# Port map (see also host/overview/services.md) | Port | Role | |------|------| | 22 | sshd (WAN often via VeciGate 23235) | | 80 | systemd `http-proxy.socket` → Caddy **9000** | | 443 | systemd `https-proxy.socket` → Caddy **9001** | | 9000 | Caddy HTTP + ACME webroot | | 9001 | Caddy HTTPS (vhosts) | | 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld | | 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld | | 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld | | 9013–9015 | bank / exchange / merchant public landings | | 9020 | podman `koopa-castopod` → Caddy `castopod.hacktivism.ch` | | 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` | | 9022 | podman `koopa-prime` (Jellyfin) → Caddy `prime.hacktivism.ch` | | 9023 | podman qBittorrent → Caddy `bt.hacktivism.ch` | | **9024** | podman **`koopa-forgejo`** (HTTP) → Caddy **`git.hacktivism.ch`** | | **9200** | podman **Forgejo git-SSH** (host-direct; not Caddy) | | 8080 | Tor ORPort | VeciGate: WAN **80→9000**, WAN **443→9001**. Public apps: Caddy vhosts on **9001** → 127.0.0.1:{9010–9015, 9020–9024}. Git SSH needs separate NAT/firewall **9200/tcp** if exposed to WAN.