test(nginx): Add simple tests to assert nginx features work

configuration/default.nix

@@ -49,6 +49,39 @@
   networking = {
     usePredictableInterfaceNames = false;
     useDHCP = false;
+
+    firewall = {
+      allowedTCPPorts = [
+        # http
+        80
+        443
+        # ssh
+        2222
+        # matrix
+        8448
+        # starbound
+        21025
+
+        config.services.coturn.listening-port
+        config.services.coturn.tls-listening-port
+        config.services.coturn.alt-listening-port
+        config.services.coturn.alt-tls-listening-port
+      ];
+
+      allowedUDPPorts = [
+        config.services.coturn.listening-port
+        config.services.coturn.tls-listening-port
+        config.services.coturn.alt-listening-port
+        config.services.coturn.alt-tls-listening-port
+      ];
+
+      allowedUDPPortRanges = [
+        {
+          from = config.services.coturn.min-port;
+          to = config.services.coturn.max-port;
+        }
+      ];
+    };
   };
 
   systemd.network.enable = true;

configuration/nginx/logging.nix

@@ -121,18 +121,12 @@ in
           };
 
           testScript = ''
-            import time
-
             start_all()
 
             testHost.wait_for_unit("nginx.service")
             client.succeed("curl --max-time 10 http://testHost")
-
-            # Wait a bit for the prometheus exporter to scrape our logs
-            time.sleep(5)
-
             res = testHost.succeed("curl localhost:${builtins.toString config.services.prometheus.exporters.nginxlog.port}/metrics")
-            assert 'nginxlog_http_response_count_total{method="GET",status="200",vhost="testHost"} 1' in res, res
+            assert 'nginxlog_http_response_count_total{method="GET",status="200",vhost="testHost"} 1' in res
           '';
         };
       };

configuration/services/conduit/default.nix

@@ -17,36 +17,6 @@ in
     ./matrix-hookshot.nix
   ];
 
-  networking.firewall = {
-    allowedTCPPorts = [
-      # These are for "normal" clients
-      80
-      443
-
-      # Federation happens on 8448
-      8448
-
-      config.services.coturn.listening-port
-      config.services.coturn.tls-listening-port
-      config.services.coturn.alt-listening-port
-      config.services.coturn.alt-tls-listening-port
-    ];
-
-    allowedUDPPorts = [
-      config.services.coturn.listening-port
-      config.services.coturn.tls-listening-port
-      config.services.coturn.alt-listening-port
-      config.services.coturn.alt-tls-listening-port
-    ];
-
-    allowedUDPPortRanges = [
-      {
-        from = config.services.coturn.min-port;
-        to = config.services.coturn.max-port;
-      }
-    ];
-  };
-
   services = {
     matrix-conduit = {
       enable = true;

configuration/services/foundryvtt.nix

@@ -11,11 +11,6 @@ in
 {
   imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
 
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     foundryvtt = {
       enable = true;

configuration/services/gitea.nix

@@ -8,11 +8,6 @@ let
   domain = "gitea.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     forgejo = {
       enable = true;

configuration/services/immich.nix

@@ -8,11 +8,6 @@ let
   hostName = "immich.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     immich = {
       enable = true;

configuration/services/metrics/grafana.nix

@@ -3,11 +3,6 @@ let
   domain = "metrics.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services.grafana = {
     enable = true;
     settings = {

configuration/services/nextcloud.nix

@@ -9,11 +9,6 @@ let
   hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services = {
     nextcloud = {
       inherit hostName;

configuration/services/starbound.nix

@@ -8,8 +8,6 @@ let
   inherit (lib) concatStringsSep;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 21025 ];
-
   # Sadly, steam-run requires some X libs
   environment.noXlibs = false;
 

configuration/services/webserver.nix

@@ -3,11 +3,6 @@ let
   inherit (config.services.nginx) domain;
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
   services.tlaternet-webserver = {
     enable = true;
     listen = {