diff --git a/hosts/canopus/default.nix b/hosts/canopus/default.nix
index 4dcac2a..1b282bc 100755
--- a/hosts/canopus/default.nix
+++ b/hosts/canopus/default.nix
@@ -24,7 +24,7 @@
     };
     firewall = {
       enable = true;
-      allowedTCPPorts = [80 443 3000 6666 8081];
+      allowedTCPPorts = [80 443 22 3000 6666 8081];
       allowedTCPPortRanges = [
         {
           from = 1714;
diff --git a/hosts/controller/default.nix b/hosts/controller/default.nix
index 1ac92df..bb118e9 100644
--- a/hosts/controller/default.nix
+++ b/hosts/controller/default.nix
@@ -47,6 +47,10 @@
 
   networking = {
     hostName = "controller";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [80 443 22];
+    };
   };
 
   security = {
diff --git a/modules/nixos/headscale.nix b/modules/nixos/headscale.nix
index 1d83932..3cf1eab 100644
--- a/modules/nixos/headscale.nix
+++ b/modules/nixos/headscale.nix
@@ -60,6 +60,5 @@
     };
   };
 
-  networking.firewall.allowedTCPPorts = [80 443];
   environment.systemPackages = with pkgs; [headscale];
 }