firewall: allow ezstorehost (207.174.124.51) to reach Forgejo SSH

Add ezstorehost to trusted_admin in both layers — the nft input set and
the DOCKER-USER iptables chain (Forgejo is containerised; DNAT means the
post-DNAT dport 22 rule applies). Required for static-tenant deploys from
ezStorehost-infra to clone repos over ssh://.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

infra/firewall/pw-docker-fw.sh

@@ -11,7 +11,7 @@ UPLINK=ens18
 # Trusted admin source IPs allowed to reach the forgejo container (host :3022
 # DNATs to 172.18.0.2:22, so the post-DNAT dport is 22). Keep in sync with the
 # nft 'trusted_admin' set in /etc/pw-firewall/pw-firewall.nft.
-TRUSTED_ADMIN="76.228.206.147"
+TRUSTED_ADMIN="76.228.206.147 24.162.76.14 207.174.124.51"
 
 # Rebuild DOCKER-USER deterministically.
 iptables -F DOCKER-USER 2>/dev/null || true

infra/firewall/pw-firewall.nft

@@ -20,10 +20,12 @@ table inet pw_fw {
 
     # Trusted admin source IPs allowed to reach git/forgejo (3022) and other
     # non-public admin ports. Update with: nft add element inet pw_fw trusted_admin { <ip> }
+    # 207.174.124.51 = ezstorehost — clones site repos from forgejo during
+    # static-tenant deploys (ezStorehost-infra provision-static-tenant.yml).
     set trusted_admin {
         type ipv4_addr
         flags interval
-        elements = { 76.228.206.147 }
+        elements = { 76.228.206.147, 24.162.76.14, 207.174.124.51 }
     }
 
     chain input {