From cf94f5b9b783ea4b557311722a1e343376b5bb6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= <moritz.jorg@oceanbox.io>
Date: Tue, 10 Feb 2026 12:05:38 +0100
Subject: [PATCH] fix(cilium+hs): Back to lb for ssh

---
 .../policies/allow-ingress-to-cluster.yaml    | 19 +++++++++++++++++++
 values/headscale/values/values.yaml           |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 values/cilium/cilium-manifests/policies/allow-ingress-to-cluster.yaml

diff --git a/values/cilium/cilium-manifests/policies/allow-ingress-to-cluster.yaml b/values/cilium/cilium-manifests/policies/allow-ingress-to-cluster.yaml
new file mode 100644
index 00000000..ddbdbfb4
--- /dev/null
+++ b/values/cilium/cilium-manifests/policies/allow-ingress-to-cluster.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ingress-to-cluster
+  namespace: default
+spec:
+  endpointSelector:
+    matchExpressions:
+      - key: reserved:ingress
+        operator: Exists
+  egress:
+    - toEntities:
+        - cluster
+  ingress:
+    - fromEntities:
+        - world
+        - cluster
+{{- end }}
diff --git a/values/headscale/values/values.yaml b/values/headscale/values/values.yaml
index e97790e4..1497c25f 100644
--- a/values/headscale/values/values.yaml
+++ b/values/headscale/values/values.yaml
@@ -302,7 +302,7 @@ configMaps:
            { "name": "slurm-agent.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
 
            { "name": "git.obx", "type": "A", "value": "10.0.1.9" },
-           { "name": "git.oceanbox.io", "type": "A", "value": "10.0.1.9" },
+           { "name": "git.oceanbox.io", "type": "A", "value": "10.0.1.3" },
 
            { "name": "kueue.dev.tos.obx", "type": "A", "value": "10.255.241.99" },