From c8a0824143c4a7a2f48cd0ca61897ea4343af01d Mon Sep 17 00:00:00 2001
From: justin
Date: Wed, 10 Jun 2026 22:45:43 -0500
Subject: [PATCH] firewall: allow ezstorehost (207.174.124.51) to reach Forgejo SSH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add ezstorehost to trusted_admin in both layers — the nft input set and the DOCKER-USER iptables chain (Forgejo is containerised; DNAT means the post-DNAT dport 22 rule applies). Required for static-tenant deploys from ezStorehost-infra to clone repos over ssh://.

Co-Authored-By: Claude Fable 5
---
 infra/firewall/pw-docker-fw.sh | 2 +-
 infra/firewall/pw-firewall.nft | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/infra/firewall/pw-docker-fw.sh b/infra/firewall/pw-docker-fw.sh
index fd62d66..dae5da0 100644
--- a/infra/firewall/pw-docker-fw.sh
+++ b/infra/firewall/pw-docker-fw.sh
@@ -11,7 +11,7 @@ UPLINK=ens18
 # Trusted admin source IPs allowed to reach the forgejo container (host :3022
 # DNATs to 172.18.0.2:22, so the post-DNAT dport is 22). Keep in sync with the
 # nft 'trusted_admin' set in /etc/pw-firewall/pw-firewall.nft.
-TRUSTED_ADMIN="76.228.206.147"
+TRUSTED_ADMIN="76.228.206.147 24.162.76.14 207.174.124.51"
 
 # Rebuild DOCKER-USER deterministically.
 iptables -F DOCKER-USER 2>/dev/null || true
diff --git a/infra/firewall/pw-firewall.nft b/infra/firewall/pw-firewall.nft
index f7b9338..cc06772 100644
--- a/infra/firewall/pw-firewall.nft
+++ b/infra/firewall/pw-firewall.nft
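Review bot: The new `TRUSTED_ADMIN` value on the `+` line adds 24.162.76.14 as well as 207.174.124.51, but the commit title and message account only for ezstorehost, and the comment block above the assignment gives no owner for the second address, so the allow-list gains an entry nobody can audit later. Suggest one comment line per entry directly above the assignment, mirroring what the nft hunk does for ezstorehost: `# 76.228.206.147 = <owner - TODO>`, `# 24.162.76.14 = <owner - TODO>`, `# 207.174.124.51 = ezstorehost (static-tenant deploys from ezStorehost-infra)`. The code that consumes `TRUSTED_ADMIN` (presumably a loop over the space-separated value that inserts ACCEPT rules into DOCKER-USER) is outside the hunk, so word-splitting of the new multi-address value cannot be confirmed here. The same undocumented 24.162.76.14 entry appears in the pw-firewall.nft hunk.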
@@ -20,10 +20,12 @@ table inet pw_fw {
 
 # Trusted admin source IPs allowed to reach git/forgejo (3022) and other
 # non-public admin ports. Update with: nft add element inet pw_fw trusted_admin { }
+ # 207.174.124.51 = ezstorehost — clones site repos from forgejo during
+ # static-tenant deploys (ezStorehost-infra provision-static-tenant.yml).
 set trusted_admin {
 type ipv4_addr
 flags interval
- elements = { 76.228.206.147 }
+ elements = { 76.228.206.147, 24.162.76.14, 207.174.124.51 }
 }
 
 chain input {
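Review bot: Adding ezstorehost to `trusted_admin` grants it more than the commit needs: the existing comment states this set also opens "other non-public admin ports", while the stated requirement is only SSH clones from Forgejo on 3022. If the `chain input` rules (outside this hunk) reference `trusted_admin` for those other ports, a deploy host that is compromised or repurposed gets admin-port reachability it never required; a narrower `set git_clients { type ipv4_addr; elements = { 207.174.124.51 } }` matched only by the 3022 rule would keep the deploy path on least privilege, or at minimum the added comment should record that the broader access is intentional. The `+ elements` line also introduces 24.162.76.14, which the new comment lines do not mention; extend the comment with `# 24.162.76.14 = <owner - TODO>` so every entry in the set has a recorded owner.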