diff --git a/data.nix b/data.nix
index aee2122..280141e 100644
--- a/data.nix
+++ b/data.nix
@@ -89,20 +89,22 @@ rec {
 # copied from nixpkgs/lib/attrsets.nix
 attrVals = nameList: set: map (x: set.${x}) nameList;
- motiejus_ips = let
- mHosts =
- attrVals [
+ subnets = {
+ tailscale = {
+ cidr = "100.89.176.0/20";
+ range = "100.89.176.0-100.89.191.255";
+ sshPattern = "100.89.176.?"; # until we have more hosts
+ };
+ motiejus.cidrs = let
+ mHosts =
+ attrVals [
 "mxp10.motiejus.jakst"
- "fwmine.motiejus.jakst"
- ]
- hosts;
- in
- builtins.catAttrs "jakstIP" mHosts;
+ "fwmine.motiejus.jakst"
+ ]
+ hosts;
+ in builtins.catAttrs "jakstIP" mHosts;
- tailscale_subnet = {
- cidr = "100.89.176.0/20";
- range = "100.89.176.0-100.89.191.255";
- pattern = "100.89.176.?"; # until we have more hosts
+ vno1.cidr = "192.168.189.0/24";
 };
 jakstysLTZone = let
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 14dc5cf..6e97901 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -145,7 +145,7 @@
 services = {
 friendlyport.ports = [
 {
- subnets = [myData.tailscale_subnet.cidr];
+ subnets = [myData.subnets.tailscale.cidr];
 tcp = [
 80
 443
@@ -165,7 +165,7 @@
 headscale = {
 enable = true;
 clientOidcPath = config.age.secrets.headscale-client-oidc.path;
- subnetCIDR = myData.tailscale_subnet.cidr;
+ subnetCIDR = myData.subnets.tailscale.cidr;
 };
 nsd-acme = let
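Review bot: `sshPattern = "100.89.176.?"` carries over the old single-character glob, so it matches only 100.89.176.0 through 100.89.176.9 even though `cidr` two lines above declares the whole /20; since sshd's `from=` option also accepts CIDR address/masklen notation, `sshPattern = "100.89.176.0/20";` (or simply reusing `cidr`) would remove the "until we have more hosts" caveat, if trusting the whole tailnet range is the intent. The same limitation is inherited where the value is consumed in modules/services/deployerbot/default.nix. Separately, `motiejus.cidrs` is filled from the hosts' `jakstIP` attributes, which by name look like single addresses rather than prefixes; if so, a comment such as `# per-host addresses from hosts.*.jakstIP, not prefixes` would keep the new name from misleading readers of the friendlyport rules built from it.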
@@ -242,13 +242,13 @@
 }
 '';
 virtualHosts."grafana.jakstys.lt".extraConfig = ''
- @denied not remote_ip ${myData.tailscale_subnet.cidr}
+ @denied not remote_ip ${myData.subnets.tailscale.cidr}
 abort @denied
 reverse_proxy 127.0.0.1:3000
 tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
 '';
 virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
- @denied not remote_ip ${myData.tailscale_subnet.cidr}
+ @denied not remote_ip ${myData.subnets.tailscale.cidr}
 abort @denied
 tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 1594c6f..465266d 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -36,7 +36,7 @@
 mj.services.friendlyport.ports = [
 {
- subnets = [myData.tailscale_subnet.cidr];
+ subnets = [myData.subnets.tailscale.cidr];
 tcp = [config.services.iperf3.port];
 }
 ];
diff --git a/modules/base/sshguard/default.nix b/modules/base/sshguard/default.nix
index 1dc8ad9..b1147d4 100644
--- a/modules/base/sshguard/default.nix
+++ b/modules/base/sshguard/default.nix
@@ -16,10 +16,7 @@
 enable = true;
 blocktime = 900;
 whitelist =
- [
- "192.168.0.0/16"
- myData.tailscale_subnet.cidr
- ]
+ ["192.168.0.0/16" myData.subnets.tailscale.cidr]
 ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
 };
 };
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
index 7fd32a8..867e9fb 100644
--- a/modules/services/deployerbot/default.nix
+++ b/modules/services/deployerbot/default.nix
@@ -97,7 +97,7 @@
 createHome = true;
 uid = uidgid;
 openssh.authorizedKeys.keys = let
- restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
+ restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + publicKey;
 in [restrictedPubKey];
 };
 };
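Review bot: The sshguard whitelist still hard-codes `"192.168.0.0/16"` although data.nix now defines `subnets.vno1.cidr = "192.168.189.0/24"`; a /16 exempts every 192.168.x.y source from blocking, including peers on any other private LAN a host happens to be attached to, since this module lives under modules/base and presumably applies to all hosts. If the LAN meant to be exempt is vno1, `["192.168.0.0/16" myData.subnets.tailscale.cidr]` → `[myData.subnets.vno1.cidr myData.subnets.tailscale.cidr]` narrows it to the named subnet and keeps the address data in one place. If other hosts sit on different 192.168 ranges (not visible from this hunk), a short comment explaining why the whole /16 is needed would stop the next reader from tightening it by mistake.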
diff --git a/modules/services/friendlyport/default.nix b/modules/services/friendlyport/default.nix
index 5803671..e54a8d3 100644
--- a/modules/services/friendlyport/default.nix
+++ b/modules/services/friendlyport/default.nix
@@ -36,8 +36,8 @@
 else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
 );
- startTCP = map(attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
- startUDP = map(attr: mkAdd "udp" attr.subnets attr.udp) ports;
+ startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
+ startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
 # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
 # How to stop the old one and start the new one?
@@ -51,8 +51,8 @@
 else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
 );
- stopTCP = map(attr: mkDel "tcp" attr.subnets attr.tcp) ports;
- stopUDP = map(attr: mkDel "udp" attr.subnets attr.udp) ports;
+ stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
+ stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
 in {
 networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
 networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);
diff --git a/modules/services/jakstpub/default.nix b/modules/services/jakstpub/default.nix
index 9a58894..471562b 100644
--- a/modules/services/jakstpub/default.nix
+++ b/modules/services/jakstpub/default.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ myData,
 ...
 }: {
 options.mj.services.jakstpub = with lib.types; {
@@ -49,7 +50,10 @@
 unitConfig.Requires = requires;
 };
- # WIP ports
- #friendlyport.vpn.ports = [ 13
+ mj.services.friendlyport.ports = [{
+ subnets = with myData.subnets; [tailscale.cidr vno1.cidr];
+ tcp = [ 139 445 ];
+ udp = [ 137 138 ];
+ }];
 };
 }
diff --git a/modules/services/node_exporter/default.nix b/modules/services/node_exporter/default.nix
index bf2f482..3703e55 100644
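Review bot: The new `mj.services.friendlyport.ports` entry in jakstpub opens `tcp = [ 139 445 ]` and `udp = [ 137 138 ]` as bare numbers with no comment, and the removed `# WIP ports` line was the only hint of what they belong to; node_exporter resolves its port through `myData.ports.exporters.node`, so either the same lookup (if `myData.ports` has an entry for this service — not visible here) or a comment such as `# SMB/CIFS (445, 139) and NetBIOS name/datagram (137/138) for the jakstpub share` would document the intent. This is also the only module in the change that allows `vno1.cidr` in addition to the tailnet, so the LAN reach is wider than the tailscale-only rules elsewhere; if that is deliberate, a one-line comment next to `vno1.cidr` saying so would save the next reviewer the question. The enclosing module body continues outside the hunk.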
--- a/modules/services/node_exporter/default.nix
+++ b/modules/services/node_exporter/default.nix
@@ -29,7 +29,7 @@
 mj.services.friendlyport.ports = [
 {
- subnets = [myData.tailscale_subnet.cidr];
+ subnets = [myData.subnets.tailscale.cidr];
 tcp = [myData.ports.exporters.node];
 }
 ];
diff --git a/modules/services/postfix/default.nix b/modules/services/postfix/default.nix
index 3eba28a..68961f5 100644
--- a/modules/services/postfix/default.nix
+++ b/modules/services/postfix/default.nix
@@ -20,7 +20,7 @@
 "127.0.0.1/8"
 "[::ffff:127.0.0.0]/104"
 "[::1]/128"
- myData.tailscale_subnet.cidr
+ myData.subnets.tailscale.cidr
 ];
 hostname = "${config.networking.hostName}.${config.networking.domain}";
 relayHost = "smtp.sendgrid.net";
diff --git a/modules/services/snmp_exporter/default.nix b/modules/services/snmp_exporter/default.nix
index 94de1cd..0ac62cd 100644
--- a/modules/services/snmp_exporter/default.nix
+++ b/modules/services/snmp_exporter/default.nix
@@ -12,7 +12,7 @@
 config = lib.mkIf config.mj.services.snmp_exporter.enable {
 mj.services.friendlyport.ports = [
 {
- subnets = [myData.tailscale_subnet.cidr];
+ subnets = [myData.subnets.tailscale.cidr];
 tcp = [config.services.prometheus.exporters.snmp.port];
 }
 ];
diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix
index 40c96e5..eb4d7bf 100644
--- a/modules/services/syncthing/default.nix
+++ b/modules/services/syncthing/default.nix
@@ -16,7 +16,7 @@ in {
 config = lib.mkIf config.mj.services.syncthing.enable {
 mj.services.friendlyport.ports = [
 {
- subnets = myData.motiejus_ips;
+ subnets = myData.subnets.motiejus.cidrs;
 tcp = [8384];
 }
 ];