diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix
index 4ddb137876d2..adba0fbfbf22 100644
--- a/nixos/modules/services/networking/spacecookie.nix
+++ b/nixos/modules/services/networking/spacecookie.nix
@@ -37,12 +37,19 @@ in {
         '';
       };
 
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to open the necessary port in the firewall for spacecookie.
+        '';
+      };
+
       port = mkOption {
         type = types.port;
         default = 70;
         description = ''
-          Port the gopher service should be exposed on. The
-          firewall is not opened automatically.
+          Port the gopher service should be exposed on.
         '';
       };
 
@@ -100,5 +107,9 @@ in {
         RestrictAddressFamilies = "AF_UNIX AF_INET6";
       };
     };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+    };
   };
 }
diff --git a/nixos/tests/spacecookie.nix b/nixos/tests/spacecookie.nix
index d3411da8e925..19db520984be 100644
--- a/nixos/tests/spacecookie.nix
+++ b/nixos/tests/spacecookie.nix
@@ -9,7 +9,6 @@ in
     name = "spacecookie";
     nodes = {
       ${gopherHost} = {
-        networking.firewall.allowedTCPPorts = [ 70 ];
         systemd.services.spacecookie = {
           preStart = ''
             mkdir -p ${gopherRoot}/directory
@@ -21,6 +20,7 @@ in
           enable = true;
           root = gopherRoot;
           hostname = gopherHost;
+          openFirewall = true;
         };
       };