From 1800e0e4e3be6e5f9e6696ec66dc980f19abb04e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Fri, 29 May 2026 09:56:37 +0000
Subject: [PATCH] add nftables rules for quay

---
 cookbooks/quay/Makefile | 2 +-
 cookbooks/quay/other/nftables/50-quay.nft | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100755 cookbooks/quay/other/nftables/50-quay.nft

diff --git a/cookbooks/quay/Makefile b/cookbooks/quay/Makefile
index 5850e0c..8ac602c 100644
--- a/cookbooks/quay/Makefile
+++ b/cookbooks/quay/Makefile
@@ -6,7 +6,7 @@
 PROJECT_UID = 10026
 PROJECT_GID = 10000
 
-DEPENDENCIES = postgresql lego
+DEPENDENCIES = postgresql lego nftables
 
 # Include common Makefile
 include ../../scripts/common.mk
diff --git a/cookbooks/quay/other/nftables/50-quay.nft b/cookbooks/quay/other/nftables/50-quay.nft
new file mode 100755
index 0000000..60b09f3
--- /dev/null
+++ b/cookbooks/quay/other/nftables/50-quay.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# Lego listens on port 80 and Quay on port 8443
+add rule inet itix-fw input tcp dport { 80, 8443 } counter accept
+
+# Redirect port 443 to 8443 (Quay)
+add rule inet itix-nat prerouting tcp dport 443 counter redirect to 8443
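Review bot: The `input` accept on `tcp dport { 80, 8443 }` exposes Quay's raw 8443 port to every source, while the redirect in the last line only needs 8443 to be accepted for packets that prerouting has already rewritten from 443. If direct 8443 access is not intended, split the rule and tie the 8443 accept to redirected connections: `add rule inet itix-fw input tcp dport 80 counter accept` and `add rule inet itix-fw input tcp dport 8443 ct status dnat counter accept`. Both lines also use plain `add rule`, so re-applying the file without a prior flush of `itix-fw`/`itix-nat` appends duplicate rules, and if the nftables cookbook ends those chains with a terminal drop, rules appended after it are never reached; whether that cookbook flushes and loads drop-ins in `50-` order is not visible in this patch. The redirect comment should state the reason and the filter consequence, e.g. `# Quay runs unprivileged (PROJECT_UID 10026) and cannot bind 443; the redirect runs in prerouting, so the filter chain must accept 8443, not 443`.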