From ff5f166855b8af525ca3d0ce8c981d11899bfa21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 10 Mar 2026 00:05:27 +0100
Subject: [PATCH] actions-runner: trust podman interfaces in firewall

Allow containers to reach the runner's cache service by trusting podman network interfaces. Uses "podman+" wildcard to match any podman-prefixed interface regardless of name.
Co-Authored-By: Claude Opus 4.6
---
 services/actions-runner/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/services/actions-runner/default.nix b/services/actions-runner/default.nix
index 5730cb2..af4da66 100644
--- a/services/actions-runner/default.nix
+++ b/services/actions-runner/default.nix
@@ -1,5 +1,9 @@
 { config, pkgs, ... }:
 {
+ # Trust podman interfaces so containers can reach the runner's cache service.
+ # "podman+" is a wildcard matching any interface starting with "podman".
+ networking.firewall.trustedInterfaces = [ "podman+" ];
+
 virtualisation.podman = {
 enable = true;
 dockerCompat = true;
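Review bot: `networking.firewall.trustedInterfaces = [ "podman+" ]` accepts every inbound packet arriving on any podman interface, so job containers can reach all ports the runner host listens on, not only the cache service the comment names. If the cache is the only thing containers need, scope the rule to its port instead, e.g. `networking.firewall.interfaces."podman+".allowedTCPPorts = [ <cache-port> ];` (placeholder; the port is not visible in this hunk). The trailing `+` is iptables wildcard syntax, so it is worth confirming this host does not use the nftables firewall backend, where the name would presumably be matched literally and the rule would silently not apply. The module's attribute set continues past the end of the hunk.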