diff --git a/common/constants.nix b/common/constants.nix
index 138271c..dd96f65 100644
--- a/common/constants.nix
+++ b/common/constants.nix
@@ -4,28 +4,41 @@
 type = types.str;
 default = "invariantspace.com";
 description = ''
- Store the default domain for all devices.
+ The domain for all devices.
 '';
 };
 homeDir = mkOption {
 type = types.str;
 default = "/home/${config.constants.userName}";
 description = ''
- The default home directory for the default user.
+ The home directory for the default user.
 '';
 };
 localhost = mkOption {
 type = types.str;
 default = "127.0.0.1";
 description = ''
- Store the default localhost address.
+ The localhost address.
+ '';
+ };
+ port = mkOption {
+ type = types.attrsOf types.port;
+ default = {
+ http = 80;
+ https = 443;
+ jellyfin = 8096;
+ wireguard-server = 45556;
+ xray = 50051;
+ };
+ description = ''
+ The mapping from service to ports.
 '';
 };
 postMaster = mkOption {
 type = types.str;
 default = "trivial@${config.constants.domain}";
 description = ''
- Store the default post master email address.
+ The post master email address.
 '';
 };
 publicKeys = mkOption {
@@ -55,7 +68,7 @@
 type = types.str;
 default = "macronova";
 description = ''
- The default username across all devices.
+ The username across all devices.
 '';
 };
 };
diff --git a/linux/blitzar/network.nix b/linux/blitzar/network.nix
index f5a83e6..e0da014 100644
--- a/linux/blitzar/network.nix
+++ b/linux/blitzar/network.nix
@@ -1,6 +1,6 @@
 { config, ... }: {
- networking = {
- domain = config.constants.domain;
+ networking = let const = config.constants; in {
+ domain = const.domain;
 hostId = "30f8f777";
 networkmanager = {
 enable = true;
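Review bot: The description of the new `port` option, `The mapping from service to ports.`, does not say what the mapping is for, and a reader can take it to mean that listing a service here exposes it. In this commit the values are only read back by the hosts: each `networking.firewall.allowed*Ports` list still names the ports it opens, and `wireguard-server` is read as singularity's `listenPort` and as the peer endpoint port on blitzar and nebula, so the two sides can no longer drift apart. A description such as `Well-known ports by service name, shared by every host. Listing a port here does not open it; each host's firewall names what it exposes, and the WireGuard entry must match on the server and its peers.` would make that explicit.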
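Review bot: The shortcut for `config.constants` is bound differently in each file this commit touches: blitzar binds it inside the `networking` value (`networking = let const = config.constants; in {`), nebula binds `const` in the file-level `let`, and singularity binds only `port = config.constants.port` at file level. One convention would make the three `network.nix` files read alike; the file-level form `let const = config.constants; in {` used by nebula fits blitzar as well, and then `domain = const.domain;` here and the `endpoint` line in the second hunk read from one binding the whole file can see. The `networking` attrset continues past the end of this hunk.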
@@ -11,7 +11,7 @@
 ips = [ "10.32.54.2/32" ];
 peers = [{
 allowedIPs = [ "10.32.54.0/24" ];
- endpoint = "${config.constants.domain}:45556";
+ endpoint = "${const.domain}:${toString const.port.wireguard-server}";
 publicKey = "0j8+alXU/f2UgWN61R6+Wjs9xelGRwpSbe5NyOwWlF4=";
 }];
 privateKeyFile = config.sops.secrets."wireguard/${config.networking.hostName}".path;
diff --git a/linux/nebula/caddy.nix b/linux/nebula/caddy.nix
index 973d629..5876955 100644
--- a/linux/nebula/caddy.nix
+++ b/linux/nebula/caddy.nix
@@ -16,7 +16,7 @@
 reverse_proxy ${forgejoCfg.HTTP_ADDR}:${toString forgejoCfg.HTTP_PORT}
 '';
 "jellyfin.${dn}".extraConfig = ''
- reverse_proxy ${lh}:8096
+ reverse_proxy ${lh}:${toString config.constants.port.jellyfin}
 '';
 "matrix.${dn}".extraConfig = ''
 reverse_proxy /_matrix/* ${conduitCfg.address}:${toString conduitCfg.port}
diff --git a/linux/nebula/network.nix b/linux/nebula/network.nix
index 9d906a7..ee1eb85 100644
--- a/linux/nebula/network.nix
+++ b/linux/nebula/network.nix
@@ -1,9 +1,9 @@
 { config, ... }:
-let hn = config.networking.hostName; in {
+let const = config.constants; hn = config.networking.hostName; in {
 networking = {
 domain = config.constants.domain;
- firewall.allowedTCPPorts = [ 80 443 ];
+ firewall.allowedTCPPorts = with const.port; [ http https ];
 hostId = "e6449321";
 networkmanager = {
 enable = true;
@@ -15,7 +15,7 @@ let hn = config.networking.hostName; in {
 ips = [ "10.32.54.3/32" ];
 peers = [{
 allowedIPs = [ "10.32.54.0/24" ];
- endpoint = "${config.constants.domain}:45556";
+ endpoint = "${const.domain}:${toString const.port.wireguard-server}";
 persistentKeepalive = 54;
 publicKey = "0j8+alXU/f2UgWN61R6+Wjs9xelGRwpSbe5NyOwWlF4=";
 }];
diff --git a/linux/singularity/caddy.nix b/linux/singularity/caddy.nix
index 9482837..b855778 100644
--- a/linux/singularity/caddy.nix
+++ b/linux/singularity/caddy.nix
@@ -1,7 +1,6 @@
 { config, ... }: {
-
 services.caddy = {
 enable = true;
 email = config.constants.postMaster;
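Review bot: `config.constants.port.jellyfin` on the new `reverse_proxy` line is only the proxy's idea of where Jellyfin listens; nothing in this commit feeds the same constant into the Jellyfin service, whereas the neighbouring Forgejo and Conduit lines take address and port from the service's own configuration (`forgejoCfg.HTTP_PORT`, `conduitCfg.port`). If the upstream cannot be pointed at the constant, a comment such as `# must match Jellyfin's own listen port; not derived from the service config` would stop the next reader from assuming the two are linked. The same applies to `config.constants.port.https` in the `m.server` delegation in linux/singularity/caddy.nix, which has to match the port Caddy actually serves federation on. The attrset this hunk sits in starts and ends outside the hunk.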
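Review bot: `domain = config.constants.domain;` in the first hunk of linux/nebula/network.nix keeps its long form even though the hunk now binds `const = config.constants` two lines above it; it should read `domain = const.domain;`, as the `endpoint` line in the second hunk already does. Separately, `firewall.allowedTCPPorts = with const.port; [ http https ];` relies on `with`, where a lexically bound name of the same spelling silently wins over the attribute; `[ const.port.http const.port.https ]` says the same without opening a scope. The same `with port;` shape is used for both firewall lists in linux/singularity/network.nix. The `networking` attrset continues past this hunk.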
@@ -17,7 +16,7 @@
 "${dn}".extraConfig = let wnm = wn "matrix"; in ''
 header ${wnm}/* Content-Type application/json
 header ${wnm}/* Access-Control-Allow-Origin *
- respond ${wnm}/server `{ "m.server": "${mtfqdn}:443" }`
+ respond ${wnm}/server `{ "m.server": "${mtfqdn}:${toString config.constants.port.https}" }`
 respond ${wnm}/client `{
 "m.homeserver": { "base_url": "https://${mtfqdn}" },
 "m.identity_server": { "base_url": "https://${mtfqdn}" }
diff --git a/linux/singularity/network.nix b/linux/singularity/network.nix
index a166222..e30aa3d 100644
--- a/linux/singularity/network.nix
+++ b/linux/singularity/network.nix
@@ -1,22 +1,22 @@
 { config, ... }:
-let hn = config.networking.hostName; in {
- networking = let wg = { interface = "wgs"; port = 45556; }; in {
+let hn = config.networking.hostName; port = config.constants.port; wgi = "wgs"; in {
+ networking = {
 domain = config.constants.domain;
 firewall = {
- allowedTCPPorts = [ 80 443 50051 ];
- allowedUDPPorts = [ wg.port ];
+ allowedTCPPorts = with port; [ http https xray ];
+ allowedUDPPorts = with port; [ wireguard-server ];
 };
 hostId = "2cadb253";
 nat = {
 enable = true;
 externalInterface = "ens18";
- internalInterfaces = [ wg.interface ];
+ internalInterfaces = [ wgi ];
 };
 nftables.enable = true;
- wireguard.interfaces.${wg.interface} = {
+ wireguard.interfaces.${wgi} = {
 ips = [ "10.32.54.76/24" ];
- listenPort = wg.port;
+ listenPort = port.wireguard-server;
 peers = [
 {
 allowedIPs = [ "10.32.54.2/32" ];
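Review bot: The new file-level `let` in linux/singularity/network.nix puts three unrelated bindings on one line and splits the WireGuard settings that the old `wg = { interface = "wgs"; port = 45556; }` kept together into a bare `wgi` and `port.wireguard-server`. Keeping the grouping as `wg = { interface = "wgs"; port = config.constants.port.wireguard-server; };`, with one binding per line, would let `listenPort`, `internalInterfaces` and the `wireguard.interfaces` key keep reading from a single `wg` while still taking the port from the shared option. The `networking` attrset continues past the end of the hunk, and the hunk itself may extend beyond the last visible line.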