diff --git a/ansible/files/hetzner_server_nftables.conf.j2 b/ansible/files/hetzner_server_nftables.conf.j2
index 19e50b1ad..191d08d77 100644
--- a/ansible/files/hetzner_server_nftables.conf.j2
+++ b/ansible/files/hetzner_server_nftables.conf.j2
@@ -53,6 +53,9 @@ table ip nat {
 }
 chain POSTROUTING {
 type nat hook postrouting priority 100;
+
+ ip saddr 192.168.122.0/24 ip daddr 192.168.122.0/24 oifname virbr0 counter masquerade comment "hairpin NAT for ingress"
+
 oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
 oifname $INF_WAN counter masquerade comment "masquerade outgoing traffic"
 }
diff --git a/offline/docs_ubuntu_22.04.md b/offline/docs_ubuntu_22.04.md
index 68dbfd303..dbdcf16c3 100644
--- a/offline/docs_ubuntu_22.04.md
+++ b/offline/docs_ubuntu_22.04.md
@@ -837,6 +837,12 @@ Set your domain name with sed:
 sed -i "s/example.com/YOURDOMAINHERE/" values/nginx-ingress-services/values.yaml
 ```
 
+TODO: newer cert-manager release no longer installs CRDs with `installCRDs=true`, `crds.enabled=true` is the new standard, but that one is also failing during install. Install CRDs manually with:
+
+```
+d kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
+```
+
 Install `cert-manager` into a new namespace `cert-manager-ns`.
 ```
 d kubectl create namespace cert-manager-ns
diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml
index 8a47a055d..d1d7942de 100644
--- a/values/wire-server/demo-secrets.example.yaml
+++ b/values/wire-server/demo-secrets.example.yaml
@@ -6,6 +6,7 @@ elasticsearch-index:
 password: changeme
 brig:
 secrets:
+ pgPassword: verysecurepassword
 smtpPassword: dummyPassword
 zAuth:
 # generate zauth public/private keys with the 'zauth' executable from wire-server:
diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml
index 284032d0c..0dd134fcf 100644
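Review bot: In the POSTROUTING hunk of hetzner_server_nftables.conf.j2, the new hairpin rule masquerades every packet whose source and destination are both in 192.168.122.0/24 and that leaves on virbr0, not only connections that were DNATed to the ingress. If bridged VM-to-VM traffic passes through this hook on the host (this can happen when br_netfilter is loaded, which is not visible here), backends would see the bridge address instead of the real peer, which weakens source-based logging and access rules. Restricting the match to translated connections keeps the effect to the hairpin case: `ip saddr 192.168.122.0/24 ip daddr 192.168.122.0/24 oifname virbr0 ct status dnat counter masquerade comment "hairpin NAT for ingress"`. The subnet is also hard-coded while the WAN interface uses the `$INF_WAN` variable; the PREROUTING rules this rule pairs with are outside the hunk.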
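Review bot: The added `pgPassword: verysecurepassword` in demo-secrets.example.yaml has no comment saying where the real value comes from, and unlike `changeme` or `dummyPassword` next to it the placeholder reads like an actual credential, so it is easy to deploy unchanged. prod-secrets.example.yaml already carries a comment pointing at the `wire-postgresql-external-secret` Kubernetes Secret; a similar line above the new key would help, e.g. `# placeholder: replace with the password from the wire-postgresql-external-secret Kubernetes Secret`. The `brig.secrets` block continues outside the hunk.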
--- a/values/wire-server/prod-secrets.example.yaml
+++ b/values/wire-server/prod-secrets.example.yaml
@@ -3,7 +3,6 @@ brig:
 secrets:
 #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d"
 pgPassword: verysecurepassword
-
 smtpPassword: dummyPassword
 zAuth:
 # generate zauth public/private keys with the 'zauth' executable from wire-server: