diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix
index e3b4b2d..59fad3e 100644
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@@ -30,7 +30,6 @@
         hostName = "legion";
         hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
         networkmanager.enable = true;
-        firewall.trustedInterfaces = [ "tailscale0" ];
         nftables.enable = true;
       };
       systemd.services.NetworkManager-wait-online.enable = false;
diff --git a/modules/system/settei/sane-defaults.nix b/modules/system/settei/sane-defaults.nix
index 7954343..ba1ddb6 100644
--- a/modules/system/settei/sane-defaults.nix
+++ b/modules/system/settei/sane-defaults.nix
@@ -29,6 +29,7 @@ let
 
       # FIXME: Move to common
       services.tailscale.enable = true;
+      networking.firewall.trustedInterfaces = [ "tailscale0" ];
 
       networking.hostName = lib.mkDefault (
         args.configurationName