{ ... }:

{
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  users.groups = {
    "frontend" = { };
  };
}