diff --git a/hosts/by-name/servo/services/export/sftpgo/default.nix b/hosts/by-name/servo/services/export/sftpgo/default.nix
index f7375008..89818bdd 100644
--- a/hosts/by-name/servo/services/export/sftpgo/default.nix
+++ b/hosts/by-name/servo/services/export/sftpgo/default.nix
@@ -13,13 +13,15 @@ let
 pname = "external_auth_hook";
 srcRoot = ./.;
 };
-in
-{
 # Client initiates a FTP "control connection" on port 21.
 # - this handles the client -> server commands, and the server -> client status, but not the actual data
 # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
 # - 50000-50100 is a common port range for this.
 # 50000 is used by soulseek.
+ passiveStart = 50050;
+ passiveEnd = 50070;
+in
+{
 sane.ports.ports = {
 "21" = {
 protocol = [ "tcp" ];
@@ -43,7 +45,7 @@ in
 description = "colin-FTP server data port range";
 };
 })
- (lib.range 50050 50100)
+ (lib.range passiveStart passiveEnd)
 );
 # use nginx/acme to produce a cert for FTPS
@@ -114,8 +116,8 @@ in
 disable_active_mode = true;
 hash_support = true;
 passive_port_range = {
- start = 50050;
- end = 50100;
+ start = passiveStart;
+ end = passiveEnd;
 };
 certificate_file = "/var/lib/acme/ftp.uninsane.org/full.pem";
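Review bot: In the first hunk (`@@ -13,13 +13,15 @@`) the retained comment still cites 50000-50100 and now sits directly above `passiveStart`/`passiveEnd`, so nothing states which ports are actually exposed or that these two bindings feed both the `sane.ports.ports` entries and sftpgo's `passive_port_range`. I would add `# passive data ports (lib.range is inclusive on both ends); the firewall entries and sftpgo's passive_port_range are both derived from these two values.` just above the bindings. `lib.range` also returns an empty list when the first bound exceeds the last, so a typo here would silently open no data ports while sftpgo still receives the bad range; an `assert passiveStart <= passiveEnd;` between `in` and `{` would turn that into an evaluation error. The `let` block begins outside the hunk.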