diff --git a/hosts/by-name/servo/services/prosody.nix b/hosts/by-name/servo/services/prosody.nix
index 13de9c2c..985f0592 100644
--- a/hosts/by-name/servo/services/prosody.nix
+++ b/hosts/by-name/servo/services/prosody.nix
@@ -45,9 +45,6 @@
 # - ensure muc is working
 # - enable file uploads
 # - "upload.xmpp.uninsane.org:http_upload: URL: - Ensure this can be reached by users"
-# - move proxy65 to own port
-# - "portmanager: Failed to open server port 5000 on *, this port is in use by another application"
-# - port 5000 is in use by nix-serve (`sudo lsof -P -i4`)
 # - disable or fix bosh (jabber over http):
 # - "certmanager: No certificate/key found for client_https port 0"
@@ -61,6 +58,12 @@ in
 sane.persist.sys.plaintext = [
 { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
 ];
+ sane.ports.ports."5000" = {
+ protocol = [ "tcp" ];
+ visibleTo.lan = true;
+ visibleTo.wan = true;
+ description = "colin-xmpp-prosody-fileshare-proxy65";
+ };
 sane.ports.ports."5222" = {
 protocol = [ "tcp" ];
 visibleTo.lan = true;
@@ -207,6 +210,7 @@ in
 # - private
 # - XEP-0049: let clients store arbitrary (private) data on the server
 # - proxy65
+ # - XEP-0065: allow server to proxy file transfers between two clients who are behind NAT
 # - register
 # - roster
 # - saslauth
@@ -217,7 +221,6 @@ in
 # - vcard_legacy
 # - version
- modules.proxy65 = false; # TODO: free its port 5000 and then re-enable
 extraModules = [
 # admin_shell: allows `prosodyctl shell` to work
 # see:
diff --git a/hosts/modules/nixcache.nix b/hosts/modules/nixcache.nix
index 5de8076b..f87b4502 100644
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
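Review bot: Nothing in the visible prosody.nix hunks restricts who may use the XEP-0065 relay that becomes internet-reachable here: the new `sane.ports.ports."5000"` entry sets `visibleTo.wan = true` and the last hunk drops `modules.proxy65 = false`. Prosody's mod_proxy65 has a `proxy65_acl` setting for this; either set it explicitly in the Prosody config or record next to the port entry that the module default is relied on, e.g. `# proxy65 relay is WAN-visible; who may open streams is governed by proxy65_acl (default relied on, confirm)`. The port is also hard-coded in the firewall entry while the module chooses its own listening port, so pinning `proxy65_ports` to the same value would keep the two from drifting apart. The module body starts and ends outside these hunks.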
@@ -45,7 +45,7 @@ in
 # - `nix build ... --substituters http://desko:5000`
 nix.settings.substituters = mkIf cfg.enable (lib.flatten [
 (lib.optional cfg.substituters.servo "https://nixcache.uninsane.org")
- (lib.optional cfg.substituters.desko "http://desko:5000")
+ (lib.optional cfg.substituters.desko "http://desko:${builtins.toString config.sane.service.nixserve.port}")
 (lib.optional cfg.substituters.nixos "https://cache.nixos.org/")
 (lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
 ]);
diff --git a/modules/services/nixserve.nix b/modules/services/nixserve.nix
index cfc3e620..5463184e 100644
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@@ -13,6 +13,10 @@ in
 default = false;
 type = types.bool;
 };
+ sane.services.nixserve.port = mkOption {
+ default = 5001;
+ type = types.port;
+ };
 sane.services.nixserve.secretKeyFile = mkOption {
 type = types.path;
 description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
@@ -22,8 +26,12 @@ in
 config = mkIf cfg.enable {
 services.nix-serve = {
 enable = true;
- inherit (cfg) secretKeyFile;
- openFirewall = true; # not needed for servo; only desko
+ inherit (cfg) port secretKeyFile;
+ };
+ sane.ports.ports."${builtins.toString cfg.port}" = {
+ visibleTo.lan = true; # not needed for servo; only desko
+ protocol = [ "tcp" ];
+ description = "colin-nix-serve-cache";
 };
 };
 }
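Review bot: The new substituter line in nixcache.nix reads `config.sane.service.nixserve.port`, but the option this commit declares in modules/services/nixserve.nix is `sane.services.nixserve.port` (plural `services`), so evaluation should fail on a missing attribute as soon as `cfg.substituters.desko` is true. The line should read `(lib.optional cfg.substituters.desko "http://desko:${builtins.toString config.sane.services.nixserve.port}")`. This is also the local host's option value, so it matches desko only while desko keeps the same port, and the context comment above it still advertises `http://desko:5000`. Because the URL is plain `http`, the integrity of fetched paths rests on signature checking against the cache's public key, which is presumably configured outside this hunk.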
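Review bot: The new `sane.services.nixserve.port` option in the first nixserve.nix hunk has no `description`, unlike `secretKeyFile` right below it, and its default of 5001 is now a value that other hosts' substituter URLs depend on. Adding `description = "TCP port nix-serve listens on; substituter URLs pointing at this host must use the same port";` would make that coupling visible to whoever overrides it. The options set starts outside the hunk.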
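Review bot: The `sane.ports.ports` entry in the second nixserve.nix hunk is created on every host that enables the module, although the carried-over comment says the exposure is `not needed for servo; only desko`. nix-serve has no authentication of its own, so any LAN peer that can reach the port can fetch whatever is in the store; gating the entry per host, or at least expanding the comment to `# LAN-only: nix-serve is unauthenticated, anything reaching this port can read store paths; only desko needs this`, would keep the least-privilege intent explicit. How `visibleTo.lan` is enforced is defined in the sane.ports module, which is not visible here.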