diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 77e94a8..03dda99 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -9,7 +9,7 @@ let
 in
 {
   imports = [
-    # Include the results of the hardware scan.
+    ./options.nix
     ./backup.nix
     ./hardware.nix
     ./firewall.nix
@@ -132,6 +132,11 @@ in
     driSupport = true;
   };
 
+  architect.firewall = {
+    openTCP = [ 22 ];
+    openTCPVPN = [ 22 ];
+  };
+  
   services = {
     fwupd.enable = true;
     das_watchdog.enable = true;
diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix
index 1a5c131..cf3a781 100644
--- a/hosts/architect/deluge.nix
+++ b/hosts/architect/deluge.nix
@@ -4,8 +4,15 @@ let
   domain = "htdel.giugl.io";
   network = import ./network.nix;
   auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
+
+  listenPorts = [ 51413 51414 ];
 in
 {
+  architect.firewall = {
+    openTCP = listenPorts;
+    openUDP = listenPorts;
+  };
+
   services = {
     deluge = {
       enable = true;
@@ -24,7 +31,7 @@ in
         max_connections_global = 1000;
         max_active_limit = 100;
         max_active_downloading = 100;
-        listen_ports = [ 51413 51414 ];
+        listen_ports = listenPorts;
         random_port = false;
         enabled_plugins = [ "Label" "Extractor" ];
       };
diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix
index d8542e7..4121292 100644
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@@ -6,6 +6,8 @@ let
   dnscrypt_listen_port = "5353";
 in
 {
+  architect.firewall.openUDPVPN = [ 53 ];
+
   services = {
     dnsmasq = {
       enable = true;
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index c25ab23..0d09838 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -1,54 +1,13 @@
 { config, lib, ... }:
 
 with import ./network.nix;
+with lib;
 
 let
-  # TCP services
-  ssh_tcp = 22;
-  http_tcp = 80;
-  https_tcp = 443;
-  synapse_tcp = 8448;
-  gitea_tcp = 10022;
-  prosody_tcp = 5222;
-  minecraft_tcp = 25565;
-
-  # UDP services
-  dns_udp = 53;
-  wireguard_udp = 1194;
-
-  # TCP/UDP services
-  torrent_a = 51413;
-  torrent_b = 51414;
-
-  # grouping
-  open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    synapse_tcp
-    gitea_tcp
-    torrent_a
-    torrent_b
-    minecraft_tcp
-  ];
-  open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    wireguard_udp
-    torrent_a
-    torrent_b
-    config.services.tailscale.port
-  ];
-  open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    prosody_tcp
-    minecraft_tcp
-  ];
-  open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    dns_udp
-    wireguard_udp
-  ];
-
+  openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
+  openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
+  openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
+  openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
 in
 {
   networking = {
@@ -161,10 +120,11 @@ in
             ip saddr ${tailscale-net} accept comment "tailscale > local"
             ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
 
-            iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
-            iifname ${wan-if} udp dport {${open_udp_ports}} accept
-            iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
-            iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
+            iifname ${wan-if} tcp dport {${openTCP}} accept
+            iifname ${wan-if} udp dport {${openUDP}} accept
+            iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
+            iifname ${vpn-if} udp dport {${openUDPVPN}} accept
+                      
             iifname ${vpn-if} icmp type echo-request accept
             iifname ${docker-if} udp dport 53 accept
             jump filter_drop
diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix
index bc1bb3d..3f4c8a9 100644
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@@ -1,11 +1,12 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   domain = "git.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
+  architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
+
   services.gitea = {
     enable = true;
     database.type = "sqlite3";
diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix
index af78431..96a4a35 100644
--- a/hosts/architect/minecraft.nix
+++ b/hosts/architect/minecraft.nix
@@ -5,6 +5,8 @@ let
   network = import ./network.nix;
 in
 {
+  architect.firewall.openTCP = [ 25565 ];
+  
   services.minecraft-server = {
     enable = true;
     eula = true;
diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix
index 0cbfe53..6f053a7 100644
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@@ -1,6 +1,11 @@
 { services, pkgs, lib, ... }:
 
 {
+  architect.firewall = {
+    openTCP = [ 80 443 ];
+    openTCPVPN = [ 80 443 ];
+  };
+
   services.nginx = {
     enable = true;
     package = pkgs.openresty;
diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix
new file mode 100644
index 0000000..5f530b9
--- /dev/null
+++ b/hosts/architect/options.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options.architect.firewall = {
+    openTCP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openTCPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+  };
+
+}
diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix
index 49fd1ad..43dcab0 100644
--- a/hosts/architect/tailscale.nix
+++ b/hosts/architect/tailscale.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   network = import ./network.nix;
@@ -6,6 +6,8 @@ let
   ifname = "ts0";
 in
 {
+  architect.firewall.openUDP = [ config.services.tailscale.port ];
+
   services = {
     tailscale = {
       enable = true;
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index cddca63..bb8b5f9 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@@ -1,4 +1,14 @@
-with import ./network.nix; {
+{ config, lib, ... }:
+with import ./network.nix;
+let
+  listenPort = 1194;
+in
+{
+  architect.firewall = {
+    openUDP = lib.singleton listenPort;
+    openUDPVPN = lib.singleton listenPort;
+  };
+
   networking = {
     extraHosts = ''
       ${architect-wg} architect.devs.giugl.io
@@ -37,7 +47,8 @@ with import ./network.nix; {
 
     wireguard = {
       interfaces.${vpn-if} = {
-        listenPort = 1194;
+        inherit listenPort;
+
         ips = [ "10.3.0.1/24" ];
         privateKeyFile = "/secrets/wireguard/server.key";