{
  universal.modules = [
    {
      networking.firewall.enable = true;
      networking.nftables.enable = true;
    }
  ];

  fructose.modules = [
    {
      networking.firewall = {
        allowedUDPPorts = [ ];
        allowedTCPPorts = [
          3000 # forgejo http
          222 # forgejo ssh
        ];
      };
    }
  ];

  aspartame.modules = [
    ({
      services.fail2ban.enable = true;
      networking.firewall = {
        interfaces.eth0.allowedTCPPorts = [
          80
          222 # this is for forgejo
          443
          64783 # this is for murmur
        ];
      };
    })
  ];
}