diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 676b60bce4bb687695252878049fbd1e0fd9ad52..382b2ee6cb1230bf9b37a75a68c3926b136012fb 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -119,6 +119,8 @@ in {
       # list.
       domain = builtins.head cfg.domains;
       certServiceName = "acme-${domain}";
+      # Payment server internal http port (arbitrary, non-priviledged):
+      internalHttpPort = "1061";
 
     in lib.mkIf cfg.enable {
     # Add a systemd service to run PaymentServer.
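Review bot: The new comment above `internalHttpPort` carries over the misspelling "priviledged" from the line this commit removes, and it does not say who is meant to reach the port. The later hunks show nginx proxying to it on 127.0.0.1, so I would write `# PaymentServer internal HTTP port (arbitrary, non-privileged); nginx proxies to it on 127.0.0.1:`. The enclosing `let` block starts above this hunk.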
@@ -165,8 +167,7 @@ in {
             if cfg.database == "Memory"
               then "--database Memory"
               else "--database SQLite3 --database-path ${cfg.databasePath}";
-          # Arbitrary non-priviledged port:
-          httpArgs = "--http-port 1061";
+          httpArgs = "--http-port ${internalHttpPort}";
 
           prefixOption = s: "--cors-origin=" + s;
           originStrings = map prefixOption cfg.allowedChargeOrigins;
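Review bot: `httpArgs` passes only `--http-port`, so nothing visible in this hunk pins the PaymentServer listener to loopback. If the service listens on all interfaces and the port is reachable from outside, a direct connection bypasses both the nginx TLS termination and the `allow 172.23.23.0/24; deny all;` rule on `/metrics`. Whether a default bind address or a firewall rule already prevents that cannot be seen from here, so it is worth confirming. The result could be recorded next to `httpArgs` as `# Listener must not be reachable from outside; nginx is the only intended client.`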
@@ -206,7 +207,7 @@ in {
         enableACME = cfg.tls;
         forceSSL = cfg.tls;
         locations."/" = {
-          proxyPass = "http://127.0.0.1:1061";
+          proxyPass = "http://127.0.0.1:${internalHttpPort}";
         };
         locations."/metrics" = {
           # Only allow our monitoringvpn subnet
@@ -214,7 +215,7 @@ in {
             allow 172.23.23.0/24;
             deny all;
           '';
-          proxyPass = "http://127.0.0.1:1061";
+          proxyPass = "http://127.0.0.1:${internalHttpPort}";
         };
       };
     };