diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index 00065052805eee80cd6302295ade199c08ac4d57..dc83150f12b5bb04225db7b64c497135557f02cc 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -33,6 +33,22 @@ in
         The package to use for the Tahoe-LAFS daemon.
       '';
     };
+    services.private-storage.publicIPv4 = lib.mkOption
+    { default = "127.0.0.1";
+      type = lib.types.str;
+      example = lib.literalExample "192.0.2.0";
+      description = ''
+        An IPv4 address to advertise for this storage service.
+      '';
+    };
+    services.private-storage.publicStoragePort = lib.mkOption
+    { default = 8898;
+      type = lib.types.int;
+      example = lib.literalExample 8098;
+      description = ''
+        The port number on which to service storage clients.
+      '';
+    };
   };
   config = lib.mkIf cfg.enable
   { services.tahoe.nodes."storage" =
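Review bot: `publicStoragePort` is declared as `lib.types.int`, so a negative value or one above 65535 passes option checking and only fails once it reaches `tub.port` and the firewall list; `type = lib.types.port;` rejects it at evaluation time. `publicIPv4` is an unconstrained `lib.types.str` that the next hunk splices into `tub.location`, so a typo containing a comma or an extra colon would silently change the advertised connection hints. A `lib.types.strMatching` pattern for a dotted quad would catch that. The port `example` can probably be the bare integer `8098`, since `lib.literalExample` appears to be intended for Nix expression text rather than plain values.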
@@ -42,6 +58,8 @@ in
         # XXX Should try to name that is unique across the grid.
         { nickname = "storage";
           "web.port" = "tcp:3456:interface=127.0.0.1";
+          "tub.port" = "tcp:${toString cfg.publicStoragePort}";
+          "tub.location" = "tcp:${cfg.publicIPv4}:${toString cfg.publicStoragePort}";
         };
         storage =
         { enabled = true;
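Review bot: `"tub.port" = "tcp:${toString cfg.publicStoragePort}"` listens on every interface, whereas `web.port` on the line above is pinned to `interface=127.0.0.1`. With the default `publicIPv4` of `127.0.0.1`, the node therefore advertises a loopback address in `tub.location` while still accepting storage connections on all addresses. Consider dropping the default so an unset address fails evaluation instead of producing an unreachable but exposed node. A comment above `tub.port` would also help, for example `# storage protocol must be reachable by clients; the web API stays loopback-only`. The enclosing attribute set starts outside this hunk.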
@@ -52,5 +70,7 @@ in
         };
       };
     };
+    networking.firewall.allowedTCPPorts = [ cfg.publicStoragePort ];
+
   };
 }
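Review bot: `networking.firewall.allowedTCPPorts = [ cfg.publicStoragePort ];` opens the port on every interface whenever the service is enabled, with no way for an operator to opt out or to restrict it to a single interface. NixOS modules usually gate this behind a boolean `openFirewall` option that defaults to false. The line would then read `networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.publicStoragePort ];`, with the option declared alongside the two added in the first hunk. That makes the exposure an explicit operator decision and keeps hosts behind a separate perimeter firewall unchanged.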