diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 1716c7c..d42b492 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -105,6 +105,11 @@ in {
 connections = [ "bitcoind" ] ++ (
 optionals config.services.electrs.TLSProxy.enable [ "nginx" ]);
 };
+ spark-wallet = {
+ id = 17;
+ # communicates with clightning over lightning-rpc socket
+ connections = [];
+ };
 };
 
 systemd.services = {
@@ -252,6 +257,12 @@ in {
 daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}";
 };
 
+ # spark-wallet: Custom netns configs
+ services.spark-wallet = mkIf config.services.spark-wallet.enable {
+ host = netns.spark-wallet.address;
+ extraArgs = "--no-tls";
+ };
+
 })
 # Custom netns config option values if netns-isolation not enabled
 (mkIf (!cfg.enable) {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index d3fcf08..983d8fb 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -122,7 +122,10 @@ in {
 toHost = cfg.electrs.host;
 };
 
- services.spark-wallet.onion-service = true;
+ services.spark-wallet = {
+ onion-service = true;
+ enforceTor = true;
+ };
 
 services.nix-bitcoin-webindex.enforceTor = true;
 
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 477bdfd..5887eb0 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -7,7 +7,7 @@ let
 inherit (config) nix-bitcoin-services;
 onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
 run-spark-wallet = pkgs.writeScript "run-spark-wallet" ''
- CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c ${config.nix-bitcoin.secretsDir}/spark-wallet-login"
+ CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} --host ${cfg.host} -Q -k -c ${config.nix-bitcoin.secretsDir}/spark-wallet-login ${cfg.extraArgs}"
 
 ${optionalString cfg.onion-service ''
 echo Getting onion hostname
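Review bot: `extraArgs = "--no-tls"` in the netns branch of netns-isolation.nix turns the spark-wallet listener on `netns.spark-wallet.address` into a plaintext HTTP endpoint, and nothing in the hunk records why that is acceptable. Presumably the `connections = []` entry in the earlier hunk is what keeps that address reachable only from inside its namespace (and from tor via the onion-service target set in spark-wallet.nix), but that reasoning is not written down, so a later change adding connections could silently expose an unencrypted wallet UI. A one-line comment next to the assignment would preserve the intent: `# TLS is disabled because the listener is only reachable inside the spark-wallet netns; revisit if connections are added`. It is also worth confirming that tor can reach `netns.spark-wallet.address` when spark-wallet lists no connections, since the onion service now targets `cfg.host`.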
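Review bot: In the spark-wallet.nix hunk, `--host ${cfg.host}` and `${cfg.extraArgs}` are interpolated verbatim into the `CMD="…"` shell string, so a host value containing whitespace or shell metacharacters would be word-split or expanded whenever CMD is later used. Both values are admin-set options rather than untrusted input, so this is a robustness point rather than an injection concern, but `host` is the first user-typed string to land on this command line. How CMD is consumed is outside the hunk (the `run-spark-wallet` script continues past it), so I cannot tell whether quoting here would help; if `$CMD` is expanded unquoted, building an argument list instead of a string is the cleaner fix. At minimum a comment such as `# cfg.host and cfg.extraArgs are inserted unquoted; values must be shell-safe` documents the assumption.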
@@ -29,6 +29,11 @@ in {
 If enabled, the spark-wallet service will be installed.
 '';
 };
+ host = mkOption {
+ type = types.str;
+ default = "localhost";
+ description = "http(s) server listen address.";
+ };
 ln-path = mkOption {
 type = types.path;
 default = "${config.services.clightning.dataDir}/bitcoin";
@@ -43,6 +48,12 @@ in {
 "If enabled, configures spark-wallet to be reachable through an onion service.";
 '';
 };
+ extraArgs = mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description = "Extra command line arguments passed to spark-wallet.";
+ };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 
 config = mkIf cfg.enable {
@@ -65,7 +76,7 @@ in {
 services.tor.client.enable = true;
 services.tor.hiddenServices.spark-wallet = mkIf cfg.onion-service {
 map = [{
- port = 80; toPort = 9737;
+ port = 80; toPort = 9737; toHost = cfg.host;
 }];
 version = 3;
 };
@@ -82,8 +93,10 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = "/var/lib/onion-chef";
- } // nix-bitcoin-services.nodejs
- // nix-bitcoin-services.allowTor;
+ } // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP)
+ // nix-bitcoin-services.nodejs;
 };
 nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";
 };
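Review bot: The new `host` option's description, `http(s) server listen address.`, does not mention the two places the value is now reused: it becomes the onion service's `toHost` in the hiddenServices hunk below, and netns-isolation overrides it with `netns.spark-wallet.address` while also adding `--no-tls` through `extraArgs`. Someone setting `host` to a non-loopback address would not learn from the option that the listener then also serves as the onion target, nor that netns mode drops TLS. Suggest extending it to `"Listen address of the http(s) server. Also used as the target of the onion service; overridden by netns-isolation, which additionally passes --no-tls."`, and noting on `extraArgs` that netns-isolation contributes its own arguments so user values are merged with them.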
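Review bot: In the `@@ -82,8` hunk the `//` chain now merges `nix-bitcoin-services.nodejs` last instead of `allowTor`, so if `nodejs` and `allowTor`/`allowAnyIP` define any of the same systemd keys, `nodejs` now takes precedence where `allowTor` previously did — a silent precedence flip on sandboxing settings. Those attribute sets are not visible here, so this may be harmless if they are disjoint, but it is not obviously intended by a change whose purpose is the enforceTor switch. Keeping the original order sidesteps the question: `} // nix-bitcoin-services.nodejs` followed by `// (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP);`.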