ -8,14 +8,5 @@
 
     # domain name servers, use clouflare family
     nameservers = ["1.1.1.2" "1.0.0.2"];
-
-    # TODO: bouger ça à côté des applications
-    firewall = {
-      allowedTCPPorts = [
-        624 # ssh
-        80 # http
-        443 # https
-      ];
-    };
   };
 }