diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml
index 51d9b97..f788245 100644
--- a/group_vars/monitoring.yaml
+++ b/group_vars/monitoring.yaml
@@ -3,6 +3,11 @@ monitoring_bootstrap_cert: no
 acme_san_domains:
   - ["{{ monitoring_domain }}", monitoring.bitlair.nl]
 
+nft: true
+group_nft_input:
+  - "# Allow web-traffic from world"
+  - "tcp dport { http, https } accept"
+
 prometheus_scrape_configs:
   - job_name: "node"
     static_configs:
diff --git a/group_vars/services.yaml b/group_vars/services.yaml
new file mode 100644
index 0000000..2fdfaaf
--- /dev/null
+++ b/group_vars/services.yaml
@@ -0,0 +1,5 @@
+---
+
+nft: true
+group_nft_input: []
+#  - "udp dport 4000 accept  # FIXME, werkt op dit moment toch niet hoor ik van AK
diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml
index e9a1937..6c517e7 100644
--- a/group_vars/wiki.yaml
+++ b/group_vars/wiki.yaml
@@ -4,6 +4,14 @@ acme_san_domains:
   - [ bitair.nl ]
   - [ ravespace.nl ]
 
+nft: true
+
+group_nft_input:
+  - "# Allow web-traffic from world"
+  - "tcp dport { http, https } accept"
+  - "# mqtt from world"
+  - "tcp dport { 1883 } accept"
+
 nginx_sites:
   - server_name: "bitlair.nl"
     server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"