{
  config,
  lib,
  pkgs,
  zerotierInterface,
  ...
}:
{

  verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
  verify.http.taskchampion = {
    url = "http://orbi.private:10222";
    expectedContent = "TaskChampion sync server";
  };

  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    config.services.taskchampion-sync-server.port
  ];
  networking.firewall.interfaces.wg0.allowedUDPPorts = [
    config.services.taskchampion-sync-server.port
  ];

  services.taskchampion-sync-server = {
    enable = true;
    openFirewall = false;
  };

}