diff --git a/hosts/alo-cloud-1/default.nix b/hosts/alo-cloud-1/default.nix
index 2d3c614..c63e340 100644
--- a/hosts/alo-cloud-1/default.nix
+++ b/hosts/alo-cloud-1/default.nix
@@ -24,4 +24,20 @@
 externalInterface = "enp1s0";
 internalInterfaces = [ "tailscale0" ];
 };
+
+ # Security hardening: Enable firewall (override global setting)
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ]; # Public web traffic only
+ allowedUDPPorts = [ 41641 ]; # Tailscale
+ trustedInterfaces = [ "tailscale0" ]; # Full access via VPN
+ };
+
+ # Security hardening: Restrict SSH to Tailscale only + key-based auth
+ services.openssh = {
+ listenAddresses = [
+ { addr = "100.75.147.49"; port = 22; } # Tailscale IP only
+ ];
+ settings.PasswordAuthentication = false; # Keys only
+ };
 }
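Review bot: Binding sshd to the fixed Tailscale address `100.75.147.49` in `listenAddresses` is a lockout risk: if tailscale0 has not brought that address up by the time sshd starts (or the node's Tailscale IP ever changes), sshd fails to bind and there is no other way onto the host. Since `trustedInterfaces = [ "tailscale0" ]` already admits SSH over the VPN and 22 is not in `allowedTCPPorts`, the same restriction is safer expressed as a firewall rule: drop `listenAddresses` and add `services.openssh.openFirewall = false;` (I believe the NixOS module opens port 22 by default — please confirm), or, if the bind must stay, set `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` so sshd can bind before the interface is up. `settings.PasswordAuthentication = false` alone may not disable password logins, because keyboard-interactive/PAM authentication is a separate sshd option; add `settings.KbdInteractiveAuthentication = false;` next to it. The enclosing attribute set begins before this hunk.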