From fa3872647d0f514942f449ffd0cb4cb4aa888423 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Mon, 16 Mar 2026 03:40:35 +1100
Subject: [PATCH] containers/citrine: forward ssh
---
 containers/citrine/flake.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix
index 72ff573..4326ff7 100644
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@@ -18,6 +18,16 @@
 name = "citrine";
 subnet = "3";
 in {
+ # TODO: this is likely dandelion specific
+ networking.firewall.extraCommands = ''
+ ip6tables -t nat -A PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2
+ ip6tables -t nat -A POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003
+ '';
+ networking.firewall.extraStopCommands = ''
+ ip6tables -t nat -D PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 || true
+ ip6tables -t nat -D POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 || true
+ '';
+
 services.nginx.virtualHosts."garden.lava.moe" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
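Review bot: The POSTROUTING SNAT rule rewrites the source of every TCP/22 connection reaching `fd0d:1::${subnet}:2` to `fd0d::1:1003`, so sshd inside the container will log a single address for all clients and any per-source control there (rate limiting, `from=` key restrictions, ban lists) stops being meaningful. If the SNAT is only needed for return routing, say so in a comment next to the existing TODO and narrow the match to forwarded connections, e.g. by adding `-m conntrack --ctstate DNAT` to both the `-A` and the matching `-D` line. Separately, `extraCommands` appends with `-A` and no prior delete; if the firewall start script is ever re-run without the stop commands (a reload appears to do this, worth confirming), the rules accumulate and the single `-D` in `extraStopCommands` leaves copies of the forward behind. Running the same two `-D … || true` lines at the top of `extraCommands` keeps it idempotent. The enclosing attribute set starts and ends outside the hunk.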