diff --git a/nixos/base/ssh.nix b/nixos/base/ssh.nix
index f2fbee17..f2a587dc 100644
--- a/nixos/base/ssh.nix
+++ b/nixos/base/ssh.nix
@@ -15,7 +15,7 @@
 in {
 services.openssh = {
 enable = mkDefault true;
- ports = mkDefault [publicPort 22];
+ ports = [publicPort 22];
 openFirewall = mkDefault false;
 settings = {
 PasswordAuthentication = mkDefault false;
diff --git a/systems/hakurei/reisen-ssh.nix b/systems/hakurei/reisen-ssh.nix
index 44b59f12..bae07168 100644
--- a/systems/hakurei/reisen-ssh.nix
+++ b/systems/hakurei/reisen-ssh.nix
@@ -5,6 +5,7 @@
 ...
 }: let
 inherit (lib.modules) mkAfter;
+ sshPort = 41022;
 username = "tf-proxmox";
 sshJump = pkgs.writeShellScript "ssh-jump-${username}" ''
 exec ssh -T \
@@ -18,7 +19,9 @@ in {
 hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path;
 isNormalUser = true;
 };
+
 services.openssh = {
+ ports = mkAfter [ sshPort ];
 settings = {
 KbdInteractiveAuthentication = true;
 PasswordAuthentication = true;
@@ -28,6 +31,9 @@ in {
 ForceCommand ${sshJump}
 '';
 };
+
+ networking.firewall.allowedTCPPorts = [ sshPort ];
+
 sops.secrets = {
 tf-proxmox-passwd = { };
 tf-proxmox-identity = {
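Review bot: Dropping `mkDefault` from `ports` silently changes how host modules combine with this list, and the line does not record why: a `mkDefault` value carries override priority 1000, so a normal-priority definition such as the `ports = mkAfter [ sshPort ];` added in reisen-ssh.nix would have discarded the base list entirely and left only that port bound, whereas now the two lists merge and 22 plus `publicPort` are always listened on. That also means a host wanting fewer ports must use `mkForce` rather than a plain assignment, which this base module should say. Suggest a comment above the line: `# Not mkDefault: host modules append with mkAfter/mkBefore; replacing the list needs mkForce.` The enclosing `services.openssh` set continues past the hunk.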
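Review bot: `ports = mkAfter [ sshPort ];` makes sshd listen on 41022 in addition to the base ports, but the `PasswordAuthentication = true` and `KbdInteractiveAuthentication = true` entries in the same `settings` block are rendered as top-level sshd_config directives and so apply to every listening port, not only the new one; if the password path is meant to be confined to 41022, the block that carries `ForceCommand ${sshJump}` (presumably a `Match User` stanza in `extraConfig`) could add a `LocalPort 41022` criterion, or `services.openssh.listenAddresses` could bind the port explicitly. Whether a `Match` already scopes the password settings cannot be seen from the hunk, and both the `settings` set and the `''` string continue outside it. In the last hunk, `networking.firewall.allowedTCPPorts = [ sshPort ];` opens this port while the base keeps `openFirewall = mkDefault false`, so a comment there, `# 41022 is the only sshd port opened in the firewall on this host; 22/publicPort stay closed unless opened elsewhere.`, would save the next reader a cross-file lookup.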