diff --git a/machines/pedro/configuration.nix b/machines/pedro/configuration.nix
index f7e30f7..14b260c 100644
--- a/machines/pedro/configuration.nix
+++ b/machines/pedro/configuration.nix
@@ -67,25 +67,7 @@
 };
 };
 };
- firewall = {
- allowedTCPPorts = [
- 8384 22000 # syncthing
- 8080 8443 6789 8880 8843 27117 # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
- 53 8088 # pihole
- #3000 # gitea
- #8081 # vaultwarden
- #8000 # paperless
- 80 443 # reverse proxy
- ];
- allowedUDPPorts = [
- 22000 21027 # syncthing
- 3478 5514 10001 1900 123 # unifi
- 53 # pihole
- ];
- allowedUDPPortRanges = [
- { from = 5656; to = 5699; } # unifi
- ];
- };
+ firewall = import ./firewall.nix;
 timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
 };
 
diff --git a/machines/pedro/firewall.nix b/machines/pedro/firewall.nix
new file mode 100644
index 0000000..df8efcc
--- /dev/null
+++ b/machines/pedro/firewall.nix
@@ -0,0 +1,19 @@
+{
+ allowedTCPPorts = [
+ 8384 22000 # syncthing
+ 8080 8443 6789 8880 8843 27117 # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
+ 53 8088 # pihole
+ #8123 # home-assistant
+ #3000 # gitea
+ #8081 # vaultwarden
+ 80 443 # reverse proxy
+ ];
+ allowedUDPPorts = [
+ 22000 21027 # syncthing
+ 3478 5514 10001 1900 123 # unifi
+ 53 # pihole
+ ];
+ allowedUDPPortRanges = [
+ { from = 5656; to = 5699; } # unifi
+ ];
+}
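Review bot: The new `firewall.nix` carries TCP 27117 over into `allowedTCPPorts`, and the UniFi reference linked on that same line describes it as the controller's local-bound database port, so it should not need to be reachable from other hosts; I would drop it from the list unless something off-box is known to connect to it. The list also opens what look like admin interfaces (8384 for Syncthing, 8443 for UniFi, 8088 for Pi-hole) through the top-level `allowedTCPPorts`, which applies to every interface. If this machine has, or later gains, a second interface such as a VPN or a guest VLAN, moving those entries to `interfaces.<lan-if>.allowedTCPPorts` would keep them LAN-only. Since the file is a bare attribute set rather than a module, a header comment such as `# Firewall settings for pedro; imported as the firewall attribute in configuration.nix` would tell readers where it is consumed.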