diff --git a/PORT_MAP.md b/PORT_MAP.md
index e3a2417..443c4a8 100644
--- a/PORT_MAP.md
+++ b/PORT_MAP.md
@@ -4,6 +4,13 @@ All the ports which are used by bundles. Collected here to be able to
 easily find available ports for other bundles.
 
 ## TCP
+Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
+
+| Port range  | reserved for |
+ ----------- | ------------ |
+| 200..       | Matrix |
+| 220..       | Generic Web services |
+
 | Port        | bundle               | usage |
 | ----------- | -------------------- | ----- |
 | 22          |                      | sshd |
@@ -15,7 +22,6 @@ easily find available ports for other bundles.
 | 443         | nginx                | https |
 | 587         |                      | postfix submission |
 | 993         |                      | dovecot imap
-| 3000        | gitea                | gitea |
 | 3100        |                      | grafana |
 | 3700        |                      | codimd |
 | 4090        |                      | dovecot managesieve |
@@ -24,17 +30,18 @@ easily find available ports for other bundles.
 | 5900        | vmhost               | qemu-system-x86 |
 | 6379        |                      | redis |
 | 6667        |                      | bitlbee |
-| 8008        | matrix-synapse       | client, federation |
-| 8009        | matrix-synapse       | prometheus metrics |
 | 8010        |                      | matrix-media-repo |
 | 8020        |                      | mautrix-whatsapp |
 | 8080        |                      | miniflux |
-| 8093        | travelynx            | Travelynx Web |
 | 8184        |                      | matrix-dimension |
-| 9000        | jenkins-ci           | Jenkins CI |
 | 11332-11334 |                      | rspamd |
 | 20000       | mx-puppet-discord    | Bridge |
-| 21000       | mautrix-telegram     | Bridge |
+| 20010       | mautrix-telegram     | Bridge |
+| 20080       | matrix-synapse       | client, federation |
+| 20081       | matrix-synapse       | prometheus metrics |
+| 22000       | gitea                | gitea |
+| 22010       | jenkins-ci           | Jenkins CI |
+| 22020       | travelynx            | Travelynx Web |
 | 45923       |                      | grafana |
 
 ## UDP
diff --git a/bundles/gitea/files/app.ini b/bundles/gitea/files/app.ini
index 7fbe73f..da1c881 100644
--- a/bundles/gitea/files/app.ini
+++ b/bundles/gitea/files/app.ini
@@ -16,7 +16,7 @@ PROTOCOL = http
 SSH_DOMAIN = ${domain}
 DOMAIN = ${domain}
 HTTP_ADDR = 127.0.0.1
-HTTP_PORT = 3000
+HTTP_PORT = 22000
 ROOT_URL = https://${domain}/
 DISABLE_SSH = false
 SSH_PORT = 22
diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py
index a12c034..075bd44 100644
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@@ -42,7 +42,7 @@ def nginx(metadata):
             'vhosts': {
                 metadata.get('gitea/domain'): {
                     'proxy': {
-                        '/': 'http://127.0.0.1:3000',
+                        '/': 'http://127.0.0.1:22000',
                     },
                 },
             },
diff --git a/bundles/jenkins-ci/files/jenkins b/bundles/jenkins-ci/files/jenkins
index b357613..9c4fede 100644
--- a/bundles/jenkins-ci/files/jenkins
+++ b/bundles/jenkins-ci/files/jenkins
@@ -13,7 +13,7 @@ JENKINS_ENABLE_ACCESS_LOG="no"
 JENKINS_WAR=/usr/share/$NAME/$NAME.war
 
 RUN_STANDALONE=true
-HTTP_PORT=9000
+HTTP_PORT=22010
 PREFIX=/
 MAXOPENFILES=8192
 
diff --git a/bundles/matrix-synapse/files/homeserver.yaml b/bundles/matrix-synapse/files/homeserver.yaml
index a754d88..cb76cc7 100644
--- a/bundles/matrix-synapse/files/homeserver.yaml
+++ b/bundles/matrix-synapse/files/homeserver.yaml
@@ -17,7 +17,7 @@ federation_ip_range_blacklist:
   - 'fc00::/7'
 
 listeners:
-  - port: 8009
+  - port: 20081
     tls: false
     bind_addresses: ['::1']
     type: http
@@ -27,7 +27,7 @@ listeners:
       - names: [metrics]
         compress: false
 
-  - port: 8008
+  - port: 20080
     tls: false
     bind_addresses: ['::1']
     type: http
diff --git a/bundles/mautrix-telegram/files/config.yaml b/bundles/mautrix-telegram/files/config.yaml
index ddb6f77..25d0518 100644
--- a/bundles/mautrix-telegram/files/config.yaml
+++ b/bundles/mautrix-telegram/files/config.yaml
@@ -4,11 +4,11 @@ homeserver:
     verify_ssl: true
 
 appservice:
-    address: http://${node.metadata['mautrix-telegram'].get('listen-addr', '127.0.0.1')}:${node.metadata['mautrix-telegram'].get('port', 21000)}
+    address: http://${node.metadata['mautrix-telegram'].get('listen-addr', '127.0.0.1')}:${node.metadata['mautrix-telegram'].get('port', 20010)}
     tls_cert: false
     tls_key: false
     hostname: ${node.metadata['mautrix-telegram'].get('listen-addr', '127.0.0.1')}
-    port: ${node.metadata['mautrix-telegram'].get('port', 21000)}
+    port: ${node.metadata['mautrix-telegram'].get('port', 20010)}
     max_body_size: ${node.metadata['mautrix-telegram'].get('max-body-size', 1)}
     database: postgres://${node.metadata['mautrix-telegram']['database']['user']}:${node.metadata['mautrix-telegram']['database']['password']}@${node.metadata['mautrix-telegram']['database'].get('host', 'localhost')}/${node.metadata['mautrix-telegram']['database']['database']}
     public:
diff --git a/bundles/mautrix-telegram/files/registration.yaml b/bundles/mautrix-telegram/files/registration.yaml
index dedca65..8a7825a 100644
--- a/bundles/mautrix-telegram/files/registration.yaml
+++ b/bundles/mautrix-telegram/files/registration.yaml
@@ -10,6 +10,6 @@ namespaces:
     aliases:
     - exclusive: true
       regex: '#telegram_.+:${node.metadata['mautrix-telegram']['homeserver']['domain']}'
-url: http://${node.metadata['mautrix-telegram'].get('listen-addr', '127.0.0.1')}:${node.metadata['mautrix-telegram'].get('port', 21000)}
+url: http://${node.metadata['mautrix-telegram'].get('listen-addr', '127.0.0.1')}:${node.metadata['mautrix-telegram'].get('port', 20010)}
 sender_localpart: ${node.metadata['mautrix-telegram']['sender_localpart']}
 rate_limited: false
diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf
index f265f9b..bc8e128 100644
--- a/bundles/travelynx/files/travelynx.conf
+++ b/bundles/travelynx/files/travelynx.conf
@@ -27,7 +27,7 @@
     hypnotoad => {
         accepts  => 100,
         clients  => 10,
-        listen   => [ 'http://127.0.0.1:8093' ],
+        listen   => [ 'http://127.0.0.1:22020' ],
         pid_file => '/var/cache/travelynx/travelynx.pid',
         workers  => ${workers},
         spare    => ${spare_workers},
diff --git a/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
index 8c5c786..5052639 100644
--- a/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
+++ b/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
@@ -7,7 +7,7 @@
     }
 
     location /_matrix {
-        proxy_pass http://[::1]:8008;
+        proxy_pass http://[::1]:20080;
         proxy_set_header X-Forwarded-For $remote_addr;
     }
 
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index be83efe..cd28834 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -167,7 +167,7 @@ nodes['htz.ex42-1048908'] = {
                 },
                 'jenkins.kunsmann.eu': {
                     'proxy': {
-                        '/': 'http://localhost:9000/',
+                        '/': 'http://localhost:22010/',
                     },
                 },
                 'kunbox.net': {},
@@ -200,7 +200,7 @@ nodes['htz.ex42-1048908'] = {
                 },
                 'travelynx.franzi.business': {
                     'proxy': {
-                        '/': 'http://127.0.0.1:8093',
+                        '/': 'http://127.0.0.1:22020',
                     },
                     'extras': True,
                 },