diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 9fcb5f5..67dc279 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -1,22 +1,42 @@ { ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ - "d /persist/slskd/Downloads 755 slskd slskd" + "d /persist/slskd/downloads 755 slskd slskd" ]; fileSystems."/var/lib/slskd" = { device = "/persist/slskd"; fsType = "none"; options = [ "bind" ]; }; + fileSystems."/var/lib/tailscale" = { + device = "/persist/tailscale"; + fsType = "none"; + options = [ "bind" ]; + }; networking.firewall.allowedTCPPorts = [ 5030 50300 ]; networking.firewall.allowedUDPPorts = [ 5030 50300 ]; + services.tailscale = { + enable = true; + authKeyFile = "/binds/tailscale_auth"; + openFirewall = true; + # interfaceName = "userspace-networking"; + # extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + extraSetFlags = [ "--exit-node=100.67.1.1" ]; + useRoutingFeatures = "client"; + }; + services.slskd = { enable = true; domain = null; environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; + # soulseek.connection.proxy = { + # enabled = true; + # address = "localhost"; + # port = "1055"; + # }; }; }; } diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 33fcdb1..5b9d4d1 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix 
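Review bot: Now that the container is itself a tailnet node, the context line `networking.firewall.allowedTCPPorts = [ 5030 50300 ];` also opens the slskd web UI on the new tailscale0 interface, so any tailnet peer can reach port 5030 directly instead of through the host's TLS vhost; unless tailnet ACLs already restrict this, scope 5030 to the host-facing side, e.g. `networking.firewall.interfaces.eth0.allowedTCPPorts = [ 5030 ];` (eth0 is the usual veth name inside a privateNetwork container — confirm), leaving 50300 global for the Soulseek listener. The tmpfiles change from `Downloads` to `downloads` only creates the new directory; anything already under `/persist/slskd/Downloads` stays where it is, and slskd's own download path, which lives in the env file and is not visible here, has to agree with the new name. The commented-out `soulseek.connection.proxy` block and the two commented tailscale flags are dead configuration; either drop them or add a one-line comment such as `# SOCKS proxy path abandoned in favour of --exit-node; kept for reference` so the next reader knows they are not a half-finished migration.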
@@ -16,18 +16,27 @@ host4 = subnet4 1; client4 = subnet4 2; + clientTun = "100.67.2.101"; + modules = [ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ host ]; + networking.nameservers = [ "8.8.8.8" ]; } ]; in { nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; }; - nixosModule = { config, ... }: { + nixosModule = { config, ... }: let + hostfqdn = "${config.networking.hostName}.lava.moe"; + altfqdn = "fluorite.${hostfqdn}"; + # TODO: HACK + listenAddr = if (config.networking.hostName == "alyssum") + then [ "100.67.2.1" ] + else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + in { networking.nat = { enable = true; enableIPv6 = true; @@ -38,8 +47,16 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:5030"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + locations."/".proxyPass = "http://${clientTun}:5030"; + listenAddresses = listenAddr; + }; + + security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; }; + services.nginx.virtualHosts."${altfqdn}" = { + useACMEHost = hostfqdn; + forceSSL = true; + locations."/".proxyPass = "http://${clientTun}:5030"; + listenAddresses = listenAddr; }; systemd.tmpfiles.rules = [ @@ -49,6 +66,7 @@ containers.${name} = { autoStart = true; privateNetwork = true; + enableTun = true; hostAddress = host4; localAddress = client4; hostAddress6 = host; @@ -82,6 +100,11 @@ mountPoint = "/binds/slskd_env"; isReadOnly = true; }; + bindMounts."tailscale_auth" = { + hostPath = config.age.secrets.tailscale_auth.path; + mountPoint = "/binds/tailscale_auth"; + isReadOnly = true; + }; # flake = "path:" + ./.; }; }; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 3eb7289..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix 
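Review bot: `networking.nameservers = [ "8.8.8.8" ];` moves the container's DNS from the host resolver to a public one, and because the container now routes through the `--exit-node` set in configuration.nix, those plaintext lookups leave the tailnet at the exit node rather than at this host — a change in where name resolution is visible that deserves a comment. If MagicDNS is enabled on the tailnet, tailscaled rewrites the container's resolv.conf by default (`--accept-dns` is on), so this static setting may be overridden at runtime; either rely on that explicitly or add `--accept-dns=false` to `extraSetFlags` in configuration.nix so the two do not fight. The `# TODO: HACK` hostname switch for `listenAddr` hard-codes tailnet addresses that also appear in configuration.nix and modules/system/tailscale.nix; a host-side option (for example `me.fluorite.listenAddresses`, name constructed, alongside the existing `me.environment`) would keep them in one place. The `let` block these bindings belong to starts before this hunk.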
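Review bot: `hostPath = config.age.secrets.tailscale_auth.path;` enrolls the container with the same auth key that secrets.nix already shares with alyssum, anemone, blossom, dandelion and rin; if that key is reusable, which sharing it across six nodes implies, a compromise of the container (its `/binds/tailscale_auth` mount or its persisted `/var/lib/tailscale` state) yields a credential that can enroll further nodes and cannot be revoked without re-keying every host. Give the container its own key, ideally tagged and pre-authorised so tailnet ACLs can confine it to the exit node and the slskd ports, e.g. `hostPath = config.age.secrets.fluorite_tailscale_auth.path;` (secret name constructed; it needs its own entries in secrets.nix and in the host's `age.secrets`). `isReadOnly = true` is the right choice for the mount. The enclosing `containers.${name}` attribute set starts before this hunk.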
@@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + slskd_env.file = ../../secrets/slskd_env.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; @@ -24,8 +25,10 @@ tailscale modules.services.nginx + modules.services.soulbeet modules.services.syncthing + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 33b6eec..540008d 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -32,7 +32,6 @@ inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule inputs.c-emerald.nixosModule - inputs.c-fluorite.nixosModule ./filesystem.nix ./kernel.nix diff --git a/modules/default.nix b/modules/default.nix index 6775c55..c52cde3 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -22,6 +22,7 @@ in { ./services/nginx.nix ./services/postgres.nix ./services/sonarr.nix + ./services/soulbeet.nix ./services/synapse.nix ./services/syncthing.nix ./services/tmptsync.nix diff --git a/modules/services/soulbeet.nix b/modules/services/soulbeet.nix new file mode 100644 index 0000000..57b7cc0 --- /dev/null +++ b/modules/services/soulbeet.nix 
@@ -0,0 +1,32 @@ +{ ... }: +let + dir_data = "/persist/services/soulbeet/data"; + dir_downloads = "/persist/containers/fluorite/slskd/downloads"; + dir_music = "/persist/media/music"; +in { + systemd.tmpfiles.rules = [ + "d ${dir_data} 700 root root" + "d ${dir_downloads} 755 root users" + "d ${dir_music} 075 nobody users" + ]; + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers = { + container-name = { + image = "docker.io/docccccc/soulbeet:latest"; + autoStart = true; + ports = [ "9765:9765" ]; + environment = { + DATABASE_URL = "sqlite:/data/soulbeet.db"; + DOWNLOAD_PATH = "/downloads"; + SECRET_KEY = "change-me-in-production"; + NAVIDROME_URL = "http://navidrome:4533"; + BEETS_CONFIG = "/config/config.yaml"; + }; + volumes = [ + "${dir_data}:/data" + "${dir_downloads}:/downloads" + "${dir_music}:/music" + ]; + }; + }; +} diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5e3e044..fe0e8bb 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -4,6 +4,19 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; + networking.nat = lib.mkIf (config.networking.hostName == "dandelion") { + enable = true; + externalInterface = "enp0s6"; + internalInterfaces = [ "tailscale0" ]; + forwardPorts = [ + { + sourcePort = 50300; + proto = "tcp"; + destination = "100.67.2.101:50300"; + } + ]; + }; + networking.firewall.allowedTCPPorts = [ 50300 ]; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; diff --git a/secrets.nix b/secrets.nix index d2dbc82..0c9c9b2 100644 --- a/secrets.nix +++ b/secrets.nix 
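Review bot: `SECRET_KEY = "change-me-in-production";` places a placeholder application secret in the world-readable Nix store and in the repository, and the surrounding settings still read as scaffold (`container-name` as the container's name, an unpinned `:latest` image, `BEETS_CONFIG = "/config/config.yaml"` with no `/config` volume mounted). Move the secret into an agenix env file via `environmentFiles`, as containers/fluorite/configuration.nix already does for slskd, and pin the image by digest so a retagged upstream image cannot silently change what alyssum runs. `ports = [ "9765:9765" ];` publishes on all interfaces and, with the docker backend, docker's own NAT rules bypass the NixOS firewall; if the UI is meant to be reached through nginx or the tailnet, bind it to loopback or a specific address. The tmpfiles mode `075` on `${dir_music}` gives the owner no permissions at all and is re-applied to the existing music directory on every boot — presumably `0775` was intended. Note also that this host-side rule sets `${dir_downloads}` to `root users` while configuration.nix's rule for the container's `/persist/slskd/downloads` sets `slskd slskd`; if those are the same directory through the container's bind mount (not visible here), whichever rule runs last wins and slskd may lose write access to its own download directory.
```nix
{ config, ... }:
# … unchanged: let bindings …
    "d ${dir_music} 0775 nobody users"   # was 075: owner had no permissions
# … unchanged: backend …
    soulbeet = {
      # Pinned by digest (placeholder); a mutable tag lets upstream change the running image
      image = "docker.io/docccccc/soulbeet@sha256:<PINNED_DIGEST>";
      autoStart = true;
      ports = [ "127.0.0.1:9765:9765" ];
      environment = {
        DATABASE_URL = "sqlite:/data/soulbeet.db";
        DOWNLOAD_PATH = "/downloads";
        NAVIDROME_URL = "http://navidrome:4533";
        BEETS_CONFIG = "/config/config.yaml";
      };
      # SECRET_KEY and any other credentials come from an agenix-managed env file
      # (secret name constructed; needs a matching age.secrets entry on the host)
      environmentFiles = [ config.age.secrets.soulbeet_env.path ];
      # … unchanged: volumes (add a /config mount if BEETS_CONFIG is kept) …
    };
```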
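Review bot: `networking.firewall.allowedTCPPorts = [ 50300 ];` is unconditional, so every host that imports this shared module now accepts TCP 50300 on all of its interfaces, while the forward it serves exists only under the `hostName == "dandelion"` guard; gate it the same way, `networking.firewall.allowedTCPPorts = lib.mkIf (config.networking.hostName == "dandelion") [ 50300 ];`, or better move both the NAT block and the port into hosts/dandelion, where the interface name `enp0s6` belongs. `destination = "100.67.2.101:50300";` duplicates the `clientTun` address defined in containers/fluorite/flake.nix, so a change of the container's tailnet address would silently break the forward; a short comment naming that origin, `# fluorite container's tailnet address (clientTun in containers/fluorite/flake.nix)`, is the minimum. If hosts/dandelion already sets `networking.nat` for its other containers (not visible here), the second definition of `externalInterface` will conflict at evaluation time. The enclosing module attribute set starts before this hunk.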
@@ -12,7 +12,7 @@ in { "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; - "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; + "secrets/slskd_env.age".publicKeys = [ alyssum anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; "secrets/wg_anemone.age".publicKeys = [ anemone rin ]; diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index eded5d0..4e7e23f 100644 Binary files a/secrets/slskd_env.age and b/secrets/slskd_env.age differ