roof 714fb9b1a9
fix: make cross-cell peer-sync push actually reach the remote cell's API
The offer/permission push between linked cells never worked end-to-end. Two
fixes complete the transport (the push already targets the remote over the WG
tunnel; fix #3 earlier pointed it at HTTPS):

1. The slim WireGuard image (where the push originates — the only namespace with
   routes to remote-cell VPN subnets) had no TLS-capable HTTP client (busybox
   wget lacks TLS, no curl). Add curl + ca-certificates (~5MB).

2. The receiving cell's cell-link firewall allowed the linked subnet to reach
   cell-api:3000 — a dead path (the API binds 127.0.0.1 only; nothing DNATs
   :3000). Move the peer-sync ACCEPT to Caddy:443, which the WG server already
   DNATs (wg0:443 → Caddy → cell-api) and whose replies the existing
   `-o eth0 MASQUERADE` routes back through the tunnel. Source auth (cell VPN
   subnet via X-Forwarded-For) is preserved; the API stays 127.0.0.1-only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-16 10:01:56 -04:00