{
  universal.modules = [
    {
      networking.firewall.enable = true;
      networking.nftables.enable = true;
      networking.firewall = {
        allowedTCPPorts = [
          6703
        ];
        allowedUDPPorts = [
          6703
        ];
      };
    }
  ];

  fructose.modules = [
    {
      networking.firewall = {
        allowedUDPPorts = [];
        allowedTCPPorts = [
          3000 # forgejo http
          222 # forgejo ssh
        ];
      };
    }
  ];

  glucose.modules = [
    {
      networking.firewall = {
        allowedTCPPorts = [
          64738 # murmur tcp
          6700 # grafana
          6750 # prometheus
        ];
        allowedUDPPorts = [
          64738 # murmur udp
          6700 # grafana
          6750 # prometheus
        ];
      };
    }
  ];

  aspartame.modules = [
    {
      services.fail2ban.enable = true;
      networking.firewall = {
        interfaces.eth0.allowedTCPPorts = [
          80 # http
          222 # forgejo ssh
          443 # https
          64738 # murmur tcp
        ];
        interfaces.eth0.allowedUDPPorts = [
          64738 # murmur udp
        ];
      };
    }
  ];
}