From 670ff0a9f990d9b8645dec915f93015bc95c9488 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 19:10:29 +0100
Subject: [PATCH] router: also accept docker user-defined bridges (br-*)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Forgejo's runner spins up a per-workflow Docker network for every job, which lives on a br-XXXXXX bridge — not docker0. Without this rule, the in-container git clone (and anything else outbound) hits the forward chain's default-deny and times out. Match docker0 plus the br-* glob in both input and forward so any Docker network model works.

Co-Authored-By: Claude Opus 4.7
---
 services/router.nix | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/services/router.nix b/services/router.nix
index abfa20e..9f4a9bb 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -112,10 +112,12 @@ in
 # LAN is trusted
 iifname "eth0" accept
 # Docker containers reaching host services (e.g. Profilarr → Radarr
- # on 10.0.0.1:7878). The forward chain already trusts docker0 for
- # outbound; this is the matching INPUT rule for traffic landing on
- # the host's own LAN/bridge IPs from a container.
- iifname "docker0" accept
+ # on 10.0.0.1:7878). The forward chain already trusts docker bridges
+ # for outbound; this is the matching INPUT rule for traffic landing
+ # on the host's own LAN/bridge IPs from a container. The br-* glob
+ # covers user-defined networks (the Forgejo runner creates one per
+ # workflow), so it doesn't fall through to the default-deny policy.
+ iifname { "docker0", "br-*" } accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
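Review bot: The new `iifname { "docker0", "br-*" } accept` on the input chain trusts every interface whose name starts with br-, not only the bridges Docker creates, so a non-Docker bridge added later (libvirt, a hand-made br-lan) would silently inherit full access to every host service; the same applies to the forward-chain hunk below. Because the Forgejo runner's per-workflow networks carry workflow code rather than the operator's own containers, consider narrowing the br-* input rule to the host ports a workflow actually needs instead of a blanket accept, and record the scope in the comment, e.g. `# NOTE: br-* also matches non-Docker bridges; narrow this if one is ever added`. It is also worth confirming on the deployed nftables version that a wildcard string inside an anonymous set is accepted as a prefix match (older releases needed an explicit interval set), since a rejected expression fails the whole ruleset load rather than just this rule. The input chain's enclosing block continues beyond the hunk.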
@@ -131,8 +133,10 @@ in
 ct state invalid drop
 # LAN → anywhere
 iifname "eth0" accept
- # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
- iifname "docker0" accept
+ # Docker containers → anywhere (needed for image pulls, LinuxGSM
+ # bootstrap, Forgejo runner workflows, etc.). br-* matches the
+ # user-defined bridges Docker creates for custom networks.
+ iifname { "docker0", "br-*" } accept
 # WAN → any port-forward target (LAN host or docker container)
 iifname "eno1" ct status dnat accept
 }
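Review bot: The widened forward rule lets every br-* network reach anywhere, which includes the LAN behind eth0 and other Docker bridges, so a per-workflow container can open connections to arbitrary LAN hosts rather than only the outbound paths the commit message describes. If workflow jobs run code from repositories the operator does not fully control, a separate br-* rule limited to `oifname "eno1"` plus the specific internal targets the runner needs (the clone source, for one) would keep the blanket accept for docker0 while containing CI traffic. The comment could state this trade-off explicitly, e.g. `# br-* here also grants CI workflow containers reachability to the LAN`. This hunk ends at the chain's closing `}`, so the rule order within the forward chain is visible here.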