diff --git a/configuration/default.nix b/configuration/default.nix
index 2b8a16f..6f73f54 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -49,6 +49,39 @@
   networking = {
     usePredictableInterfaceNames = false;
     useDHCP = false;
+
+    firewall = {
+      allowedTCPPorts = [
+        # http
+        80
+        443
+        # ssh
+        2222
+        # matrix
+        8448
+        # starbound
+        21025
+
+        config.services.coturn.listening-port
+        config.services.coturn.tls-listening-port
+        config.services.coturn.alt-listening-port
+        config.services.coturn.alt-tls-listening-port
+      ];
+
+      allowedUDPPorts = [
+        config.services.coturn.listening-port
+        config.services.coturn.tls-listening-port
+        config.services.coturn.alt-listening-port
+        config.services.coturn.alt-tls-listening-port
+      ];
+
+      allowedUDPPortRanges = [
+        {
+          from = config.services.coturn.min-port;
+          to = config.services.coturn.max-port;
+        }
+      ];
+    };
   };
 
   systemd.network.enable = true;
diff --git a/configuration/nginx/logging.nix b/configuration/nginx/logging.nix
index e41bfae..aa533c3 100644
--- a/configuration/nginx/logging.nix
+++ b/configuration/nginx/logging.nix
@@ -121,18 +121,12 @@ in
       };
 
       testScript = ''
-        import time
-
         start_all()
 
         testHost.wait_for_unit("nginx.service")
         client.succeed("curl --max-time 10 http://testHost")
-
-        # Wait a bit for the prometheus exporter to scrape our logs
-        time.sleep(5)
-
         res = testHost.succeed("curl localhost:${builtins.toString config.services.prometheus.exporters.nginxlog.port}/metrics")
-        assert 'nginxlog_http_response_count_total{method="GET",status="200",vhost="testHost"} 1' in res, res
+        assert 'nginxlog_http_response_count_total{method="GET",status="200",vhost="testHost"} 1' in res
       '';
     };
   };
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index b6f8f27..6e01e81 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
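Review bot: Every port in the new `networking.firewall` block is opened unconditionally, whereas the per-service lists this commit removes (conduit, foundryvtt, gitea, immich, grafana, nextcloud, starbound, webserver) sat next to the `enable = true` of the service they served, so disabling or dropping a service no longer closes its port (8448 for federation, 21025 for starbound, the coturn ports). Assuming `lib` is among the module arguments, the non-HTTP entries can be tied back to their service, e.g. `] ++ lib.optionals config.services.coturn.enable [ config.services.coturn.listening-port … ]` for the four TCP and four UDP coturn entries and for the `allowedUDPPortRanges` relay range, and likewise for 8448 and 21025 with whatever enable flag those services expose; if the intent is that these ports stay open regardless, a one-line comment saying so would stop the next reader from re-adding the gating. The `# ssh` label on 2222 does not say which daemon owns the port (this tree also has a forgejo module), so naming the option it mirrors would keep the literal from drifting from the service's own port setting.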
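Review bot: With `time.sleep(5)` and its comment gone, `res` is scraped immediately after the client request, and the removed comment says that wait existed because the nginxlog exporter picks up the access log asynchronously, so the assertion can now fail intermittently when the metric has not been incremented yet. A retry is more robust than either a fixed sleep or no wait: `res = testHost.wait_until_succeeds("curl -s localhost:${builtins.toString config.services.prometheus.exporters.nginxlog.port}/metrics | grep -F 'nginxlog_http_response_count_total{method=\"GET\",status=\"200\",vhost=\"testHost\"} 1'")` polls until the line appears and still leaves the response in `res`. The new `assert … in res` also drops the trailing `, res`, so a failure no longer prints the scraped metrics body; keeping `assert '…' in res, res` preserves that diagnostic on the one line the hunk changes.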
@@ -17,36 +17,6 @@ in
     ./matrix-hookshot.nix
   ];
 
-  networking.firewall = {
-    allowedTCPPorts = [
-      # These are for "normal" clients
-      80
-      443
-
-      # Federation happens on 8448
-      8448
-
-      config.services.coturn.listening-port
-      config.services.coturn.tls-listening-port
-      config.services.coturn.alt-listening-port
-      config.services.coturn.alt-tls-listening-port
-    ];
-
-    allowedUDPPorts = [
-      config.services.coturn.listening-port
-      config.services.coturn.tls-listening-port
-      config.services.coturn.alt-listening-port
-      config.services.coturn.alt-tls-listening-port
-    ];
-
-    allowedUDPPortRanges = [
-      {
-        from = config.services.coturn.min-port;
-        to = config.services.coturn.max-port;
-      }
-    ];
-  };
-
   services = {
     matrix-conduit = {
       enable = true;
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 5c8a21f..6c475a3 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@@ -11,11 +11,6 @@ in
 {
   imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
 
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     foundryvtt = {
       enable = true;
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index b4dd719..613d30c 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -8,11 +8,6 @@ let
   domain = "gitea.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     forgejo = {
       enable = true;
diff --git a/configuration/services/immich.nix b/configuration/services/immich.nix
index 39673d0..516ea3e 100644
--- a/configuration/services/immich.nix
+++ b/configuration/services/immich.nix
@@ -8,11 +8,6 @@ let
   hostName = "immich.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     immich = {
       enable = true;
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index 765a364..f4b6956 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -3,11 +3,6 @@ let
   domain = "metrics.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services.grafana = {
     enable = true;
     settings = {
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 77cfa4c..ef2a6ac 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -9,11 +9,6 @@ let
   hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     nextcloud = {
       inherit hostName;
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index 6b97471..a667b57 100644
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -8,8 +8,6 @@ let
   inherit (lib) concatStringsSep;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 21025 ];
-
   # Sadly, steam-run requires some X libs
   environment.noXlibs = false;
 
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index 8f08e4f..864f6c0 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -3,11 +3,6 @@ let
   inherit (config.services.nginx) domain;
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services.tlaternet-webserver = {
     enable = true;
     listen = {