# Per-host firewall module lists: one `modules` list for all hosts ("universal")
# and one per named host (fructose, glucose, aspartame).
# NOTE(review): how these lists are combined into each system is not visible
# here; the comments below assume `universal.modules` is applied to every host
# in addition to that host's own list. Confirm against the caller.
{
  universal.modules = [
    # Turn the firewall on and use the nftables backend.
    ({
      networking.firewall.enable = true;
      networking.nftables.enable = true;
    })
    # Conditionally open the data-collection port, keyed on the host name.
    ({lib, config, ...}:
      lib.mkIf (
        config.networking.hostName != "aspartame"
        # open ports for data collection on everything EXCEPT aspartame, as that
        # would be stupid, considering it is literally public facing.
        # TODO: set up prometheus authentication, perhaps with a certificate. -e
        #
        # NOTE(review): the exclusion is a string match on the host name. If
        # aspartame's networking.hostName is ever changed, this condition turns
        # true and 6703 opens on the public-facing host as well.
      ) {
        networking.firewall = {
          # Not scoped to an interface, so 6703 is accepted on every interface
          # of each matching host. Until the authentication TODO above is done,
          # any peer that can reach these hosts can query the endpoint;
          # consider the `interfaces.<name>.allowed*Ports` form used for
          # aspartame to limit it to the internal network.
          allowedTCPPorts = [ 6703 ];
          # NOTE(review): presumably the collector speaks HTTP over TCP only;
          # confirm whether UDP 6703 is needed and drop it if not.
          allowedUDPPorts = [ 6703 ];
        };
      })
  ];

  fructose.modules = [
    {
      networking.firewall = {
        # List options from several modules are concatenated, so this empty
        # list adds nothing and does not undo the UDP 6703 entry contributed by
        # the universal module.
        allowedUDPPorts = [];
        # Opened on all interfaces.
        allowedTCPPorts = [
          3000 # forgejo http
          222 # forgejo ssh
        ];
      };
    }
  ];

  glucose.modules = [
    {
      networking.firewall = {
        # Opened on all interfaces.
        # NOTE(review): the TODO in the universal module says prometheus
        # authentication is not set up yet; confirm who can reach 6700/6750.
        allowedTCPPorts = [
          64738 # murmur tcp
          6700 # grafana
          6750 # prometheus
        ];
        # NOTE(review): grafana and prometheus are normally served over
        # HTTP/TCP; the UDP entries for 6700 and 6750 look unnecessary.
        # Confirm nothing listens there and remove them to keep the rule set
        # minimal.
        allowedUDPPorts = [
          64738 # murmur udp
          6700 # grafana
          6750 # prometheus
        ];
      };
    }
  ];

  # Public-facing host (per the comment in the universal module).
  aspartame.modules = [
    {
      # NOTE(review): only the enable switch is set here; which jails are
      # active, and whether any of them watches the forgejo ssh service on
      # port 222, is not visible in this file. Verify.
      services.fail2ban.enable = true;
      networking.firewall = {
        # Ports are opened on eth0 only; other interfaces get nothing from this
        # module. This depends on the public interface actually being named
        # eth0.
        interfaces.eth0.allowedTCPPorts = [
          80 # http
          222 # forgejo ssh
          443 # https
          64738 # murmur tcp
        ];
        interfaces.eth0.allowedUDPPorts = [
          64738 # murmur udp
        ];
      };
    }
  ];
}