diff --git a/flake.lock b/flake.lock
index 2972d8a..df782b3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1768127708,
- "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
+ "lastModified": 1768305791,
+ "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
+ "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e",
 "type": "github"
 },
 "original": {
diff --git a/hosts/puter/default.nix b/hosts/puter/default.nix
index b1bd13b..afc4f6e 100644
--- a/hosts/puter/default.nix
+++ b/hosts/puter/default.nix
@@ -8,6 +8,7 @@
 ./syncthing.nix
 ./packages.nix
 ./wireguard.nix
+ ./prometheus-node-exporter.nix
 #./remotebuild_user.nix
 # DE
 ../../modules/de/multiple-dms.nix
@@ -27,5 +28,10 @@
 networking.hostName = "puter"; # This will be overridden by system/default.nix
 system.stateVersion = "24.05";
- security.pki.certificates = ["/home/user/.config/bigbox.local.crt"];
+ networking.resolved = {
+ enable = true;
+ dns = ["dns.mycloudhaus.xyz"];
+ dnsOvertTls = true;
+ dnssec = true;
+ };
 }
diff --git a/hosts/puter/prometheus-node-exporter.nix b/hosts/puter/prometheus-node-exporter.nix
new file mode 100644
index 0000000..7668b0e
--- /dev/null
+++ b/hosts/puter/prometheus-node-exporter.nix
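Review bot: The `networking.resolved` attribute set in the second default.nix hunk does not look like a NixOS option path — the resolved module is exposed as `services.resolved` (with `dnsovertls` and `dnssec` as string-valued options and the server list under `networking.nameservers`), so as written this should fail evaluation with an undefined-option error rather than enable DNS-over-TLS. Independently of the option names, resolved's DNS= entries need an IP address to connect to; the hostname after a `#` is what the TLS certificate is validated against, so `"dns.mycloudhaus.xyz"` on its own cannot be reached before name resolution works. Strict `dnssec = "true"` makes every lookup fail when the upstream does not return DNSSEC records, so confirm the cloudhaus resolver supports it or use `"allow-downgrade"`. A corrected block would look like the following, with the server address filled in.
```nix
  services.resolved = {
    enable = true;
    dnsovertls = "true";
    # strict validation fails lookups against an upstream without DNSSEC; "allow-downgrade" is the lenient form
    dnssec = "true";
  };
  # resolved needs an address to connect to; the "#name" suffix is what the DoT certificate is checked against
  networking.nameservers = ["<dns-server-ip>#dns.mycloudhaus.xyz"];
```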
@@ -0,0 +1,27 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ # https://nixos.org/manual/nixos/stable/#module-services-prometheus-exporters
+ # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9100;
+ # For the list of available collectors, run, depending on your install:
+ # - Flake-based: nix run nixpkgs#prometheus-node-exporter -- --help
+ # - Classic: nix-shell -p prometheus-node-exporter --run "node_exporter --help"
+ enabledCollectors = [
+ "ethtool"
+ "softirqs"
+ "systemd"
+ "tcpstat"
+ "wifi"
+ ];
+ # You can pass extra options to the exporter using `extraFlags`, e.g.
+ # to configure collectors or disable those enabled by default.
+ # Enabling a collector is also possible using "--collector.[name]",
+ # but is otherwise equivalent to using `enabledCollectors` above.
+ # extraFlags = [ "--collector.ntp.protocol-version=4" "--no-collector.mdadm" ];
+ };
+}
diff --git a/hosts/puter/wireguard.nix b/hosts/puter/wireguard.nix
index a91caa8..fcc1174 100644
--- a/hosts/puter/wireguard.nix
+++ b/hosts/puter/wireguard.nix
@@ -3,18 +3,24 @@
 pkgs,
 ...
 }: {
- networking.wireguard.interfaces = {
- wg0 = {
- ips = [ "10.0.0.3/32" ];
- listenPort = 5553;
- privateKeyFile = "/etc/wireguard/wg0.key";
- peers = [
- { # cloudhaus
- publicKey = "SOqdU6uku2t0l8lGBDEnwDNHrb5Nk/64qA6++mGa+CI=";
- allowedIPs = [ "10.0.0.1/32"];
- endpoint = "46.62.255.194:51820";
- persistentKeepalive = 25;
- }];
- };
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = ["10.0.0.3/32"];
+ listenPort = 5553;
+ privateKeyFile = "/etc/wireguard/wg0.key";
+ peers = [
+ {
+ # cloudhaus
+ publicKey = "SOqdU6uku2t0l8lGBDEnwDNHrb5Nk/64qA6++mGa+CI=";
+ allowedIPs = ["10.0.0.1/32"];
+ endpoint = "46.62.255.194:51820";
+ persistentKeepalive = 25;
+ }
+ ];
 };
+ };
+ networking.firewall.allowedTCPPorts = [9100];
+ networking.firewall.interfaces = {
+ wg0.allowedTCPPorts = [9100];
+ };
 }
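Review bot: The new node_exporter service binds to every interface by default (the NixOS exporter option `listenAddress` defaults to "0.0.0.0"), and the wireguard.nix hunk on this same line additionally opens TCP 9100 on all interfaces with `networking.firewall.allowedTCPPorts = [9100];`, so the unauthenticated metrics endpoint — which with the `systemd`, `ethtool` and `wifi` collectors enabled here reports unit names and interface details — is reachable from any network the host joins, not only over the tunnel. The per-interface rule `wg0.allowedTCPPorts = [9100];` already covers the intended scraper path, so drop the global `allowedTCPPorts` line and pin the listener to the tunnel address configured in that file, `listenAddress = "10.0.0.3";`. With that, a host on the LAN or a public hotspot cannot read the exporter at all, and the firewall rule and the bind address agree on who may scrape.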