@@ -154,6 +154,68 @@ Ensure the following requirements are met:
154154 appliances.
155155
156156
157+ .. _ssh-service-reqs :
158+
159+ SSH service requirements
160+ ========================
161+
162+ A running SSH service is not strictly required by NS8 unless a
163+ :ref: `subscription <subscription-section >` is active. In this case,
164+ ``sshd `` must be listening on the standard TCP port 22 to correctly
165+ integrate with the remote support service.
166+
167+ If you want to change the public SSH port, configure a port redirect
168+ without altering the ``sshd `` listening port configuration. See
169+ :ref: `ssh-redirection ` for instructions.
170+
171+ .. _external-services :
172+
173+ External network connectivity
174+ =============================
175+
176+ A NethServer 8 (NS8) node requires outbound network connectivity to a
177+ number of external services to operate correctly. These services are used
178+ for system updates, application distribution, cluster operations,
179+ subscription management, backup, support, and TLS certificate issuance.
180+
181+ Unless otherwise stated, connections are outbound only and use HTTPS
182+ over TCP port 443.
183+
184+ .. csv-table :: External services and endpoints required by NS8
185+ :header: "Purpose", "Host name", "Port", "Protocol", "Notes"
186+
187+ "Name resolution", "<DNS address>", "53", "UDP/TCP", "Public or private DNS address"
188+ "Cluster VPN and node communication", "<leader node address>", "55820", "TCP", "Inter-node VPN and cluster traffic"
189+ "Cluster-admin leader API", "<leader node address>", "443", "HTTPS", "Join a new worker to the cluster"
190+ "OS and NS8 repositories mirror resolution", "mirrorlist.nethserver.org", "80", "HTTP", "Used to resolve Rocky Linux and NS8 mirrors"
191+ "Rocky Linux DNF repositories", "u4.nethesis.it, u5.nethesis.it", "443", "HTTPS", "Rocky Linux BaseOS and AppStream updates"
192+ "TLS certificate issuance", "acme-v02.api.letsencrypt.org", "443", "HTTPS", "Let's Encrypt ACME v2 endpoint"
193+ "NS8 core and updates repository", "distfeed.nethserver.org", "443", "HTTPS", "Core updates and patches"
194+ "Community application repository", "forge.nethserver.org", "443", "HTTPS", "Optional community modules"
195+ "Container image registry", "ghcr.io", "443", "HTTPS", "Official NS8 application and container images"
196+ "Container image registry", "docker.io", "443", "HTTPS", "Third-party container images"
197+ "Container image registry", "quay.io", "443", "HTTPS", "Third-party container images"
198+ "Cluster phone-home service", "phonehome.nethserver.org", "443", "HTTPS", "Cluster registration and metadata"
199+
200+ .. csv-table :: Endpoints used by cluster leader node with an active Subscription
201+ :header: "Purpose", "Host name", "Port", "Protocol", "Notes"
202+
203+ "Subscription validation and feeds", "subscription.nethserver.com", "443", "HTTPS", "Core updates and patches for Subscription"
204+ "Subscription portal", "my.nethserver.com", "443", "HTTPS", "System and subscription management"
205+ "Subscription portal for resellers", "my.nethesis.it", "443", "HTTPS", "Inventory, heartbeat, entitlement checks"
206+ "Support VPN peer", "sos.nethesis.it", "1194", "UDP", "Remote support VPN (optional)"
207+ "Support VPN peer", "sos.nethesis.it", "443", "TCP", "Remote support VPN (optional)"
208+ "Cloud backup service", "backupd.nethesis.it", "443", "HTTPS", "Off-site backup and restore for cluster configuration"
209+
210+ Notes
211+
212+ * All listed connections are initiated by the NS8 node.
213+ * Blocking access to these services can prevent updates, application
214+ installation, backups, cluster formation, or subscription validation.
215+ * Additional outbound connections may be required by specific
216+ applications, depending on their configuration and upstream services.
217+
218+
157219Web browser requirements
158220========================
159221
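Review bot: The new "SSH service requirements" section says ``sshd`` must listen on TCP port 22 to integrate with the remote support service, but it never states from which network that port has to be reachable, and the Notes list below says "All listed connections are initiated by the NS8 node". A firewall administrator reading both cannot tell whether port 22 must be open to the Internet or is only reached through the support VPN peer listed in the Subscription table (sos.nethesis.it on 1194/UDP or 443/TCP). Please add one sentence to the SSH section naming the expected source of the SSH connection, so that nobody opens port 22 publicly without needing to. The same gap applies to the two "<leader node address>" rows (55820 and 443): they are outbound for a worker but inbound for the leader, so the table or the Notes should say that the leader must accept those connections from the other nodes. Finally, the sentence "Unless otherwise stated, connections are outbound only and use HTTPS over TCP port 443" sits above a table whose mirrorlist.nethserver.org row uses plain HTTP on port 80; a short remark in that row's Notes column marking it as the exception would help readers who write egress rules from the paragraph alone.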