raise if incoming ports are used multiple times

seed/forgejo/templates/app.ini

@@ -188,13 +188,13 @@ SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
 ;; Port number to be exposed in clone URL
 ;SSH_PORT = 22
 ;>GNUNUX
-SSH_PORT         = 2222
+SSH_PORT         = %%incoming_ports
 ;<GNUNUX
 ;;
 ;; The port number the builtin SSH server should listen on
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;>GNUNUX
-SSH_LISTEN_PORT  = 2222
+SSH_LISTEN_PORT  = %%incoming_ports
 ;<GNUNUX
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.

seed/forgejo/templates/forgejo.yml

@@ -8,4 +8,4 @@ auth_server: %%oauth2_server_domainname
 username: %%username
 password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 forgejo_title: "%%forgejo_title"
-git_url: "[%%domain]:2222"
+git_url: "[%%domain]:%%incoming_ports"

seed/host-systemd-machined/templates/risottofirewall.service

@@ -1,3 +1,11 @@
+%def %%get_protocol_port(%%port)
+  %if ':' in %%port
+    %set %%protocol, %%port = %%port.split(':')
+  %else
+    %set %%protocol = 'tcp'
+  %end if
+  %return %%protocol, %%port
+%end def
 [Unit]
 Description=Firewall for Risotto
 After=network.target
@@ -6,22 +14,27 @@ After=network.target
 Type=oneshot
 RemainAfterExit=yes
 %set %%has_rules = False
+%set %%incoming_ports = {'tcp': {}, 'udp': {}}
 %for %%dns in %%machined.machines
   %set %%machine = %%normalize_family(%%dns)
   %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
   %if %%outgoing
     %set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
     %for %%port in %%outgoing
-      %if ':' in %%port
+       %set %%protocol, %%port = %%get_protocol_port(%%port)
-  %set %%protocol, %%port = %%port.split(':')
-      %else
-  %set %%protocol = 'tcp'
-      %end if
 ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
 ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
        %set %%has_rules = False
     %end for
   %end if
+  %set %%incoming = %%machined['machine_' + %%machine]['incoming_ports_' + %%machine]
+  %for %%port in %%incoming
+     %set %%protocol, %%port = %%get_protocol_port(%%port)
+     %if %%port in %%incoming_ports[%%protocol]
+       %raise Exception('the port "' + %%port + '" cannot be deployed for multiple machines: "' + %%dns + '" and "' + %%incoming_ports[%%protocol][%%port] + '"')
+     %end if
+     %set %%incoming_ports[%%protocol][%%port] = %%dns
+  %end for
 %end for
 %if not %%has_rules
 ExecStart=/usr/bin/echo "No rule"