diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index 19b698b..6500e7e 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -291,7 +291,7 @@ _PORTS_ELEMENT_CALLING = _PORTS_WEB + [
 
 SERVICE_PORT_REQUIREMENTS: dict[str, list[dict]] = {
 # Infrastructure
- "caddy.service": _PORTS_WEB,
+ "caddy.service": [],
 # Communication
 "matrix-synapse.service": _PORTS_MATRIX_FEDERATION,
 "livekit.service": _PORTS_ELEMENT_CALLING,
diff --git a/configuration.nix b/configuration.nix
index 55032cc..2f2686d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -31,8 +31,8 @@
 networking.hostName = "nixos";
 networking.networkmanager.enable = true;
 networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 80 443 8448 3051 ];
- networking.firewall.allowedUDPPorts = [ 80 443 8448 3051 5353 ];
+ networking.firewall.allowedTCPPorts = [ 8448 3051 ];
+ networking.firewall.allowedUDPPorts = [ 8448 3051 5353 ];
 
 # ── Avahi (mDNS) ───────────────────────────────────────────
 services.avahi = {
diff --git a/modules/bitcoinecosystem.nix b/modules/bitcoinecosystem.nix
index c40a8a4..76f4166 100755
--- a/modules/bitcoinecosystem.nix
+++ b/modules/bitcoinecosystem.nix
@@ -55,7 +55,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
 };
 
 services.btcpayserver = {
- enable = true;
+ enable = config.sovran_systemsOS.web.btcpayserver;
 };
 
 services.btcpayserver.lightningBackend = "lnd";
diff --git a/modules/core/caddy.nix b/modules/core/caddy.nix
index 1736e6c..7d032d3 100755
--- a/modules/core/caddy.nix
+++ b/modules/core/caddy.nix
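Review bot: `"caddy.service": []` now declares unconditionally that Caddy needs no open ports, while the same commit makes modules/core/caddy.nix open 80/443 whenever a domain-based service is enabled; if SERVICE_PORT_REQUIREMENTS feeds a firewall or reachability check in the web UI, that check is lost for exactly the case where the ports matter. The usage of the mapping is not visible from here, so the fix may be to evaluate the requirement at runtime, or to keep `_PORTS_WEB` (still referenced by `_PORTS_ELEMENT_CALLING` in the hunk header) and attach it to the domain-based service entries instead of to Caddy. At minimum the dependency should be stated where the empty list is: `# 80/443 are opened by modules/core/caddy.nix only when a domain-based service is enabled; checked under those services`. The dict literal continues past the hunk.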
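Review bot: The new `networking.firewall.allowedUDPPorts = [ 8448 3051 5353 ];` still mirrors the TCP list onto UDP; Matrix federation on 8448 is HTTPS over TCP, so UDP 8448 (and UDP 3051, unless a datagram listener exists there, which the diff does not show) is exposure with no service behind it, and only 5353 (mDNS, for the Avahi block below) is a genuine UDP port in this list. The same mirroring is in the new lines of modules/core/caddy.nix, where `allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ]` opens UDP 80 although Caddy's only UDP listener is HTTP/3 on 443. Consider `networking.firewall.allowedUDPPorts = [ 5353 ];` here and `[ 443 ]` in caddy.nix, or a comment per UDP port naming what listens on it.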
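Review bot: `enable = config.sovran_systemsOS.web.btcpayserver;` ties running BTCPay Server to the option that caddy.nix binds as `exposeBtcpay`, i.e. to a public, domain-based vhost, so a deployment that wants BTCPay reachable only on the LAN can no longer run it at all. If that coupling is intended, record it with a comment here, e.g. `# BTCPay runs only when its public vhost is enabled; see modules/core/caddy.nix`; otherwise a dedicated run toggle, with `web.btcpayserver` controlling exposure only, keeps the two decisions separate. The enclosing `lib.mkIf config.sovran_systemsOS.services.bitcoin { … }` starts outside the hunk, so the service additionally still requires the bitcoin stack.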
@@ -3,6 +3,16 @@
 let
 exposeBtcpay = config.sovran_systemsOS.web.btcpayserver;
 extraVhosts = config.sovran_systemsOS.caddy.extraVirtualHosts;
+
+ # True when any service needs HTTPS/ACME (domain-based vhosts)
+ needsHttpsPorts =
+ config.sovran_systemsOS.web.btcpayserver
+ || config.sovran_systemsOS.services.synapse
+ || config.sovran_systemsOS.services.wordpress
+ || config.sovran_systemsOS.services.nextcloud
+ || config.sovran_systemsOS.services.vaultwarden
+ || config.sovran_systemsOS.features.haven
+ || config.sovran_systemsOS.features.element-calling;
 in
 {
 services.caddy = {
@@ -11,6 +21,10 @@ in
 group = "root";
 };
 
+ # Only open ports 80/443 when at least one domain-based service is active
+ networking.firewall.allowedTCPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+ networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+
 systemd.tmpfiles.rules = [
 "d /var/lib/domains 0755 caddy root -"
 ];
@@ -55,12 +69,20 @@ in
 HAVEN=$(read_domain haven)
 ACME_EMAIL=$(read_domain sslemail)
- # Start with global config
+ # Start with global config — use ACME only when domain-based services are active
+ ${if needsHttpsPorts then ''
 cat > /run/caddy/Caddyfile < /run/caddy/Caddyfile <
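Review bot: `needsHttpsPorts` omits `extraVhosts`, which is bound on the line directly above it: an operator who adds entries to `sovran_systemsOS.caddy.extraVirtualHosts` while none of the listed services is enabled gets vhosts in the Caddyfile but ports 80/443 closed, so ACME issuance and the sites themselves fail from the outside with no error in the Nix evaluation. Add the extra hosts to the condition, e.g. `|| extraVhosts != {}` (or `!= []` if the option is a list — its type is not visible here). The first term could also reuse `exposeBtcpay` rather than repeating the option path, and the set of gating options will need to be kept in step with the per-service vhost blocks the Caddyfile template emits further down the file, which is outside this hunk.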