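# Firewall openings, grouped into lists of NixOS modules under one attribute
# per name (universal, fructose, glucose, aspartame).
# NOTE(review): presumably `universal` is applied to every host and the other
# names are individual machines; the code that consumes this set is not
# visible here, so confirm.
#
# Review changes in this revision: UDP allow rules were dropped for services
# that speak HTTP over TCP only (node exporter, grafana, prometheus,
# conduwuit). Murmur keeps both protocols because it uses TCP and UDP on the
# same port. An allow rule with no listener behind it is harmless today, but
# it becomes exposure as soon as anything binds that port.
{
  universal.modules = [
    {
      networking.firewall.enable = true;
      networking.nftables.enable = true;
    }
    {
      networking.firewall.interfaces.wg0 = {
        # TODO: set up prometheus authentication, perhaps with a certificate. not *that* urgent because it's only on the wireguard network, maybe it's not even needed at all -e
        # NOTE(review): until then, every peer on wg0 can read this host's
        # metrics; the rule below is scoped to wg0 only, which is the
        # control actually in place.
        allowedTCPPorts = [
          6703 # prometheus node exporter
        ];
        # The node exporter is scraped over HTTP (TCP); no UDP opening needed.
        allowedUDPPorts = [ ];
      };
    }
  ];

  fructose.modules = [
    {
      # NOTE(review): these ports are opened on every interface, unlike the
      # per-interface rules used for wg0 and eth0 elsewhere in this file. If
      # these services are only meant to be reached through a reverse proxy
      # or over wireguard, scope them with `interfaces.<name>` -- confirm
      # which interfaces this host has.
      networking.firewall = {
        allowedUDPPorts = [ ];
        allowedTCPPorts = [
          3000 # forgejo web
          8080 # gotosocial web
          222 # forgejo ssh
        ];
      };
    }
  ];

  glucose.modules = [
    {
      # NOTE(review): opened on every interface. Grafana and prometheus are
      # admin/monitoring surfaces; if this host has a public interface,
      # restrict 6700 and 6750 to the wireguard interface -- confirm.
      networking.firewall = {
        allowedTCPPorts = [
          64738 # murmur tcp
          6700 # grafana web
          6750 # prometheus
          7893 # matrix/conduwuit
        ];
        allowedUDPPorts = [
          64738 # murmur udp
        ];
      };
    }
  ];

  aspartame.modules = [
    {
      # Only enables the fail2ban service; which jails watch which ports is
      # not configured here.
      # NOTE(review): confirm a jail covers the ssh endpoint on 222.
      services.fail2ban.enable = true;
      networking.firewall = {
        interfaces.eth0.allowedTCPPorts = [
          80 # http
          222 # forgejo ssh
          443 # https
          8448 # matrix/conduwuit federation (8448 is the matrix server-server default)
          64738 # murmur tcp
        ];
        interfaces.eth0.allowedUDPPorts = [
          64738 # murmur udp
        ];
      };
    }
  ];
}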