From 20b5d96686a2c29a40b8890b1c38b64894c4f8d3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:07:01 +1000 Subject: [PATCH] containers/fluorite: socks5 via tailscale --- containers/fluorite/configuration.nix | 16 +++++++++++++++- containers/fluorite/flake.nix | 7 ++++++- hosts/alyssum/default.nix | 1 + hosts/dandelion/default.nix | 1 - modules/system/tailscale.nix | 11 +++++++++++ secrets/slskd_env.age | Bin 765 -> 849 bytes 6 files changed, 33 insertions(+), 3 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 9fcb5f5..002c2f0 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -1,16 +1,30 @@ { ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ - "d /persist/slskd/Downloads 755 slskd slskd" + "d /persist/slskd/downloads 755 slskd slskd" ]; fileSystems."/var/lib/slskd" = { device = "/persist/slskd"; fsType = "none"; options = [ "bind" ]; }; + fileSystems."/var/lib/tailscale" = { + device = "/persist/tailscale"; + fsType = "none"; + options = [ "bind" ]; + }; networking.firewall.allowedTCPPorts = [ 5030 50300 ]; networking.firewall.allowedUDPPorts = [ 5030 50300 ]; + services.tailscale = { + enable = true; + authKeyFile = "/binds/tailscale_auth"; + openFirewall = true; + interfaceName = "userspace-networking"; + extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + extraUpFlags = [ "--exit-node=dandelion" ]; + }; + services.slskd = { enable = true; domain = null; diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 746c702..25e43f6 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -20,7 +20,7 @@ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ host ]; + networking.nameservers = [ 8.8.8.8 ]; } ]; in { 
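Review bot: In `containers/fluorite/configuration.nix`, the new `services.tailscale` block sets `interfaceName = "userspace-networking"`, so `--exit-node=dandelion` only carries connections that a client deliberately sends through the SOCKS5 listener on `localhost:1055`; all other traffic from the container still leaves by its normal route. Nothing visible in this hunk points slskd at that proxy (the `services.slskd` block continues outside the hunk, and the setting may live in the encrypted `slskd_env`), so it is worth confirming and recording the dependency next to the flag, e.g. `# userspace mode: only clients using socks5://localhost:1055 egress via the exit node`. The firewall lines kept as context still allow TCP and UDP 5030 and 50300 directly, which is worth re-checking if the intent is for peer traffic to arrive only over the tailnet.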
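Review bot: In the first `containers/fluorite/flake.nix` hunk, `networking.nameservers = [ 8.8.8.8 ];` has no quotes, so Nix will not read the address as a string; the option takes a list of address strings and the line should be `networking.nameservers = [ "8.8.8.8" ];`. Separately, replacing `host` with a public resolver means the container's lookups go straight out rather than through the host resolver, and in userspace-networking mode they will not pass through the exit node either. If that is intended, a short comment saying so would help the next reader.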
@@ -97,6 +97,11 @@ mountPoint = "/binds/slskd_env"; isReadOnly = true; }; + bindMounts."tailscale_auth" = { + hostPath = config.age.secrets.tailscale_auth.path; + mountPoint = "/binds/tailscale_auth"; + isReadOnly = true; + }; # flake = "path:" + ./.; }; }; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 8af107d..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -28,6 +28,7 @@ modules.services.soulbeet modules.services.syncthing + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 33b6eec..540008d 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -32,7 +32,6 @@ inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule inputs.c-emerald.nixosModule - inputs.c-fluorite.nixosModule ./filesystem.nix ./kernel.nix diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5e3e044..4e16aac 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -4,6 +4,17 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; + networking.nat = { + enable = true; + internalInterfaces = [ "tailscaled0" ]; + forwardPorts = [ + { + sourcePort = 50300; + proto = "tcp"; + destination = "100.67.2.101:50300"; + } + ]; + }; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; 
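Review bot: The `tailscale_auth` bind mount in the second `containers/fluorite/flake.nix` hunk gives the container `config.age.secrets.tailscale_auth.path`, which appears to be the same secret that `modules/system/tailscale.nix` uses for the host's own `authKeyFile`. If that key is reusable, anything that compromises this container, which exposes slskd ports to peers, also obtains a credential able to enrol further nodes with the host's level of tailnet access. A separate, tagged key for the container, e.g. `hostPath = config.age.secrets.<container-auth-key>.path;` (placeholder name), would let the tailnet policy restrict it to the exit node and the forwarded port. The enclosing container definition starts outside the hunk.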
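Review bot: `internalInterfaces = [ "tailscaled0" ];` in the `modules/system/tailscale.nix` hunk does not match the `"tailscale0"` interface named in `trustedInterfaces` just above it, which looks like a typo; if so it should read `internalInterfaces = [ "tailscale0" ];`, otherwise the NAT rules match no interface. The block also sits in a shared system module, so every host that imports it would enable NAT and forward TCP 50300 to the hard-coded `100.67.2.101`, presumably the container's tailnet address. Wrapping it in a `lib.mkIf` condition, as the NTP port line already does, so it applies only on the host that should forward, would keep the exposure narrow. A comment such as `# fluorite container, tailnet address` beside the destination would record what the address is.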
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 287ef9b7bf3926a3064436a41d6f2174aa7c3d17..f5bc05ea67ec338add401fa62d642f5dbfe090cd 100644 GIT binary patch delta 779 zcmey%dXa5{PQ7VqqQ9w^pTE07c%{2#QchW_QBp}&NqI(*S#X%MYm#}eagj+>kz+=l zFPBGhQdydRlBr3hL2kZRdTDq@fKf$7fw#URORXHxD+0KQgp#^E-m5!!?1(9Ky=D}_zCW&4i`eo+9xxucJ;~B;4U9x;Ua;i+C zic)e)k_wzdOPwPEeR9$YytB>H{lk;etCEwP1HFUIOdKt^LW526d<>GST$9qxwF_Jl zJ)A9yLws|cqs-mH-ApWV!?FVmBhyO4^<6BubaizVQVorb9JPZ@1G7_&5{(m`&0RBG zlPwJj{M=mA+|%6M^$jiSEz6@yvO=p&xKz*H_4M5q6XaUlA?dne(W;5NtrzUil@%Ah zuG^%G zGJWpxXya1tLf z$GFVx;rc~e-%76LX8*FeByn-E-?1s)v*RL!BTr1Lc&Humf3CBq;g^e-COq51lb;g1 zzgs}lyvteZT&}(sXX;fx7Yn_jdogDxe5+cYJ=G^XA!%cUsIrbh*$IQ+yZ*B%*Tp<| Z_&dAxwdkW#o__)vRyn0h1X!sJp*WU}iyXv5!YsmVsBUxo3H4s(Dmcg^PYrps7=oQKgT; z#E;_PCKW!p-oaUk0eR-d$&q=M1wN@ImQMMV1|c~~dBqlm9#!7Oo<(6%Rql>l5pI!z zQI^@RAr&f#w9xs_QN29epGCRr)2;hFi9;~B;4t0D`tEUK~! zjY5Jl^^4OYgWW3%!b*(tg7Zz>EewNwy%I}Y4YEwV6J1@oyn?;;Lqe0?(=9535+g%Q zjPlJ&JhB3_$}2K0-E+e%^i%zfGg92#$_hQXbaizV%!0j~(h42J-TXWPO*|ti%#2Mf z6GHi_)`7gG*BD1JjHA-K$d4x$d56*(q19Z?`-W&+#)^>vkNR z%k3OGb?Rv;xg%m4*5}&}gyu_r@79 zPHg$zpV@UR>AQ-QY1^zku`jN5Ejyb%AADTZ8at_MwPfs9m3dEfGNQ|xdsa8pJ~yy% o5S?xR{eqakob$DEC9fwh#V6go>b$>