diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix
index fb1bcb9..f984edd 100644
--- a/hosts/quitte/network.nix
+++ b/hosts/quitte/network.nix
@@ -15,6 +15,7 @@ firewall = {
 logRefusedConnections = false;
+ trustedInterfaces = [ "podman0"];
 };
 };
diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index dc454e4..bdf3d3b 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@@ -82,9 +82,4 @@ in
 };
 };
 };
- networking.firewall = {
- extraInputRules = ''
- ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
- '';
- };
 }
diff --git a/modules/stream.nix b/modules/stream.nix
index f76141a..5d36501 100644
--- a/modules/stream.nix
+++ b/modules/stream.nix
@@ -1,13 +1,12 @@
 { config, ... }:
+let cfg = config.services.owncast;
+in
 {
 services = {
 nginx = {
 virtualHosts = {
 "stream.${config.networking.domain}" = {
 locations."/" =
- let
- cfg = config.services.owncast;
- in
 {
 proxyPass = "http://${toString cfg.listen}:${toString cfg.port}";
 proxyWebsockets = true;
@@ -19,8 +18,12 @@
 enable = true;
 port = 13142;
 listen = "[::ffff:127.0.0.1]";
- openFirewall = true;
 rtmp-port = 1935;
 };
 };
+ networking.firewall = {
+ extraInputRules = ''
+ ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ${toString cfg.rtmp-port} accept comment "Allow rtmp access from campus nets"
+ '';
+ };
 }
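Review bot: `trustedInterfaces = [ "podman0" ]` accepts every packet arriving on the podman bridge on every port, whereas the rule this commit deletes in modules/ldap/default.nix admitted the podman range to tcp/636 only; any container on the default podman network can now reach every listener on the host, including services that were only kept internal by the firewall. If the LDAP server is the only thing containers need, a port-scoped rule keeps the old boundary: `networking.firewall.extraInputRules = ''iifname "podman0" tcp dport 636 accept comment "Allow ldaps from podman containers"'';`. The deleted rule also admitted 141.30.86.192/26 and 141.76.100.128/25 to port 636 and nothing in this diff replaces that, so confirm that ldaps is still opened to the office nets elsewhere if that access is still wanted. Minor: `[ "podman0"]` is missing the space before `]` that nixpkgs-fmt would insert. The enclosing `firewall` attrset starts outside the hunk.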
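Review bot: The `ip saddr` rule added at the end of the last hunk matches IPv4 only, so with `openFirewall = true` removed the RTMP port is no longer reachable over IPv6 at all; if that is intended, record it in the nft comment, otherwise add a matching `ip6 saddr { … } tcp dport ${toString cfg.rtmp-port} accept` line. Dropping `openFirewall` also stops opening `port` 13142, which looks fine because it is bound to `[::ffff:127.0.0.1]` behind the nginx proxy earlier in the file. The whole-campus /16 prefixes are far wider than the /26 and /25 office prefixes this commit deletes from the ldap module, so every campus host can now reach the ingest port and only the stream key gates the broadcast; the rule comment should say that this widening is deliberate. `extraInputRules` is honoured only by the nftables backend, so a host importing this module without `networking.nftables.enable` will not get this rule. The `services.owncast` block starts outside the hunk.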