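# Firewall allow-lists for this host: TCP ports, UDP ports and UDP port ranges.
#
# NOTE(review): where this attrset is applied is not visible from this file. If
# it feeds the global networking.firewall options, every port below is
# reachable on all interfaces, including the admin UIs (syncthing 8384,
# unifi 8443, pihole 8585). If only the LAN needs them, scope them with
# networking.firewall.interfaces.<name> instead. Confirm against the importer.
{
  allowedTCPPorts = [
    8384 22000 # syncthing (8384 is the web GUI / REST API, 22000 the sync protocol)

    # unifi controller:
    # https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
    8080 8443 6789 8880 8843
    # 27117 is the controller's MongoDB. The reference above lists it as
    # local-bound database traffic, which travels over loopback and needs no
    # inbound rule. It is left closed so the database cannot become reachable
    # from the network if its bind address ever changes.
    #27117 # unifi local database

    8585 # pihole web
    53 # pihole
    #8123 # home-assistant
    #3000 # gitea

    # NOTE(review): opened directly rather than behind the reverse proxy;
    # confirm the listener on 8081 terminates TLS before exposing a password
    # vault on it.
    8081 # vaultwarden

    # If we are reverse proxying we should map to a different port than 443 or
    # 80. Here we leave those ports closed so that pihole will be more
    # efficient. When pihole "blocks" a site, depending on configuration, what
    # it may really do is return its own IP, so the client then requests the
    # content from this node at whichever port it needs. That is usually 80 or
    # 443 for http and https, so it's better to block these fast than to pass
    # all that traffic to some actual service.
    # NOTE(review): the client only sees a fast failure if the firewall rejects
    # instead of silently dropping (networking.firewall.rejectPackets); with
    # drops it waits for a timeout. Confirm which is configured.
    #80 443 # reverse proxy
  ];

  allowedUDPPorts = [
    22000 21027 # syncthing
    3478 5514 10001 1900 123 # unifi
    53 # pihole
    #80 443 # reverse proxy
  ];

  allowedUDPPortRanges = [
    { from = 5656; to = 5699; } # unifi
  ];
}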