diff --git a/configuration/default.nix b/configuration/default.nix
index 6f73f54..08b63a1 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,9 +1,4 @@
-{
- config,
- modulesPath,
- flake-inputs,
- ...
-}:
+{ modulesPath, flake-inputs, ... }:
 {
 imports = [
 flake-inputs.disko.nixosModules.disko
@@ -49,39 +44,6 @@
 networking = {
 usePredictableInterfaceNames = false;
 useDHCP = false;
-
- firewall = {
- allowedTCPPorts = [
- # http
- 80
- 443
- # ssh
- 2222
- # matrix
- 8448
- # starbound
- 21025
-
- config.services.coturn.listening-port
- config.services.coturn.tls-listening-port
- config.services.coturn.alt-listening-port
- config.services.coturn.alt-tls-listening-port
- ];
-
- allowedUDPPorts = [
- config.services.coturn.listening-port
- config.services.coturn.tls-listening-port
- config.services.coturn.alt-listening-port
- config.services.coturn.alt-tls-listening-port
- ];
-
- allowedUDPPortRanges = [
- {
- from = config.services.coturn.min-port;
- to = config.services.coturn.max-port;
- }
- ];
- };
 };
 
 systemd.network.enable = true;
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index 6e01e81..b6f8f27 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
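Review bot: Nothing on the new side of this commit re-opens TCP 2222, which the firewall block removed further down in this file labelled `# ssh`; if sshd listens on 2222 this is a remote lockout on the next rebuild, unless the sshd module opens it on its own (`services.openssh.openFirewall`, which defaults to true and opens whatever `services.openssh.ports` is set to). Either confirm that `services.openssh.ports = [ 2222 ];` is set somewhere outside this diff, or add `networking.firewall.allowedTCPPorts = [ 2222 ];` beside the sshd configuration the way the other services now carry their own ports. Dropping `config` from the module arguments is consistent with the removal, but the rest of this file is outside the hunk, so any remaining `config.` reference would only surface at evaluation time.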
@@ -17,6 +17,36 @@ in
 ./matrix-hookshot.nix
 ];
 
+ networking.firewall = {
+ allowedTCPPorts = [
+ # These are for "normal" clients
+ 80
+ 443
+
+ # Federation happens on 8448
+ 8448
+
+ config.services.coturn.listening-port
+ config.services.coturn.tls-listening-port
+ config.services.coturn.alt-listening-port
+ config.services.coturn.alt-tls-listening-port
+ ];
+
+ allowedUDPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.tls-listening-port
+ config.services.coturn.alt-listening-port
+ config.services.coturn.alt-tls-listening-port
+ ];
+
+ allowedUDPPortRanges = [
+ {
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }
+ ];
+ };
+
 services = {
 matrix-conduit = {
 enable = true;
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 6c475a3..5c8a21f 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@@ -11,6 +11,11 @@ in
 {
 imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
 
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
 services = {
 foundryvtt = {
 enable = true;
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 613d30c..b4dd719 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -8,6 +8,11 @@ let
 domain = "gitea.${config.services.nginx.domain}";
 in
 {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
 services = {
 forgejo = {
 enable = true;
diff --git a/configuration/services/immich.nix b/configuration/services/immich.nix
index 516ea3e..39673d0 100644
--- a/configuration/services/immich.nix
+++ b/configuration/services/immich.nix
@@ -8,6 +8,11 @@ let
 hostName = "immich.${config.services.nginx.domain}";
 in
 {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
 services = {
 immich = {
 enable = true;
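Review bot: The four `config.services.coturn.*-port` entries in `allowedTCPPorts` and `allowedUDPPorts`, and the `min-port`/`max-port` range, are evaluated unconditionally, so those ports are opened even when `services.coturn.enable` is false — the port options carry defaults whether or not the service runs — and the same four option paths are spelled out twice. Bind them once and guard both lists and the range with `lib.optionals config.services.coturn.enable`, as below, so the TURN ports are only exposed while coturn is actually serving them. This assumes `config` and `lib` are among the module's arguments; the module header and the `services.coturn` definition are outside the hunk, so confirm both. The hard-coded `80`, `443` and `8448` are fine as written, since their comments already say what they are for.
```nix
networking.firewall =
  let
    turn = config.services.coturn;
    turnPorts = lib.optionals turn.enable [
      turn.listening-port
      turn.tls-listening-port
      turn.alt-listening-port
      turn.alt-tls-listening-port
    ];
  in
  {
    allowedTCPPorts = [
      # These are for "normal" clients
      80
      443

      # Federation happens on 8448
      8448
    ] ++ turnPorts;

    allowedUDPPorts = turnPorts;

    allowedUDPPortRanges = lib.optionals turn.enable [
      {
        from = turn.min-port;
        to = turn.max-port;
      }
    ];
  };
```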
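Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` is added here and, in the same commit, to gitea, immich, grafana, nextcloud and webserver; NixOS merges the lists so nothing breaks, but the opening belongs with the module that actually listens on 80/443 (presumably the nginx vhost setup, going by the `${config.services.nginx.domain}` hostnames in the sibling files), not with each backend that sits behind it. One entry next to the nginx configuration keeps the exposure in a single place and means a backend file can be dropped later without leaving a stale rule behind. If the per-file copies are intended so that each service file stands alone, say so with a comment such as `# reached through the shared nginx vhost; 80/443 are also opened by the other proxied services`.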
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index f4b6956..765a364 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -3,6 +3,11 @@ let
 domain = "metrics.${config.services.nginx.domain}";
 in
 {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
 services.grafana = {
 enable = true;
 settings = {
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index ef2a6ac..77cfa4c 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -9,6 +9,11 @@ let
 hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
 services = {
 nextcloud = {
 inherit hostName;
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index a667b57..6b97471 100644
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -8,6 +8,8 @@ let
 inherit (lib) concatStringsSep;
 in
 {
+ networking.firewall.allowedTCPPorts = [ 21025 ];
+
 # Sadly, steam-run requires some X libs
 environment.noXlibs = false;
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index 864f6c0..8f08e4f 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -3,6 +3,11 @@ let
 inherit (config.services.nginx) domain;
 in
 {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
 services.tlaternet-webserver = {
 enable = true;
 listen = {
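Review bot: `networking.firewall.allowedTCPPorts = [ 21025 ];` in starbound.nix is the one rule in this commit that exposes a backend directly rather than through the HTTP ports, and the `# starbound` label the old central list carried is gone; a comment such as `# Starbound game server, reached directly by clients (TCP 21025)` keeps that exposure visible to the next reader. If the starbound module configured lower in this file exposes a port option, referencing it the way the conduit module references `config.services.coturn.*` would keep the firewall rule and the listener from drifting apart; the rest of this module is outside the hunk, so that is a guess to confirm.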