diff --git a/hosts/Nixcloud/default.nix b/hosts/Nixcloud/default.nix
index 3ff32b6..dd56ec2 100644
--- a/hosts/Nixcloud/default.nix
+++ b/hosts/Nixcloud/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./hardware-configuration.nix
@@ -16,9 +16,18 @@
 
   zramSwap.enable = true;
 
+  environment.systemPackages = with pkgs; [
+    git
+  ];
+
   networking.hostName = "srv1065175";
   networking.domain = "hstgr.cloud";
 
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ];
+  };
+
   services.openssh.enable = true;
   users.users.root.openssh.authorizedKeys.keys = [
     ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjC5EuxC6un3StoRkn1X1Mv09Mx1icGfN5fnlWRfqFPtiwAusJA+q0p2MktujY/+kDOpzExtjbXP5CtW7zcUfeitO26BY0WH106P4ttsq/0zzq5pmPXxGn9crN7JqFp3f9LMlL0F+3Oa0mJ6HcS2UgQEUYS6ofJBV1CLeMfkv75F+iy7AG1V9EaT4pvwdmAJ+6XXSo+UtadWOZGlWVRETyDcxa2H/aS/e+JrQfeAHM9f9cyeZqO9OHFWmuzHDc2T014+OhzzWnLUC/nUc1KUELvha1cT1ViMbcF62cjQXxip/5GGsIkw+7PdJFTn3ITwRO1+06qs6WnO4ceh8wIyOblUgTfRvIXkB7nnanC3CupqLbT+s/HeRiwnI4aih7lDrB717dPTy/ZfNXqxy1K51bZzRTXzkY+oUF1eqG37KvGoFZ6Zjf8KMrtTWBhqdIWV/kY4ZBTtvtiU81iXEWbobcyTzsIzKtZhCrGt+KxFUYV90u+ts3jrFdHIsN/tIzuEKz2ZZ8f749u2Q9jgIwe1KLtTwmSDjAV5gkbnE7ZDMB82pTzlwdrZ/VkCIu3/EtoWq3Y+NrKL4OzWL74Tzgsn28jvsegrnz5Lp24zPpNmBzCgbkwPStFjvp16G6pUiTLAAn9YiBqYbbvDbGxun55QMwYORGsdk5hISaC/cPzaUKkQ== thiago@sposito.ch''
diff --git a/hosts/Nixcloud/forgejo.nix b/hosts/Nixcloud/forgejo.nix
index 52189fe..5e74e92 100644
--- a/hosts/Nixcloud/forgejo.nix
+++ b/hosts/Nixcloud/forgejo.nix
@@ -7,7 +7,7 @@ in
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "thiago@sposi.to";
+    defaults.email = "th.spo@pm.me";
   };
 
   services.nginx = {
@@ -15,6 +15,7 @@ in
     virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
+      # Allow HTTP initially for ACME challenge, will redirect to HTTPS once cert is ready
       extraConfig = ''
         client_max_body_size 512M;
       '';