{
  universal.modules = [
    {
      networking.firewall.enable = true;
      networking.nftables.enable = true;
    }
  ];
  fructose.modules = [
    {
      networking.firewall = {
        allowedUDPPorts = [
          #    53 # pihole
          #    5894 # couchdb
        ];
        allowedTCPPorts = [
          3000 # forgejo
          #    5894 # couchdb
        ];
      };
    }
  ];
}