diff --git a/applications/firewall.nix b/applications/firewall.nix
index cb4fe34..33249e4 100644
--- a/applications/firewall.nix
+++ b/applications/firewall.nix
@@ -1,73 +1,91 @@
-{
+{lib, config, ...}:{
- networking.firewall.enable = false;
- networking.nftables.enable = true;
+ # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
+ options = {
+ firewall_forward = lib.mkOption {
+ default = [ ];
+ type = lib.types.listOf lib.types.str;
+ description = ''
+ A list of routes to forward
+ '';
+ };
+ };
- # fules for the firewall
- # beware of EOL conversion.
- networking.nftables.ruleset =
- ''
- # Check out https://wiki.nftables.org/ for better documentation.
- # Table for both IPv4 and IPv6.
- table ip nat {
- chain prerouting {
- type nat hook prerouting priority dstnat; policy accept;
+ config = {
+ # disable default firewall to enable nftables
+ networking.firewall.enable = false;
+ networking.nftables.enable = true;
- # forward anything with port 2222 to this specific ip
- # tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
+ # fules for the firewall
+ # beware of EOL conversion.
+ networking.nftables.ruleset =
+ ''
+ # Check out https://wiki.nftables.org/ for better documentation.
+ # Table for both IPv4 and IPv6.
+ table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
- # forward http/s traffic from 76 to 123
- # ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
- # ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
- }
+ # forward anything with port 2222 to this specific ip
+ # tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
+ # forward http/s traffic from 76 to 123
+ # ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
+ # ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
+ }
- # the internal network
- ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
- }
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
- chain output {
- type nat hook output priority -100; policy accept;
- }
- }
+ # the internal network
+ ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
+ }
- table ip filter {
- chain input {
- type filter hook input priority filter; policy accept;
- tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh
- tcp dport 22 counter packets 0 bytes 0 accept
- }
+ chain output {
+ type nat hook output priority -100; policy accept;
+ }
+ }
- chain forward {
- type filter hook forward priority filter; policy drop;
- counter packets 0 bytes 0 jump rejects
+ table ip filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh
+ tcp dport 22 counter packets 0 bytes 0 accept
+ }
- # accept these ip/ports
- # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ counter packets 0 bytes 0 jump rejects
- counter packets 0 bytes 0 reject with icmp type admin-prohibited
- }
+ # accept these ip/ports
+ # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
- chain output {
- type filter hook output priority filter; policy accept;
+ # can basically make each machiene responsibile for their own forwarding (in config at least)
+ ${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward}
- # no outgoing limits (for now)
- }
+ counter packets 0 bytes 0 reject with icmp type admin-prohibited
+ }
- chain fail2ban-ssh {
- # ban these
- # ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
- counter packets 0 bytes 0 return
- }
+ chain output {
+ type filter hook output priority filter; policy accept;
- chain rejects {
- # Reject all these
- # ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
- }
- }
- '';
+ # no outgoing limits (for now)
+ }
+
+ chain fail2ban-ssh {
+ # ban these
+ # ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
+ counter packets 0 bytes 0 return
+ }
+
+ chain rejects {
+ # Reject all these
+ # ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
+ }
+ }
+ '';
+
+ };
 }
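Review bot: Each `firewall_forward` entry is spliced verbatim into `chain forward` of `table ip filter` by the `${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward}` line, so the option carries raw nftables rule text rather than "routes", and one malformed entry makes `nft -f` reject the whole ruleset — with `networking.firewall.enable = false` that would leave the host with no filter table and no `policy drop` on forward at all. The option description should say so, e.g. `Raw nftables rules inserted into chain forward of table ip filter, ahead of the final reject; each entry must be a complete, valid rule, since a single bad line prevents the entire ruleset from loading.` Keeping build-time validation on (NixOS's `networking.nftables.checkRuleset`, where the pinned nixpkgs provides it) would turn such an error into a build failure instead of a firewall that never comes up. Separately, the re-added comment `# Table for both IPv4 and IPv6.` does not match `table ip nat` / `table ip filter`, which are IPv4-only families; if IPv6 forwarding is enabled on this host, that traffic is not covered by the drop policy unless an `inet` or `ip6` table is added.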