{ ... }:

{
  networking.firewall = {

    extraCommands = "
      iptables -I nixos-fw 1 -i br+ -j ACCEPT
    ";

    extraStopCommands = "
      iptables -D nixos-fw -i br+ -j ACCEPT
    ";

    trustedInterfaces = [ "br+" ];

    allowedTCPPorts = [
      # qbit
      8081
      8082
      8443

      # hydra
      3000

      # minio
      8500
      8501

      # gitea
      2222
      2223
      8088

      # attic
      8183

      # collabora
      9980

      # arr
      6767
      9696
      7878
      8989
      8686
      8787
      5055

      # temp postgres
      5432
    ];

  };
}