diff --git a/configuration/default.nix b/configuration/default.nix
index d334cb0..5e15923 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -207,8 +207,6 @@ in {
 })
 ];
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
 services.borgbackup.jobs.system = {
 paths = "/";
 exclude = [
@@ -275,8 +273,6 @@ in {
 users.groups.git = {};
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
 # NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
 # systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
diff --git a/configuration/lib/nginx.nix b/configuration/lib/nginx.nix
index 7df93ce..fd242cc 100644
--- a/configuration/lib/nginx.nix
+++ b/configuration/lib/nginx.nix
@@ -14,4 +14,9 @@ hosts: { lib, ... }:
 };
 } // mapMkMerge hosts;
 };
+
+ networking.firewall.allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ ];
 }
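Review bot: The `networking.firewall.allowedTCPPorts` entry added at the end of configuration/lib/nginx.nix is unconditional, so any machine that imports this module opens 80 and 443 on every interface, whatever `hosts` contains. If some importers only serve internal vhosts, scope the rule with `networking.firewall.interfaces.<name>.allowedTCPPorts` or guard it with `lib.mkIf`. Otherwise state the intent above the list, e.g. `# Opened for every importer of this module; 80 is kept only for redirects/ACME (confirm)`. Whether plain HTTP is still served on 80 cannot be checked here, because the module body starts outside the hunk.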