diff --git a/hosts/vps/modules/network.nix b/hosts/vps/modules/network.nix
index 71c955f..710509f 100644
--- a/hosts/vps/modules/network.nix
+++ b/hosts/vps/modules/network.nix
@@ -5,7 +5,7 @@
 networking.domain = "";
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 22 80 443 ];
+ allowedTCPPorts = [ 80 443 ];
 };
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 }
diff --git a/hosts/vps/modules/services/openssh.nix b/hosts/vps/modules/services/openssh.nix
index 728a51e..808e42e 100644
--- a/hosts/vps/modules/services/openssh.nix
+++ b/hosts/vps/modules/services/openssh.nix
@@ -1,6 +1,7 @@
 {
 services.openssh = {
 enable = true;
+ openFirewall = false;
 settings = {
 PasswordAuthentication = false;
 PermitRootLogin = "prohibit-password";
diff --git a/hosts/vps/modules/services/tailscale.nix b/hosts/vps/modules/services/tailscale.nix
index 85f7a0d..da69499 100644
--- a/hosts/vps/modules/services/tailscale.nix
+++ b/hosts/vps/modules/services/tailscale.nix
@@ -8,5 +8,6 @@
 authKeyFile = config.sops.secrets."tailscale/authkey".path;
 useRoutingFeatures = "both";
 permitCertUid = "caddy";
+ extraUpFlags = [ "--ssh" ];
 };
 }
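Review bot: Dropping 22 from `allowedTCPPorts` in network.nix leaves the host sshd from openssh.nix enabled but, as far as this diff shows, reachable on no interface: nothing here marks the Tailscale interface as trusted, so tailnet peers can only use the new Tailscale SSH path and not the hardened OpenSSH daemon. If OpenSSH is meant to remain the fallback over the tailnet, add `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` (or list `tailscale0` in `networking.firewall.trustedInterfaces`) beside this list; if the intent is Tailscale-SSH-only, a comment such as `# 22 intentionally absent: admin access is via Tailscale SSH` would stop the next reader re-adding it. Because the public SSH exposure and the new admin path change in the same commit, confirm the tailnet ACL grants an ssh rule for this node and that an out-of-band console exists before deploying, otherwise a failed `tailscale up` locks the operator out. The enclosing attribute set starts before line 5.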
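Review bot: `openFirewall = false;` in openssh.nix is the line that actually closes port 22, because the module default opens `services.openssh.ports` on every interface regardless of the list in network.nix, yet nothing records why sshd stays enabled with no reachable port. Add `openFirewall = false; # sshd not exposed publicly; admin access goes over Tailscale (see tailscale.nix)` so the dependency between the two files is visible. Note that the `settings` hardening below it (`PasswordAuthentication`, `PermitRootLogin`) governs only this OpenSSH daemon and does not apply to Tailscale SSH sessions. The `services.openssh` set continues past the hunk.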
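Review bot: `extraUpFlags = [ "--ssh" ]` in tailscale.nix is only applied when the autoconnect unit actually runs `tailscale up`; on a node that is already logged in that unit is, as far as I recall, skipped, and `tailscale up` with a changed flag set is refused without `--reset`, so the flag may silently not take effect on the existing VPS while the other two hunks have already closed port 22. Prefer `extraSetFlags = [ "--ssh" ];` if the nixpkgs revision provides it, since `tailscale set` is applied on every start, and otherwise verify with `tailscale status` that SSH is enabled before the firewall change is deployed. Enabling `--ssh` also moves authentication and authorization for shell access entirely to the tailnet ACL's `ssh` rules, outside the `services.openssh.settings` hardening, so the ACL should limit the permitted users and use `check` mode for root. The enclosing `services.tailscale` set starts before line 8.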