{
  universal.modules = [
    {
      networking.firewall.enable = true;
      networking.nftables.enable = true;
    }
  ];

  fructose.modules = [
    {
      networking.firewall = {
        allowedUDPPorts = [ ];
        allowedTCPPorts = [
          3000 # forgejo http
          222 # forgejo ssh
        ];
      };
    }
  ];

  glucose.modules = [
    {
      networking.firewall = {
        allowedTCPPorts = [
          64738 # murmur tcp
        ];
        allowedUDPPorts = [
          64738 # murmur udp
        ];
      };
    }
  ];

  aspartame.modules = [
    ({
      services.fail2ban.enable = true;
      networking.firewall = {
        interfaces.eth0.allowedTCPPorts = [
          80
          222 # forgejo ssh
          443
          64738 # murmur tcp
        ];
        interfaces.eth0.allowedUDPPorts = [
          64738 # murmur udp
        ];
      };
    })
  ];
}