diff --git a/hosts/plover/config/wezterm/config.lua b/hosts/plover/config/wezterm/config.lua
index 14f8283e..3f07e4d1 100644
--- a/hosts/plover/config/wezterm/config.lua
+++ b/hosts/plover/config/wezterm/config.lua
@@ -1,10 +1,12 @@
 return {
   tls_servers = {
+    -- These are expected to be imported through systemd LoadCredentials
+    -- directive.
     {
       pem_private_key = os.getenv("CREDENTIALS_DIRECTORY") .. "/key.pem",
       pem_cert = os.getenv("CREDENTIALS_DIRECTORY") .. "/cert.pem",
       pem_ca = os.getenv("CREDENTIALS_DIRECTORY") .. "/fullchain.pem",
-      bind_address = "@domain@:@port@",
+      bind_address = "@listen_address@",
     },
   },
 }
diff --git a/hosts/plover/modules/services/wezterm-mux-server.nix b/hosts/plover/modules/services/wezterm-mux-server.nix
index 0a2c460c..027f8663 100644
--- a/hosts/plover/modules/services/wezterm-mux-server.nix
+++ b/hosts/plover/modules/services/wezterm-mux-server.nix
@@ -3,21 +3,22 @@
 # We're setting up Wezterm mux server with TLS domains.
 let
   weztermDomain = "mux.${config.networking.domain}";
+  port = 9801;
+  listenAddress = "127.0.0.1:${builtins.toString port}";
   configFile = pkgs.substituteAll {
     src = ../../config/wezterm/config.lua;
-    domain = weztermDomain;
-    port = 9801;
+    listen_address = listenAddress;
   };
 in
 {
   services.wezterm-mux-server = {
     enable = true;
     inherit configFile;
-    user = "plover";
-    group = "users";
   };
+  networking.firewall.allowedTCPPorts = [ port ];
+
   systemd.services.wezterm-mux-server = {
     requires = [ "acme-finished-${weztermDomain}.target" ];
     environment.WEZTERM_LOG = "info";
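Review bot: The added comment documents an assumption the code does not enforce — if `CREDENTIALS_DIRECTORY` is unset (credential not attached to the unit, or the config evaluated outside systemd), `os.getenv` returns nil and the three `..` concatenations on the `pem_*` lines fail with Lua's generic "attempt to concatenate a nil value" instead of a message naming the missing credential directory; reading the variable once and asserting it fixes that and removes the triple lookup, see the rewrite below. Minor: the systemd directive is `LoadCredential=` (singular, systemd.exec(5)), so the new comment should read `-- These are expected to be imported through the systemd LoadCredential= directive.`. The `bind_address` substitution itself is fine, but whatever `@listen_address@` expands to now alone decides whether this TLS listener is reachable off-host: the Nix hunk in this commit substitutes a loopback `127.0.0.1:9801` while also adding `networking.firewall.allowedTCPPorts = [ port ]`, so either the firewall opening is dead configuration for a local-only listener or, if remote mux access is the goal, the bind address is what needs to change — confirm which is intended.
```lua
local cred_dir = assert(os.getenv("CREDENTIALS_DIRECTORY"),
  "CREDENTIALS_DIRECTORY is unset; start the mux server under systemd with LoadCredential=")

return {
  tls_servers = {
    -- … unchanged: LoadCredential comment …
    {
      pem_private_key = cred_dir .. "/key.pem",
      pem_cert = cred_dir .. "/cert.pem",
      pem_ca = cred_dir .. "/fullchain.pem",
      -- … unchanged: bind_address …
```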