diff --git a/inventory/group_vars/openqa_tap_workers b/inventory/group_vars/openqa_tap_workers
index da19fe33c0..ce47cd9e0b 100644
--- a/inventory/group_vars/openqa_tap_workers
+++ b/inventory/group_vars/openqa_tap_workers
@@ -5,12 +5,9 @@ openqa_tap: true
 host_group: openqa-tap-workers
 # firewall rules to allow openQA openvswitch guests to communicate
-# eth0 for older x86_64 worker hosts, eth2 for ppc64 worker host,
-# em3 for newer x86_64 worker hosts
+# uses interface definition from host vars
 custom_rules: [
 '-A FORWARD -i br0 -j ACCEPT',
- '-A FORWARD -m state -i eth0 -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
- '-A FORWARD -m state -i eth2 -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
- '-A FORWARD -m state -i em3 -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
+ '-A FORWARD -m state -i {{ openqa_tap_iface }} -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
 '-A INPUT -i br0 -j ACCEPT'
 ]
diff --git a/inventory/host_vars/openqa-aarch64-01.arm.fedoraproject.org b/inventory/host_vars/openqa-aarch64-01.arm.fedoraproject.org
index febefdd86d..5ca295a4e5 100644
--- a/inventory/host_vars/openqa-aarch64-01.arm.fedoraproject.org
+++ b/inventory/host_vars/openqa-aarch64-01.arm.fedoraproject.org
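Review bot: The templated FORWARD rule in `custom_rules` (inventory/group_vars/openqa_tap_workers) has no fallback: `openqa_tap_iface` is defined only in individual host_vars files, so any member of `openqa_tap_workers` without it (none is visible in this diff, but group membership can also come from files not shown here) would presumably hit an undefined-variable error when the firewall rules are rendered. I would spell the requirement out in the comment above the list, e.g. `# every host in this group must set openqa_tap_iface in its host_vars`. Restricting the RELATED,ESTABLISHED forward rule to the one interface a host actually uses is tighter than the previous three-interface list, so the direction of the change is good.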
@@ -17,11 +17,13 @@ sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
 # openQA tap worker hosts (like this one) do stuff with ifcfg that base
 # doesn't understand. terrible, terrible stuff. seriously - it doesn't
 # handle the openvswitch config well. so let's tell it to just configure
-# the regular interfaces (which on this system is eth0-eth3) for us,
-# disabling all but the one we want to use (eth2), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['eth3']
-ansible_ifcfg_disabled: ['eth0', 'eth1', 'eth2']
+# the regular interfaces (which on this system is eth0-eth2) for us,
+# disabling all but the one we want to use (eth0), and leave everything
+# else alone. We use a variable definition here so the firewall config
+# (in the openqa_tap_workers group_vars) can reuse it.
+openqa_tap_iface: eth0
+ansible_ifcfg_whitelist: [{{ openqa_tap_iface }}, 'eth1', 'eth2']
+ansible_ifcfg_disabled: ['eth1', 'eth2']
 # this is a powerful machine, can handle more openQA workers
 openqa_workers: 8
diff --git a/inventory/host_vars/openqa-aarch64-02.arm.fedoraproject.org b/inventory/host_vars/openqa-aarch64-02.arm.fedoraproject.org
index 10f1dfbb22..f83e4f17e6 100644
--- a/inventory/host_vars/openqa-aarch64-02.arm.fedoraproject.org
+++ b/inventory/host_vars/openqa-aarch64-02.arm.fedoraproject.org
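Review bot: The unquoted `{{ openqa_tap_iface }}` inside the flow list on the new `ansible_ifcfg_whitelist` line (host_vars for openqa-aarch64-01) is read by the YAML parser as a nested flow mapping before Jinja ever sees it, so this file will most likely fail to load with Ansible's "missing quotes" error. Quote the expression: `ansible_ifcfg_whitelist: ['{{ openqa_tap_iface }}', 'eth1', 'eth2']`. The same unquoted form is added in the openqa-ppc64le-02, qa01 and qa02 hunks and needs the same fix. Because the group-level firewall rule now reads `openqa_tap_iface` from these files, a load failure here would presumably also break rendering of the tap workers' iptables rules.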
@@ -14,15 +14,6 @@ nrpe_procs_crit: 300
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
-# openQA tap worker hosts (like this one) do stuff with ifcfg that base
-# doesn't understand. terrible, terrible stuff. seriously - it doesn't
-# handle the openvswitch config well. so let's tell it to just configure
-# the regular interfaces (which on this system is eth0-eth3) for us,
-# disabling all but the one we want to use (eth2), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['eth3']
-ansible_ifcfg_disabled: ['eth0', 'eth1', 'eth2']
-
 # this is a powerful machine, can handle more openQA workers
 openqa_workers: 8
 # firewall ports for server->worker websockets connections
diff --git a/inventory/host_vars/openqa-aarch64-03.arm.fedoraproject.org b/inventory/host_vars/openqa-aarch64-03.arm.fedoraproject.org
index cfb598d645..f2d6e06d11 100644
--- a/inventory/host_vars/openqa-aarch64-03.arm.fedoraproject.org
+++ b/inventory/host_vars/openqa-aarch64-03.arm.fedoraproject.org
@@ -14,15 +14,6 @@ nrpe_procs_crit: 300
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
-# openQA tap worker hosts (like this one) do stuff with ifcfg that base
-# doesn't understand. terrible, terrible stuff. seriously - it doesn't
-# handle the openvswitch config well. so let's tell it to just configure
-# the regular interfaces (which on this system is eth0-eth3) for us,
-# disabling all but the one we want to use (eth2), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['eth3']
-ansible_ifcfg_disabled: ['eth0', 'eth1', 'eth2']
-
 # this is a powerful machine, can handle more openQA workers
 openqa_workers: 8
 # firewall ports for server->worker websockets connections
diff --git a/inventory/host_vars/openqa-aarch64-04.arm.fedoraproject.org b/inventory/host_vars/openqa-aarch64-04.arm.fedoraproject.org
index df49f004e9..925fb8ecad 100644
--- a/inventory/host_vars/openqa-aarch64-04.arm.fedoraproject.org
+++ b/inventory/host_vars/openqa-aarch64-04.arm.fedoraproject.org
@@ -12,15 +12,6 @@ nrpe_procs_crit: 300
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
-# openQA tap worker hosts (like this one) do stuff with ifcfg that base
-# doesn't understand. terrible, terrible stuff. seriously - it doesn't
-# handle the openvswitch config well. so let's tell it to just configure
-# the regular interfaces (which on this system is eth0-eth3) for us,
-# disabling all but the one we want to use (eth2), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['eth0', 'eth1', 'eth2', 'eth3']
-ansible_ifcfg_disabled: ['eth2', 'eth1', 'eth3']
-
 # this is a powerful machine, can handle more openQA workers
 openqa_workers: 8
 # firewall ports for server->worker websockets connections
diff --git a/inventory/host_vars/openqa-ppc64le-02.qa.fedoraproject.org b/inventory/host_vars/openqa-ppc64le-02.qa.fedoraproject.org
index e8b1246582..e82a93a8e3 100644
--- a/inventory/host_vars/openqa-ppc64le-02.qa.fedoraproject.org
+++ b/inventory/host_vars/openqa-ppc64le-02.qa.fedoraproject.org
@@ -18,8 +18,10 @@ sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
 # handle the openvswitch config well. so let's tell it to just configure
 # the regular interfaces (which on this system is eth0-eth3) for us,
 # disabling all but the one we want to use (eth2), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['eth0', 'eth1', 'eth2', 'eth3']
+# else alone. We use a variable definition here so the firewall config
+# (in the openqa_tap_workers group_vars) can reuse it.
+openqa_tap_iface: eth2
+ansible_ifcfg_whitelist: ['eth0', 'eth1', {{ openqa_tap_iface }}, 'eth3']
 ansible_ifcfg_disabled: ['eth0', 'eth1', 'eth3']
 # this is a powerful machine, can handle more openQA workers
diff --git a/inventory/host_vars/qa01.qa.fedoraproject.org b/inventory/host_vars/qa01.qa.fedoraproject.org
index a2c145adf4..e65678b87d 100644
--- a/inventory/host_vars/qa01.qa.fedoraproject.org
+++ b/inventory/host_vars/qa01.qa.fedoraproject.org
@@ -17,8 +17,10 @@ gw: 10.5.124.254
 # handle the openvswitch config well. so let's tell it to just configure
 # the regular interfaces (which on this system is em1-4) for us,
 # disabling all but the one we want to use (em3), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['em1', 'em2', 'em3', 'em4']
+# else alone. We use a variable definition here so the firewall config
+# (in the openqa_tap_workers group_vars) can reuse it.
+openqa_tap_iface: em3
+ansible_ifcfg_whitelist: ['em1', 'em2', {{ openqa_tap_iface }}, 'em4']
 ansible_ifcfg_disabled: ['em1', 'em2', 'em4']
 # Has a hardware RNG
diff --git a/inventory/host_vars/qa02.qa.fedoraproject.org b/inventory/host_vars/qa02.qa.fedoraproject.org
index 68b8a1da04..c30b4c07e4 100644
--- a/inventory/host_vars/qa02.qa.fedoraproject.org
+++ b/inventory/host_vars/qa02.qa.fedoraproject.org
@@ -17,8 +17,10 @@ gw: 10.5.124.254
 # handle the openvswitch config well. so let's tell it to just configure
 # the regular interfaces (which on this system is em1-4) for us,
 # disabling all but the one we want to use (em3), and leave everything
-# else alone.
-ansible_ifcfg_whitelist: ['em1', 'em2', 'em3', 'em4']
+# else alone. We use a variable definition here so the firewall config
+# (in the openqa_tap_workers group_vars) can reuse it.
+openqa_tap_iface: em3
+ansible_ifcfg_whitelist: ['em1', 'em2', {{ openqa_tap_iface }}, 'em4']
 ansible_ifcfg_disabled: ['em1', 'em2', 'em4']
 # Has a hardware RNG
diff --git a/inventory/inventory b/inventory/inventory
index 440bb78dce..25b29ee4bf 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -519,21 +519,19 @@ openqa-aarch64-01.arm.fedoraproject.org
 openqa-aarch64-02.arm.fedoraproject.org
 openqa-aarch64-03.arm.fedoraproject.org
-
-
 # the workers that can run networked jobs. each server should have *one* of these per arch
 [openqa_tap_workers]
 qa01.qa.fedoraproject.org
 qa02.qa.fedoraproject.org
 openqa-ppc64le-02.qa.fedoraproject.org
-aarch64-c26n1-oqa.arm.fedoraproject.org
+openqa-aarch64-01.arm.fedoraproject.org
 # the workers that need rw access to the factory share to run createhdds. again,
 # only one per arch per instance should be present. usually x86_64 images are created
 # on the server, images for other arches on a worker.
 [openqa_hdds_workers]
 openqa-ppc64le-02.qa.fedoraproject.org
-aarch64-c26n1-oqa.arm.fedoraproject.org
+openqa-aarch64-01.arm.fedoraproject.org
 qa01.qa.fedoraproject.org
 qa02.qa.fedoraproject.org