diff --git a/roles/alpine/templates/local.nft.j2 b/roles/alpine/templates/local.nft.j2
index d6ed6af..463a77b 100644
--- a/roles/alpine/templates/local.nft.j2
+++ b/roles/alpine/templates/local.nft.j2
@@ -14,7 +14,7 @@ table inet filter { ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } {{ service.protocol.value }} dport { {{ ports }} } accept {% endif %} {% else %} - {{ service.protocol.value }} dport { {{ ports }} } accept + tcp dport { {{ ports }} } accept {% endif %} {% endfor %}
diff --git a/roles/facts/tasks/main.yml b/roles/facts/tasks/main.yml
index d34a6a7..914e128 100644
--- a/roles/facts/tasks/main.yml
+++ b/roles/facts/tasks/main.yml
@@ -8,7 +8,7 @@ prefixes: '{{ query("netbox.netbox.nb_lookup", "prefixes", raw_data=true) | sort(attribute="prefix") | sort(attribute="family.value") }}' - - when: 'cluster is defined and not is_virtual' + - when: 'cluster is defined' block: - name: Get my cluster and all nodes in it set_fact:
diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index 64ee9f7..84fe500 100644
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@@ -50,13 +50,6 @@ dest: /etc/sysctl.d/local.conf src: sysctl.conf -- name: Set domain for ACME certificate renewals - command: - cmd: 'pvenode config set --acme domains={{ interfaces | selectattr("name", "==", "lo") - | map(attribute="ip_addresses") | flatten | map(attribute="dns_name") - | sort | unique | join(";") }}' - changed_when: false # maybe write a proper check if certificate requests are ever ansibled - - include_tasks: firewall.yml - include_tasks: user.yml
diff --git a/roles/proxmox/templates/cluster.fw.j2 b/roles/proxmox/templates/cluster.fw.j2
index 519d8e1..a5981ba 100644
--- a/roles/proxmox/templates/cluster.fw.j2
+++ b/roles/proxmox/templates/cluster.fw.j2
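Review bot: Hard-coding `tcp` in the fallback rule of local.nft.j2 discards the service's declared protocol: a service whose `protocol.value` is `udp` and that has no allowed prefixes now gets a TCP accept for its ports and no UDP rule at all, and that rule still has no `saddr` match, so it accepts from any source. The companion change in cluster.fw.j2 deletes this unrestricted fallback entirely, so after this commit the two templates disagree on what a service without allowed prefixes receives. Either keep the protocol, `{{ service.protocol.value }} dport { {{ ports }} } accept`, or drop the `{% else %}` branch here as well so a missing prefix list fails closed, with a comment such as `{# no allowed prefixes: no rule, deny by default #}` where the branch was. The enclosing `{% for %}`/`{% if %}` opens before the hunk.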
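Review bot: Dropping `and not is_virtual` from the `when:` makes the cluster/node fact block run on virtual hosts too, and nothing in the hunk records why or what `nodes` will hold for a VM. Because cluster.fw.j2 in this same commit turns the `nodes` addresses into unconditional `IN ACCEPT -source … # my cluster` rules, it is worth confirming that a VM's `cluster` value does not resolve to its hypervisor cluster's peers and quietly widen that trust. A one-line comment above the condition, e.g. `# intentionally runs for virtual hosts as well; nodes feeds the cluster firewall rules`, would make the intent reviewable. The `block:` body continues past the end of the hunk.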
@@ -6,23 +6,16 @@ enable: 1 IN Ping(ACCEPT) -log nolog # don’t be rude IN SSH(ACCEPT) -i mgmt # for ansible etc. -IN HTTP(ACCEPT) # allow HTTP connections for renewing certificates with ACME - IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster - {% for service in cluster_services %} {% set prefixes = service | allowed_prefixes %} {% set ports = service.ports | compact_numlist(range_delimiter=':') %} -{% if prefixes %} {% if prefixes | ipv4 %} IN ACCEPT -source {{ prefixes | ipv4 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }} {% endif %} {% if prefixes | ipv6 %} IN ACCEPT -source {{ prefixes | ipv6 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }} {% endif %} -{% else %} -IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }} -{% endif %} {% endfor %}
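Review bot: With the `{% if prefixes %}` guard gone, a service whose `allowed_prefixes` comes back empty now produces no rule at all; that is the safer default than the deleted open-to-all `IN ACCEPT -p … -dport …`, but it fails silently, so a service that is missing its prefix assignment simply stops being reachable with nothing in the rendered cluster.fw to explain it. Consider emitting a marker into the generated file, `{% if not prefixes %}# {{ service.name }}: no allowed prefixes, no rule generated{% endif %}`, so the omission is visible on the node (`#` comments are already used in this file). If `allowed_prefixes` can return `None` rather than an empty list, `prefixes | ipv4` is now evaluated where the old guard short-circuited it; confirm the filter tolerates that. The template's header region lies above the hunk.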