@olivierlambert That worked! I now have templates available.
@planedrop and @karlisi, what I ended up doing was enabling outbound access from the Management network to two things:
- Port 53 on my pihole DNS
- A set of IP addresses on the Internet that are where XCP-ng, Fedora, Ubuntu, and others host their repositories.
So long as these resources stay secure, I can now run updates against them. No other outbound access is enabled, and inbound continues to be completely blocked.
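
Added example, not part of the post above and not the poster's configuration: a small Python model of the described default-deny egress policy, plus a check for allowlist drift when repository mirrors change addresses. Every address and hostname is constructed (RFC 1918 / RFC 5737 ranges), and the resolved-address input is assumed to come from a periodic lookup done elsewhere.

```python
import ipaddress

# Constructed values standing in for the real resolver and repository addresses.
DNS_SERVER = ipaddress.ip_address("192.168.10.53")
REPO_ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/28",   # constructed: a repository mirror range
    "203.0.113.17/32",   # constructed: a single repository host
)]

# Constructed lookup result: one mirror address has moved outside the allowlist.
SAMPLE_RESOLVED = {"repo.example.org": ["198.51.100.5", "192.0.2.80"]}


def egress_allowed(dst_ip, dst_port):
    """Default deny: only DNS to the resolver and traffic to listed repo IPs pass."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == DNS_SERVER:
        return dst_port == 53
    return any(dst in net for net in REPO_ALLOWLIST)


def allowlist_drift(resolved):
    """resolved maps hostname -> list of currently resolved IPs.

    Returns (blocked, unused):
      blocked: repository IPs that the allowlist no longer covers (updates fail)
      unused:  allowlist entries no repository resolves into any more; these are
               open egress paths to addresses that may now belong to someone else.
    """
    blocked, used = {}, set()
    for host, ips in resolved.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            hits = [net for net in REPO_ALLOWLIST if addr in net]
            used.update(hits)
            if not hits:
                blocked.setdefault(host, []).append(ip)
    unused = [str(net) for net in REPO_ALLOWLIST if net not in used]
    return blocked, unused


if __name__ == "__main__":
    print(egress_allowed("8.8.8.8", 53))        # other resolvers stay blocked
    print(allowlist_drift(SAMPLE_RESOLVED))
```

Entries reported as unused are the ones worth pruning first, since they no longer serve updates but still permit outbound traffic.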