From 54717cccade12c3787dbd12be9a933df14a74c77 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sun, 1 Mar 2026 14:50:55 +0000
Subject: [PATCH] fix: allow current CI runner IP through firewall before Ansible

---
 .gitea/workflows/deploy.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index b43fd6c..b2daf0c 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -186,6 +186,23 @@ jobs:
 mkdir -p ../outputs terraform output -json > ../outputs/terraform_outputs.json + - name: Detect runner egress IP + run: | + RUNNER_IP=$(curl -fsSL https://api.ipify.org) + echo "RUNNER_CIDR=[\"${RUNNER_IP}/32\"]" >> "$GITHUB_ENV" + echo "Runner egress IP: ${RUNNER_IP}" + - name: Open SSH/API for current runner CIDR + working-directory: terraform + run: | + terraform apply \ -target=hcloud_firewall.cluster \ -var="ssh_public_key=$HOME/.ssh/id_ed25519.pub" \ -var="ssh_private_key=$HOME/.ssh/id_ed25519" \ -var="allowed_ssh_ips=${RUNNER_CIDR}" \ -var="allowed_api_ips=${RUNNER_CIDR}" \ -auto-approve + - name: Install Python Dependencies + run: | + apt-get update && apt-get install -y python3-pip
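Review bot: The body returned by api.ipify.org is written unchecked into `RUNNER_CIDR` and from there into the `allowed_ssh_ips`/`allowed_api_ips` firewall rules, so in the "Detect runner egress IP" step an empty or non-IPv4 response (`curl -f` catches HTTP errors but never looks at the body) reaches the Terraform variable, where the failure mode is at best a confusing apply error rather than a clear check; add a shape check before the `echo` into `$GITHUB_ENV`, e.g. `[[ "$RUNNER_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "unexpected egress IP response: '${RUNNER_IP}'" >&2; exit 1; }`. The targeted apply in "Open SSH/API for current runner CIDR" also persists the runner's /32 in Terraform state as the allow list: if those variables replace rather than extend the configured list, operator addresses are dropped from the firewall until the next full apply, and nothing in this hunk removes the runner address once Ansible is done — a closing step with `if: always()` that re-applies the original allow lists would limit the opening to the job's lifetime. A /32 on a runner behind a shared NAT admits every tenant using that egress, which deserves a comment next to the `curl` line, e.g. `# NOTE: the /32 covers every host sharing this runner's egress NAT`. The "Install Python Dependencies" step and the rest of the job continue beyond the hunk, so whether a later step already reverts the firewall change cannot be confirmed from here.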