Move nginx firewall ports

configuration/default.nix

@@ -207,8 +207,6 @@ in {
 			})
 		];
 
-		networking.firewall.allowedTCPPorts = [ 80 443 ];
-
 		services.borgbackup.jobs.system = {
 			paths = "/";
 			exclude = [
@@ -275,8 +273,6 @@ in {
 
 		users.groups.git = {};
 
-		networking.firewall.allowedTCPPorts = [ 80 443 ];
-
 		# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
 		# systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
 		

configuration/lib/nginx.nix

@@ -14,4 +14,9 @@ hosts: { lib, ... }:
 				};
 			} // mapMkMerge hosts;
 		};
+
+		networking.firewall.allowedTCPPorts = [
+			80  # HTTP
+			443 # HTTPS
+		];
 	}