diff --git a/infra/firewall/pw-docker-fw.sh b/infra/firewall/pw-docker-fw.sh
index fd62d66..dae5da0 100644
--- a/infra/firewall/pw-docker-fw.sh
+++ b/infra/firewall/pw-docker-fw.sh
@@ -11,7 +11,7 @@ UPLINK=ens18
 # Trusted admin source IPs allowed to reach the forgejo container (host :3022
 # DNATs to 172.18.0.2:22, so the post-DNAT dport is 22). Keep in sync with the
 # nft 'trusted_admin' set in /etc/pw-firewall/pw-firewall.nft.
-TRUSTED_ADMIN="76.228.206.147"
+TRUSTED_ADMIN="76.228.206.147 24.162.76.14 207.174.124.51"
 
 # Rebuild DOCKER-USER deterministically.
 iptables -F DOCKER-USER 2>/dev/null || true
diff --git a/infra/firewall/pw-firewall.nft b/infra/firewall/pw-firewall.nft
index f7b9338..cc06772 100644
--- a/infra/firewall/pw-firewall.nft
+++ b/infra/firewall/pw-firewall.nft
@@ -20,10 +20,12 @@ table inet pw_fw {
 
     # Trusted admin source IPs allowed to reach git/forgejo (3022) and other
     # non-public admin ports. Update with: nft add element inet pw_fw trusted_admin { <ip> }
+    # 207.174.124.51 = ezstorehost — clones site repos from forgejo during
+    # static-tenant deploys (ezStorehost-infra provision-static-tenant.yml).
     set trusted_admin {
         type ipv4_addr
         flags interval
-        elements = { 76.228.206.147 }
+        elements = { 76.228.206.147, 24.162.76.14, 207.174.124.51 }
     }
 
     chain input {