diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
index efb0871..8f4bd8f 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
@@ -5,6 +5,17 @@
 - distribution
 - virtualization_type
+- name: get supervisor IP address
+ ansible.builtin.shell: "echo $SSH_CLIENT | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1"
+ register: ssh_client
+ changed_when: false
+ failed_when: ssh_client.stdout is falsy
+
+- name: set fact
+ ansible.builtin.set_fact:
+ supervisor_ip: "{{ ssh_client.stdout }}"
+ changed_when: false
+
 - name: install and configure nftables
 when: security.firewall.enable is truthy
 become: true
@@ -33,9 +44,6 @@
 src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
 dest: /etc/nftables.conf
 mode: '0700'
- vars:
- controller_ip: "{{ lookup('pipe', '/bin/dig +short A $(/usr/bin/hostname -f)') }}"
- controller_ip6: "{{ lookup('pipe', '/bin/dig +short AAAA $(/usr/bin/hostname -f)') }}"
 - name: common firewall rules
 ansible.builtin.template:
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
index 3062e50..56dc07b 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
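Review bot: `supervisor_ip` in the "get supervisor IP address" task is whatever peer opened the SSH session, so when the controller reaches the host through a jump host the address that ends up allow-listed in nftables is the bastion's, and when the connection is not SSH (`ansible_connection: local`, or a play-level `become` with sudo's `env_reset` scrubbing the environment) `$SSH_CLIENT` is empty and the play stops on `failed_when`; the task should document which of these it intends to support. The shell pipeline is avoidable: the first field can be read in Jinja from the gathered environment, e.g. `supervisor_ip: "{{ ansible_facts['env']['SSH_CLIENT'].split() | first }}"` (adding `env` to the gather_subset list if the `distribution`/`virtualization_type` entries above are one), which removes the `ansible.builtin.shell` call and its missing `set -o pipefail`. Whatever the source, the value is interpolated unquoted into `/etc/nftables.conf`, so validate its shape before the set_fact, e.g. `failed_when: ssh_client.stdout is not match('^[0-9a-fA-F.:]+$')`, rather than only checking it is non-empty. `changed_when: false` on the `set_fact` task is a no-op and can be dropped. The "install and configure nftables" block that follows continues outside the hunk.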
@@ -2,8 +2,8 @@ flush ruleset
-define ansible_controller_ip = {{ controller_ip | default('127.0.0.1', true) }}
-define ansible_controller_ip6 = {{ controller_ip6 | default('fe80::', true) }}
+define ansible_controller_ip = {{ supervisor_ip | default('127.0.0.1', true) }}
+define ansible_controller_ip6 = {{ supervisor_ipp6 | default('fe80::', true) }}
 define dns_server = {{ dns_server | default('9.9.9.9', true) }}
 define dns_server6 = {{ dns_server | default('2620:fe::fe', true) }}
 define private_nets = {
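Review bot: `supervisor_ipp6` on the `ansible_controller_ip6` line is a typo and is set nowhere — the commit defines only `supervisor_ip` and removes `controller_ip6` without a replacement — so `default('fe80::', true)` makes the v6 define silently render as `fe80::` on every host instead of failing the template. Either set a `supervisor_ip6` fact next to `supervisor_ip` and reference it as `{{ supervisor_ip6 | default('fe80::', true) }}`, or drop the define together with the rules that use it. Note also that `supervisor_ip` carries whichever address family the SSH session used, so a controller connecting over IPv6 puts a v6 literal into the v4 define (and vice versa) and `nft -f` will reject the ruleset; splitting the fact by family before rendering (for example with the `ansible.utils.ipv4` / `ansible.utils.ipv6` filters where that collection is available) avoids that. The template continues past this hunk.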