# Host firewall policy: default-deny inbound with a short allow-list.
{
  networking.firewall = {
    enable = true;

    # Inbound TCP allowed on every interface: 80 and 443
    # (conventionally HTTP and HTTPS).
    allowedTCPPorts = [ 80 443 ];

    # Inbound UDP allowed on every interface: 53 (conventionally DNS).
    # NOTE(review): this exposes UDP 53 on all interfaces, not only the
    # internal ones. If the listener is a recursive resolver, confirm it is
    # not answering arbitrary external clients. TCP 53 is not opened here,
    # so DNS answers that need TCP fallback will not get through; confirm
    # that is intended.
    allowedUDPPorts = [ 53 ];

    # Do not answer ICMPv4 echo requests.
    # NOTE(review): this reduces casual discovery only; the ports above are
    # still reachable. Confirm how the module treats ICMPv6 echo.
    allowPing = false;

    # Traffic arriving on a trusted interface bypasses the port lists above.
    # NOTE(review): presumably tailscale0 is the Tailscale tunnel, so every
    # peer the tailnet ACLs permit can reach every listening service on this
    # host. Confirm that the ACLs are the intended access control for them.
    trustedInterfaces = [ "tailscale0" ];
  };
}