diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index 8a75f2f..c7cd1ae 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -25,6 +25,27 @@ let If set, inbound connections to this port are tagged as onion peers. ''; }; + listen = mkOption { + type = types.bool; + default = false; + description = '' + Listen for peer connections at `address:port` + and `address:onionPort` (if `onionPort` is set). + ''; + }; + listenWhitelisted = mkOption { + type = types.bool; + default = false; + description = '' + Listen for peer connections at `address:whitelistedPort`. + Peers connected through this socket are automatically whitelisted. + ''; + }; + whitelistedPort = mkOption { + type = types.port; + default = 8335; + description = "See `listenWhitelisted`."; + }; getPublicAddressCmd = mkOption { type = types.str; default = ""; @@ -147,11 +168,6 @@ let With `only-outgoing`, incoming i2p connections are disabled. ''; }; - listen = mkOption { - type = types.bool; - default = false; - description = "Accept incoming connections."; - }; dataDirReadableByGroup = mkOption { type = types.bool; default = false; 
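Review bot: The `listenWhitelisted` description added in modules/bitcoind.nix says peers are "automatically whitelisted" but not what that grants or who qualifies, which is the security-relevant part of the option. Whitelisting on this socket is decided by reachability rather than peer identity, so every host that can connect to `address:whitelistedPort` gets the elevated treatment. I would add a sentence such as `Any host that can reach this socket is whitelisted, so keep it reachable only from trusted local services.` The same applies to the identical option text added in modules/liquid.nix. A module assertion that `whitelistedPort` differs from `port` and `onionPort` would also surface a bind conflict at evaluation time instead of at daemon start.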
@@ -273,15 +289,17 @@ let ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"} # Connection options + listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"} ${optionalString cfg.listen "bind=${cfg.address}:${toString cfg.port}"} ${optionalString (cfg.listen && cfg.onionPort != null) "bind=${cfg.address}:${toString cfg.onionPort}=onion"} + ${optionalString cfg.listenWhitelisted + "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"} ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"} - listen=${if cfg.listen then "1" else "0"} ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"} ${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes} diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix index 4a95900..15bbfe8 100644 --- a/modules/btcpayserver.nix +++ b/modules/btcpayserver.nix @@ -116,18 +116,13 @@ in { "getpeerinfo" ]; }; - # Enable p2p connections - listen = true; - extraConfig = '' - whitelist=download@${nbLib.address cfg.nbxplorer.address} - ''; + listenWhitelisted = true; }; services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true; services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true; services.liquidd = mkIf cfg.btcpayserver.lbtc { enable = true; - # Enable p2p connections - listen = true; + listenWhitelisted = true; }; services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") { 
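Review bot: The new `whitebind=${cfg.address}:${toString cfg.whitelistedPort}` line carries no permission prefix, whereas the `whitelist=download@…` lines this commit removes from btcpayserver.nix and electrs.nix granted only `download`, and only to one source address. A bare `whitebind` falls back to the daemon's default whitelist permission set, which as far as I know is broader than `download` (it includes `noban`), so this looks like a least-privilege regression unless the wider set is intended. If the consumers only need block download, `"whitebind=download@${cfg.address}:${toString cfg.whitelistedPort}"` keeps the previous scope. The matching line in modules/liquid.nix has the same shape, assuming liquidd accepts the same permission syntax. The enclosing config string starts and ends outside the hunk.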
@@ -154,14 +149,14 @@ in { network=${bitcoind.network} btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name} btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port} - btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.port} + btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} bind=${cfg.nbxplorer.address} port=${toString cfg.nbxplorer.port} ${optionalString cfg.btcpayserver.lbtc '' chains=btc,lbtc lbtcrpcuser=${liquidd.rpcuser} lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port} - lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.port} + lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address bitcoind.whitelistedPort} ''} ''; in { diff --git a/modules/electrs.nix b/modules/electrs.nix index 8072ef9..3dee769 100644 --- a/modules/electrs.nix +++ b/modules/electrs.nix @@ -58,9 +58,7 @@ in { services.bitcoind = { enable = true; - # Enable p2p connections - listen = true; - extraConfig = "whitelist=download@${nbLib.address cfg.address}"; + listenWhitelisted = true; }; systemd.tmpfiles.rules = [ @@ -88,7 +86,7 @@ in { --electrum-rpc-addr=${cfg.address}:${toString cfg.port} \ --monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \ --daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \ - --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.port} \ + --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} \ ${cfg.extraArgs} ''; User = cfg.user; diff --git a/modules/liquid.nix b/modules/liquid.nix index 86ac93f..36abe7e 100644 --- a/modules/liquid.nix +++ b/modules/liquid.nix 
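Review bot: `lbtcnodeendpoint` is built from `liquidd.address` but `bitcoind.whitelistedPort`, so nbxplorer is pointed at bitcoind's whitelisted port number on the liquidd address. The defaults added in this commit differ (8335 for bitcoind, 7044 for liquidd), so with default settings liquidd presumably has nothing listening on that port and the L-BTC P2P connection would fail. If both daemons share an address, nbxplorer would instead reach bitcoind's whitelisted socket as its L-BTC node. The line should read `lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}`.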
@@ -25,6 +25,27 @@ let If set, inbound connections to this port are tagged as onion peers. ''; }; + listen = mkOption { + type = types.bool; + default = false; + description = '' + Listen for peer connections at `address:port` + and `address:onionPort` (if `onionPort` is set). + ''; + }; + listenWhitelisted = mkOption { + type = types.bool; + default = false; + description = '' + Listen for peer connections at `address:whitelistedPort`. + Peers connected through this socket are automatically whitelisted. + ''; + }; + whitelistedPort = mkOption { + type = types.port; + default = 7044; + description = "See `listenWhitelisted`."; + }; extraConfig = mkOption { type = types.lines; default = ""; @@ -80,13 +101,6 @@ let default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = "Connect through SOCKS5 proxy"; }; - listen = mkOption { - type = types.bool; - default = false; - description = '' - If enabled, the liquid service will listen. - ''; - }; dbCache = mkOption { type = types.nullOr (types.ints.between 4 16384); default = null; @@ -163,12 +177,14 @@ let ${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"} # Connection options + listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"} ${optionalString cfg.listen "bind=${cfg.address}:${toString cfg.port}"} ${optionalString (cfg.listen && cfg.onionPort != null) "bind=${cfg.address}:${toString cfg.onionPort}=onion"} + ${optionalString cfg.listenWhitelisted + "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} - listen=${if cfg.listen then "1" else "0"} # RPC server options rpcport=${toString cfg.rpc.port}