diff --git a/flake.lock b/flake.lock index 89c875f..7660bd0 100644 --- a/flake.lock +++ b/flake.lock @@ -172,11 +172,11 @@ ] }, "locked": { - "lastModified": 1764627417, - "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=", + "lastModified": 1765326679, + "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=", "owner": "nix-community", "repo": "disko", - "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3", + "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e", "type": "github" }, "original": { @@ -479,16 +479,17 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1764955954, - "narHash": "sha256-f/WcyqN5K4ATWYn84915zVNlHGE8jDFiQRaNbx2A3ew=", - "owner": "nixos", - "repo": "infra", - "rev": "6fecd0f4442ca78ac2e4102c159f4f7672a46906", + "lastModified": 1765397887, + "narHash": "sha256-lZbqYO2+4D6hjJvWr6bo7uwV6/J4Bc8xaMpVBhXS9EI=", + "owner": "helsinki-systems", + "repo": "nixos-infra", + "rev": "f7d084e5778bdb9e24ba7f60cabac7e414d778a0", "type": "github" }, "original": { - "owner": "nixos", - "repo": "infra", + "owner": "helsinki-systems", + "ref": "upd/queue-runner", + "repo": "nixos-infra", "type": "github" } }, @@ -613,11 +614,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764983851, - "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=", + "lastModified": 1765311797, + "narHash": "sha256-mSD5Ob7a+T2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454", + "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b", "type": "github" }, "original": { 
@@ -650,11 +651,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1764950072, - "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=", + "lastModified": 1765186076, + "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f61125a668a320878494449750330ca58b78c557", + "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8", "type": "github" }, "original": { @@ -664,6 +665,22 @@ "type": "github" } }, + "nixpkgs-unstable-helsinki": { + "locked": { + "lastModified": 1765389121, + "narHash": "sha256-lYBYkPBCsdbfHhrSw4Ac+i6lwS3O2WTFQSjTEI9vouk=", + "owner": "helsinki-systems", + "repo": "nixpkgs", + "rev": "7ea17890e59684c4be74041e7166687e5ee0d04d", + "type": "github" + }, + "original": { + "owner": "helsinki-systems", + "ref": "feat/nix-daemon-firewall", + "repo": "nixpkgs", + "type": "github" + } + }, "ofborg": { "inputs": { "nixpkgs": [ @@ -731,6 +748,7 @@ "infra": "infra", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", + "nixpkgs-unstable-helsinki": "nixpkgs-unstable-helsinki", "ofborg": "ofborg", "ofborg-viewer": "ofborg-viewer", "sops-nix": "sops-nix_2", @@ -790,11 +808,11 @@ ] }, "locked": { - "lastModified": 1765079830, - "narHash": "sha256-i9GMbBLkeZ7MVvy7+aAuErXkBkdRylHofrAjtpUPKt8=", + "lastModified": 1765231718, + "narHash": "sha256-qdBzo6puTgG4G2RHG0PkADg22ZnQo1JmSVFRxrD4QM4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "aeb517262102f13683d7a191c7e496b34df8d24c", + "rev": "7fd1416aba1865eddcdec5bb11339b7222c2363e", "type": "github" }, "original": { @@ -831,11 +849,11 @@ ] }, "locked": { - "lastModified": 1764811239, - "narHash": "sha256-O98nsREqOegA/ckOi1lj5cC8+FlzZmgE2q2RD9eKrnw=", + "lastModified": 1765156605, + "narHash": "sha256-dH66lgYsikQlCVs+Vf6qaVAKaS8+fWX8qwvk5XOSELA=", "owner": "numtide", "repo": "srvos", - "rev": "0ed5a0abca19cb199796e77180499cb9b6cca493", + "rev": "eab576cec5e21e0ab7767b2542e833edfdc17283", "type": "github" }, "original": { 
diff --git a/flake.nix b/flake.nix
index 210d995..98bc8dd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,7 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ nixpkgs-unstable-helsinki.url = "github:helsinki-systems/nixpkgs/feat/nix-daemon-firewall";
 # Why?
 flake-parts.url = "github:hercules-ci/flake-parts";
 flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
@@ -33,7 +34,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 infra = {
- url = "github:nixos/infra";
+ url = "github:helsinki-systems/nixos-infra/upd/queue-runner";
 inputs = {
 nixpkgs.follows = "nixpkgs";
 nixpkgs-unstable.follows = "nixpkgs-unstable";
diff --git a/macs/module/hydra-queue-builder.nix b/macs/module/hydra-queue-builder.nix
index ab5207b..5412c17 100644
--- a/macs/module/hydra-queue-builder.nix
+++ b/macs/module/hydra-queue-builder.nix
@@ -224,7 +224,7 @@ in
 users.hydra-queue-builder = {
 uid = lib.mkDefault 535;
 gid = lib.mkDefault config.users.groups.hydra.gid;
- home = lib.mkDefault "/var/lib/hydra-queue-builder";
+ home = "/private/var/lib/hydra-queue-builder";
 shell = "/bin/bash";
 description = "hydra-queue-builder service user";
 };
diff --git a/non-critical-infra/hosts/build04.ofborg.org/default.nix b/non-critical-infra/hosts/build04.ofborg.org/default.nix
index 85e87ec..7041cfa 100644
--- a/non-critical-infra/hosts/build04.ofborg.org/default.nix
+++ b/non-critical-infra/hosts/build04.ofborg.org/default.nix
@@ -45,7 +45,9 @@
 services.hydra-queue-builder-v2 = {
 enable = true;
 queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
- maxJobs = 2;
+ maxJobs = 4;
+ supportedFeatures = [ "fod-checker" ];
+ mandatoryFeatures = [ "fod-checker" ];
 mtls = {
 serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt";
 clientCertPath = "${./client.crt}";
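Review bot: The new `nixpkgs-unstable-helsinki` input (and the `infra` input in the second flake.nix hunk) now track branch refs on a third-party fork (`feat/nix-daemon-firewall`, `upd/queue-runner`) rather than an upstream repository, so the next `nix flake update` pulls whatever those branches contain at that moment, under someone else's write access, into the inputs that build this infrastructure. The lock pins a specific rev today, but nothing in flake.nix records why the fork is needed or when it should go away. Please add a comment on each input naming the upstream change these branches correspond to, e.g. `# TODO: temporary fork until <upstream PR> lands; then revert to github:NixOS/nixpkgs` on the new line and the matching `# TODO: ... revert to github:nixos/infra` on the infra url. The `inputs = {` attribute set opened in the first hunk continues past both hunks.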
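Review bot: Dropping `lib.mkDefault` on `home` turns a default into a fixed value, so any host configuration that previously overrode the home directory would now conflict with this definition instead of winning silently; if the point of the change is only the canonical path, keep the priority: `home = lib.mkDefault "/private/var/lib/hydra-queue-builder";`. A short comment on that line explaining why `/private/var` is used instead of `/var` would also help (presumably because `/var` is a symlink on macOS and the canonical path is wanted — confirm), since `uid` and `gid` right above it still use `lib.mkDefault` and the asymmetry looks accidental. The attribute set that holds `users.hydra-queue-builder` is opened outside the hunk.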
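Review bot: `supportedFeatures` and `mandatoryFeatures` are set to the identical `[ "fod-checker" ]` here and again in the eval04 hunk, and `maxJobs` doubles on both hosts with nothing recording what capacity it was sized against; this per-host duplication is what the shared `non-critical-infra/modules/ofborg/common.nix` (edited in this same commit) exists to avoid, so consider defining the two feature lists there once. If `mandatoryFeatures` follows the usual Nix remote-builder semantics, listing a feature there means the builder only accepts jobs that require it, so both hosts now refuse every build that is not a FOD check — if that is intended, a one-line comment such as `# dedicated FOD-checker builders: only jobs requiring this feature are accepted` would keep the next reader from "fixing" it. The `services.hydra-queue-builder-v2` attribute set continues past the hunk.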
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/default.nix b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
index ae9f7bd..abdc5bc 100644
--- a/non-critical-infra/hosts/eval04.ofborg.org/default.nix
+++ b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
@@ -47,7 +47,9 @@
 services.hydra-queue-builder-v2 = {
 enable = true;
 queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
- maxJobs = 2;
+ maxJobs = 4;
+ supportedFeatures = [ "fod-checker" ];
+ mandatoryFeatures = [ "fod-checker" ];
 mtls = {
 serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt";
 clientCertPath = "${./client.crt}";
diff --git a/non-critical-infra/modules/ofborg/common.nix b/non-critical-infra/modules/ofborg/common.nix
index 55efedb..557b11f 100644
--- a/non-critical-infra/modules/ofborg/common.nix
+++ b/non-critical-infra/modules/ofborg/common.nix
@@ -5,9 +5,27 @@
 "${inputs.infra}/modules/common.nix"
 "${inputs.infra}/non-critical-infra/modules/common.nix"
 ./ofborg-config.nix
+ "${inputs.nixpkgs-unstable-helsinki}/nixos/modules/services/system/nix-daemon-firewall.nix"
 ];
 
- nix.gc.automatic = true;
+ nix = {
+ gc.automatic = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 21 # access to ftp files
+ 22 # fetchGit
+ 34
+ "http"
+ 443
+ "30000-31000"
+ ];
+ allowedUDPPorts = [
+ 53 # DNS
+ 443 # QUIC/HTTP3
+ ];
+ };
+ };
 
 # TODO wire up exporters
 # TODO loki
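Review bot: In the new `allowedTCPPorts` list, `34` and `"30000-31000"` carry no comment while `21` and `22` do, and `"http"` is symbolic where `443` beside it is numeric, so a reader cannot tell what traffic those entries are meant to let the daemon's fixed-output builds reach; please comment every entry (e.g. `34 # <service this is for>`, `"30000-31000" # <what listens on this range>`) and either write `80` to match `443` or name both. Allowing only TCP/21 is unlikely to be enough for `# access to ftp files`: passive-mode FTP opens its data connection to a server-chosen ephemeral port, so unless the module tracks FTP data channels (not visible from here) fetches will fail after the control handshake. The `nix.firewall` options and the module path under `inputs.nixpkgs-unstable-helsinki` exist only on that fork branch, so this file stops evaluating if the branch is rebased or the input is pointed back at upstream — a comment on the new `imports` entry saying so would save the next person a confusing failure. The `imports` list starts outside the hunk.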