From c7194ca147c17127e0fca402a24388781db068b2 Mon Sep 17 00:00:00 2001
From: sjat <sjat@ziethen.dk>
Date: Thu, 18 Jun 2026 16:35:15 +0200
Subject: [PATCH] feat(integration): allow SSH from the NAT gateway in the
 askari overlay

base's default-deny firewall would drop the driver's post-reboot SSH from the libvirt NAT gateway; set base__firewall_control_addr to the gateway (by source IP, interface-independent).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 tests/integration/overrides/askari.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/integration/overrides/askari.yml b/tests/integration/overrides/askari.yml
index a4baf23..c0d08b3 100644
--- a/tests/integration/overrides/askari.yml
+++ b/tests/integration/overrides/askari.yml
@@ -6,3 +6,7 @@ base__firewall_apply: true
 base__ssh_listen_mesh_only: false
 # The VM is isolated; it must never touch the real mesh.
 base__mesh_enabled: false
+# Allow SSH from the VM's libvirt-NAT gateway (where the driver/ansible connects from),
+# so base's default-deny firewall + the reboot don't lock out the harness. By source IP,
+# so it's interface-independent. Overrides askari's real control addr for the test only.
+base__firewall_control_addr: "192.168.150.1"