diff --git a/hosts/marr/default.nix b/hosts/marr/default.nix index e85b67a..5cf650a 100644 --- a/hosts/marr/default.nix +++ b/hosts/marr/default.nix @@ -151,21 +151,18 @@ security.polkit.enable = true; - virtualisation.libvirtd.enable = true; - programs.virt-manager.enable = true; + virtualisation = { + libvirtd.enable = true; + }; programs.nix-ld.enable = true; environment.systemPackages = with pkgs; [ shared-mime-info glib - wireguard-tools dconf xdg-utils brightnessctl - pop-icon-theme - - kicad-small ]; system.stateVersion = "24.11"; diff --git a/hosts/raptus/default.nix b/hosts/raptus/default.nix index 84e60b8..f16d22d 100644 --- a/hosts/raptus/default.nix +++ b/hosts/raptus/default.nix @@ -79,7 +79,7 @@ in networking = { nftables.enable = true; - firewall = lib.mkForce { + firewall = { enable = true; allowedTCPPorts = [ 80 # for acme challenges @@ -109,6 +109,8 @@ in port = 22; }; + services.fail2ban.enable = true; + environment.systemPackages = map lib.lowPrio [ pkgs.curl pkgs.gitMinimal diff --git a/hosts/raptus/forgejo.nix b/hosts/raptus/forgejo.nix index cab38b4..2c69f4a 100644 --- a/hosts/raptus/forgejo.nix +++ b/hosts/raptus/forgejo.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: let domain = "git.ccnlc.eu"; + sshPort = 2222; in { systemd.tmpfiles.rules = @@ -15,7 +16,7 @@ in "L+ ${config.services.forgejo.customDir}/public/robots.txt - - - - ${robots.outPath}" ]; - networking.firewall.allowedTCPPorts = [ 2222 ]; + networking.firewall.allowedTCPPorts = [ sshPort ]; services.nginx = { enable = true; @@ -43,8 +44,8 @@ in settings = { server = { - SSH_PORT = 2222; - SSH_LISTEN_PORT = 2222; + SSH_PORT = sshPort; + SSH_LISTEN_PORT = sshPort; START_SSH_SERVER = true; DOMAIN = domain; HTTP_PORT = 3000;
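Review bot: In hosts/raptus/default.nix (hunk at -79,7), dropping `lib.mkForce` from `firewall = {` means the `allowedTCPPorts` list in this file is no longer the authoritative allowlist. It now merges with whatever other modules declare, such as the `[ sshPort ]` entry in hosts/raptus/forgejo.nix and, presumably, any port a service module opens by default. That looks intended for the Forgejo SSH port, but this list no longer shows everything reachable from outside. I would add a comment above the list, e.g. `# not exhaustive: other modules append ports (see forgejo.nix); check the evaluated networking.firewall.allowedTCPPorts`, and compare the evaluated value before and after this commit. The `networking` block continues outside the hunk.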
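Review bot: `services.fail2ban.enable = true;` in hosts/raptus/default.nix (hunk at -109,6) is switched on with defaults only, which as far as I know covers the host sshd jail and nothing else. The Forgejo built-in SSH server that hosts/raptus/forgejo.nix exposes on `sshPort` (`START_SSH_SERVER = true`) and the nginx ports would get no jail from this line. If brute-force protection is meant for those too, they need their own entries under `services.fail2ban.jails` with a filter matching the Forgejo log format. I would also set `services.fail2ban.ignoreIP` for the admin network so a failed-login burst from there cannot lock out remote management, and add a one-line comment saying which services the ban is expected to cover.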