From 3e02001544c0a9fade7e5172a407f8892b0b3386 Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Wed, 29 Apr 2026 08:48:45 -0400
Subject: [PATCH] Open postgres port for import role in DOCKER-USER firewall

When so-postgres was wired in (868cd1187), the import role's firewall
defaults were missed while every other manager-class role (manager,
managerhype, managersearch, standalone, eval) had postgres added to
their DOCKER-USER manager-hostgroup portgroups. As a result, on a
fresh import install the so-postgres container starts but tcp/5432 is
dropped at DOCKER-USER, so soc/kratos/telegraf can't reach it.

Add postgres alongside the existing influxdb entry so import nodes
match the other roles.
---
 salt/firewall/defaults.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index e9c82401d..9d0af3d0d 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1482,6 +1482,7 @@ firewall:
                 - kibana
                 - redis
                 - influxdb
+                - postgres
                 - elasticsearch_rest
                 - elasticsearch_node
                 - elastic_agent_control