diff --git a/hw/straylight/default.nix b/hw/straylight/default.nix
index 7a44f76..01fff55 100644
--- a/hw/straylight/default.nix
+++ b/hw/straylight/default.nix
@@ -5,16 +5,27 @@
     ../../configs/desktop.nix
     ../../configs/qemu.nix
     ../../configs/mcpkg.nix
+    ../../configs/mcp.nix # MCP agent + mcp user (straylight is becoming the core host)
   ];
 
-  # DNS: MCNS for internal zones, public resolvers as fallback.
-  networking.nameservers = [
-    "192.168.88.181"
-    "100.95.252.120"
-    "1.1.1.1"
-    "8.8.8.8"
-  ];
-  services.resolved.domains = [
-    "~mcp.metacircular.net"
-  ];
+  config = {
+    # Allow rootless containers (podman) to bind low ports (53 for MCNS,
+    # 443/8443/9443 for mc-proxy) as straylight takes over the core role.
+    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
+
+    # Open ports: DNS (53), mc-proxy (443/8443/9443), agent (9444), master (9555).
+    networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 9444 9555 ];
+    networking.firewall.allowedUDPPorts = [ 53 ];
+
+    # DNS: MCNS for internal zones, public resolvers as fallback.
+    networking.nameservers = [
+      "192.168.88.181"
+      "100.95.252.120"
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+    services.resolved.domains = [
+      "~mcp.metacircular.net"
+    ];
+  };
 }
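Review bot: `net.ipv4.ip_unprivileged_port_start = 53` is a host-wide kernel setting, so the comment above it understates the scope: every unprivileged user and process on straylight, not just the podman containers, can now bind any port from 53 through 1023 (80, 111, 389, 636, and so on), which lets an arbitrary local process claim a service port before the intended service does. If only the listed ports are needed, granting the containers `CAP_NET_BIND_SERVICE` (podman `--cap-add=net_bind_service`) or redirecting the low ports to high ones in the firewall keeps the threshold at 1024; at minimum the comment should record the trade-off, e.g. `# NOTE: host-wide; any local user can bind 53-1023 after this.` In the same hunk `networking.firewall.allowedTCPPorts` is not scoped to an interface, so 9444 (agent) and 9555 (master) become reachable from every network the host is attached to, presumably including the LAN that the 192.168.88.181 nameserver implies; if they are meant for the overlay only, `networking.firewall.interfaces.<IFACE_PLACEHOLDER>.allowedTCPPorts` would narrow that. The enclosing module attrset begins before the hunk, and any remaining top-level attribute other than `imports`/`options`/`config` there would now conflict with the new `config = { ... }` wrapper.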