refactor(firewall): Make services responsible for opening ports

configuration/default.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  modulesPath,
-  flake-inputs,
-  ...
-}:
+{ modulesPath, flake-inputs, ... }:
 {
   imports = [
     flake-inputs.disko.nixosModules.disko
@@ -49,39 +44,6 @@
   networking = {
     usePredictableInterfaceNames = false;
     useDHCP = false;
-
-    firewall = {
-      allowedTCPPorts = [
-        # http
-        80
-        443
-        # ssh
-        2222
-        # matrix
-        8448
-        # starbound
-        21025
-
-        config.services.coturn.listening-port
-        config.services.coturn.tls-listening-port
-        config.services.coturn.alt-listening-port
-        config.services.coturn.alt-tls-listening-port
-      ];
-
-      allowedUDPPorts = [
-        config.services.coturn.listening-port
-        config.services.coturn.tls-listening-port
-        config.services.coturn.alt-listening-port
-        config.services.coturn.alt-tls-listening-port
-      ];
-
-      allowedUDPPortRanges = [
-        {
-          from = config.services.coturn.min-port;
-          to = config.services.coturn.max-port;
-        }
-      ];
-    };
   };
 
   systemd.network.enable = true;

configuration/services/conduit/default.nix

@@ -17,6 +17,36 @@ in
     ./matrix-hookshot.nix
   ];
 
+  networking.firewall = {
+    allowedTCPPorts = [
+      # These are for "normal" clients
+      80
+      443
+
+      # Federation happens on 8448
+      8448
+
+      config.services.coturn.listening-port
+      config.services.coturn.tls-listening-port
+      config.services.coturn.alt-listening-port
+      config.services.coturn.alt-tls-listening-port
+    ];
+
+    allowedUDPPorts = [
+      config.services.coturn.listening-port
+      config.services.coturn.tls-listening-port
+      config.services.coturn.alt-listening-port
+      config.services.coturn.alt-tls-listening-port
+    ];
+
+    allowedUDPPortRanges = [
+      {
+        from = config.services.coturn.min-port;
+        to = config.services.coturn.max-port;
+      }
+    ];
+  };
+
   services = {
     matrix-conduit = {
       enable = true;

configuration/services/foundryvtt.nix

@@ -11,6 +11,11 @@ in
 {
   imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
 
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   services = {
     foundryvtt = {
       enable = true;

configuration/services/gitea.nix

@@ -8,6 +8,11 @@ let
   domain = "gitea.${config.services.nginx.domain}";
 in
 {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   services = {
     forgejo = {
       enable = true;

configuration/services/immich.nix

@@ -8,6 +8,11 @@ let
   hostName = "immich.${config.services.nginx.domain}";
 in
 {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   services = {
     immich = {
       enable = true;

configuration/services/metrics/grafana.nix

@@ -3,6 +3,11 @@ let
   domain = "metrics.${config.services.nginx.domain}";
 in
 {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   services.grafana = {
     enable = true;
     settings = {

configuration/services/nextcloud.nix

@@ -9,6 +9,11 @@ let
   hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   services = {
     nextcloud = {
       inherit hostName;

configuration/services/starbound.nix

@@ -8,6 +8,8 @@ let
   inherit (lib) concatStringsSep;
 in
 {
+  networking.firewall.allowedTCPPorts = [ 21025 ];
+
   # Sadly, steam-run requires some X libs
   environment.noXlibs = false;
 

configuration/services/webserver.nix

@@ -3,6 +3,11 @@ let
   inherit (config.services.nginx) domain;
 in
 {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   services.tlaternet-webserver = {
     enable = true;
     listen = {