From c36a3f09dee81bded5256c546c64cc270c09f485 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:02:43 +1000 Subject: [PATCH 01/20] services/soulbeet: init and add to alyssum --- containers/fluorite/flake.nix | 8 ++++++++ hosts/alyssum/default.nix | 2 ++ modules/default.nix | 1 + modules/services/soulbeet.nix | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 43 insertions(+) create mode 100644 modules/services/soulbeet.nix diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 33fcdb1..8c87fac 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -6,6 +6,7 @@ let name = "fluorite"; fqdn = "fluorite.lava.moe"; + altfqdn = hostname: "fluorite.${hostname}.lava.moe"; subnetId = "6"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; @@ -42,6 +43,13 @@ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; }; + services.nginx.virtualHosts."${altfqdn config.networking.hostname}" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".proxyPass = "http://[${client}]:5030"; + listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + }; + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" "d /persist/media/music 075 nobody users" diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 3eb7289..2deecfb 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -24,8 +24,10 @@ tailscale modules.services.nginx + modules.services.soulbeet modules.services.syncthing + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/modules/default.nix b/modules/default.nix index 6775c55..c52cde3 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -22,6 +22,7 @@ in { ./services/nginx.nix ./services/postgres.nix ./services/sonarr.nix + ./services/soulbeet.nix ./services/synapse.nix ./services/syncthing.nix ./services/tmptsync.nix diff --git a/modules/services/soulbeet.nix b/modules/services/soulbeet.nix new file mode 100644 index 0000000..57b7cc0 --- /dev/null +++ b/modules/services/soulbeet.nix @@ -0,0 +1,32 @@ +{ ... }: +let + dir_data = "/persist/services/soulbeet/data"; + dir_downloads = "/persist/containers/fluorite/slskd/downloads"; + dir_music = "/persist/media/music"; +in { + systemd.tmpfiles.rules = [ + "d ${dir_data} 700 root root" + "d ${dir_downloads} 755 root users" + "d ${dir_music} 075 nobody users" + ]; + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers = { + container-name = { + image = "docker.io/docccccc/soulbeet:latest"; + autoStart = true; + ports = [ "9765:9765" ]; + environment = { + DATABASE_URL = "sqlite:/data/soulbeet.db"; + DOWNLOAD_PATH = "/downloads"; + SECRET_KEY = "change-me-in-production"; + NAVIDROME_URL = "http://navidrome:4533"; + BEETS_CONFIG = "/config/config.yaml"; + }; + volumes = [ + "${dir_data}:/data" + "${dir_downloads}:/downloads" + "${dir_music}:/music" + ]; + }; + }; +} From 4e19a6378b807c25a0335e46ab982c92aededdae Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:04:02 +1000 Subject: [PATCH 02/20] containers/fluorite: hostname -> hostName --- containers/fluorite/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 8c87fac..c5a1391 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -43,7 +43,7 @@ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; }; - services.nginx.virtualHosts."${altfqdn config.networking.hostname}" = { + services.nginx.virtualHosts."${altfqdn config.networking.hostName}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; From 0d89b2a64f09c679618a070a7e83000860d3c480 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:07:25 +1000 Subject: [PATCH 03/20] hosts/alyssum: add slskd_env --- hosts/alyssum/default.nix | 1 + secrets.nix | 2 +- secrets/slskd_env.age | 18 ++++++++++-------- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 2deecfb..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + slskd_env.file = ../../secrets/slskd_env.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; diff --git a/secrets.nix b/secrets.nix index d2dbc82..0c9c9b2 100644 --- a/secrets.nix +++ b/secrets.nix @@ -12,7 +12,7 @@ in { "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; - "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; + "secrets/slskd_env.age".publicKeys = [ alyssum anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; "secrets/wg_anemone.age".publicKeys = [ anemone rin ]; diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index eded5d0..287ef9b 100644 --- a/secrets/slskd_env.age +++ b/secrets/slskd_env.age @@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ohyStA 3Do7MsCBX9ZgP6pIekvkRisFgF74jq2cKxrjUi2NlhM -EdfLIUk40isfNBY4CKA0JjHc2RaCM/LJmvQJuue+aYs --> ssh-ed25519 bRFqeQ XcjdLy6CEELgdN133BkgTG0cUffU6N9nsapB3c9Swyc -+ILEkir7XMK/xLNrTs2R+pBoucIN7fVEBRZSZwBo7Fs --> ssh-ed25519 U9FXlg bqpdUcMN/bk7WlIruWmhj0hpFL/CliDHto/P/KaMdxk -z6wKPbT1OAW7sDjeziwdqs6mf9Rk37xsU9pw4wYMOF4 ---- wNvTtQPOTxetOpazjBXo4fR3wPL7CVQq4R30gOj/qQw -&P+Sy=}~1C^.?zLHR`akER(4R!*l!A~@VG<2-K8HPu2jS#WДl>@a . MƞHg[$Wˌ["%N, rGNmf9Fk&~OWZ70t?eOfAz,hq/Z&Fy5ɾBQw/"JS섘5f}%BPĮ,rF`NmnCÎrJaf i?0pzaV[yjX4B>R,tyOIW!(n#ܒj>589d0 mi% t CR˄^IrM")֙S&.)lzӨq:rbrE@JǺsMd?Sk \ No newline at end of file +-> ssh-ed25519 kOMSPw 4dkSpYLuqrGWDAO3YAjmbQyAunL0yDH+rgbIxp4KOFM ++48t/iYYa22ytIMXlH9/SgKHHVSmMaO0KlDealyvYs4 +-> ssh-ed25519 ohyStA tUx1MDlXIU/fV0lS8NGiGUCM5f8iupew0IEUSP8Ys0g +Fp8bxpyUGO2QipmsLHVj0Jm7Iwue7ZVxD/RQ5BZ2yL0 +-> ssh-ed25519 bRFqeQ 4xLmKSjaPn7scYn9pLet9Boy0Tlbns8qHzKsIrVZzGA +XFYQZ9kETCPG4S0fwy+I7ZBjCWFgmyjh0YkI4jdEWio +-> ssh-ed25519 U9FXlg zYqj8zjq2TRi/sfYSGxpVt2nSo4G81SMJatE0j5KaEE +JSK/TUcGg8xRaYT42o6tHjQjwxi9GmV8/eO3hdFFvqI +--- 6SJBfqAWFNHQ4IXx6359aUP1mTturgjuSteQgrOGzdg +̄w/>kU*Rd@oX*Y=Eg?̤\Ƭij#pYrU|| j CU(;φT/W;GlOK+-t~'w?8Wde2$>-aЧ?u`&_OBQ-T?^2ib$5nE~I]v]$,h[v}08@?OCw"JCvs**Z \ No newline at end of file From 042a04cbfc33a20569cff7dbdfd808eb7d28d642 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:15:49 +1000 Subject: [PATCH 04/20] containers/fluorite: fixup multiple hosts --- containers/fluorite/flake.nix | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index c5a1391..4a447f9 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -6,7 +6,6 @@ let name = "fluorite"; fqdn = "fluorite.lava.moe"; - altfqdn = hostname: "fluorite.${hostname}.lava.moe"; subnetId = "6"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; @@ -28,7 +27,13 @@ nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; }; - nixosModule = { config, ... }: { + nixosModule = { config, ... }: let + altfqdn = "fluorite.${config.networking.hostName}.lava.moe"; + # TODO: HACK + listenAddr = if (config.networking.hostName == "alyssum") + then [ "100.67.2.1" ] + else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + in { networking.nat = { enable = true; enableIPv6 = true; @@ -40,14 +45,14 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + listenAddresses = listenAddr; }; - services.nginx.virtualHosts."${altfqdn config.networking.hostName}" = { + services.nginx.virtualHosts."${altfqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + listenAddresses = listenAddr; }; systemd.tmpfiles.rules = [ From f1defd435aa85e77a985348c9e50afe36038df63 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:22:18 +1000 Subject: [PATCH 05/20] containers/fluorite: configure ssl cert correctly --- containers/fluorite/flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 4a447f9..746c702 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -28,7 +28,8 @@ inherit modules; }; nixosModule = { config, ... }: let - altfqdn = "fluorite.${config.networking.hostName}.lava.moe"; + hostfqdn = "${config.networking.hostName}.lava.moe"; + altfqdn = "fluorite.${hostfqdn}"; # TODO: HACK listenAddr = if (config.networking.hostName == "alyssum") then [ "100.67.2.1" ] @@ -48,8 +49,9 @@ listenAddresses = listenAddr; }; + security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; }; services.nginx.virtualHosts."${altfqdn}" = { - useACMEHost = "lava.moe"; + useACMEHost = hostfqdn; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; listenAddresses = listenAddr; From 4b19491ec7612dbdb28dc19366e998d46adbf4b4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:41:32 +1000 Subject: [PATCH 06/20] hosts/alyssum: remove fluorite --- hosts/alyssum/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 9db08f5..8af107d 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -28,7 +28,6 @@ modules.services.soulbeet modules.services.syncthing - inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix From 20b5d96686a2c29a40b8890b1c38b64894c4f8d3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:07:01 +1000 Subject: [PATCH 07/20] containers/fluorite: socks5 via tailscale --- containers/fluorite/configuration.nix | 16 +++++++++++++++- containers/fluorite/flake.nix | 7 ++++++- hosts/alyssum/default.nix | 1 + hosts/dandelion/default.nix | 1 - modules/system/tailscale.nix | 11 +++++++++++ secrets/slskd_env.age | Bin 765 -> 849 bytes 6 files changed, 33 insertions(+), 3 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 9fcb5f5..002c2f0 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -1,16 +1,30 @@ { ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ - "d /persist/slskd/Downloads 755 slskd slskd" + "d /persist/slskd/downloads 755 slskd slskd" ]; fileSystems."/var/lib/slskd" = { device = "/persist/slskd"; fsType = "none"; options = [ "bind" ]; }; + fileSystems."/var/lib/tailscale" = { + device = "/persist/tailscale"; + fsType = "none"; + options = [ "bind" ]; + }; networking.firewall.allowedTCPPorts = [ 5030 50300 ]; networking.firewall.allowedUDPPorts = [ 5030 50300 ]; + services.tailscale = { + enable = true; + authKeyFile = "/binds/tailscale_auth"; + openFirewall = true; + interfaceName = "userspace-networking"; + extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + extraUpFlags = [ "--exit-node=dandelion" ]; + }; + services.slskd = { enable = true; domain = null; diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 746c702..25e43f6 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -20,7 +20,7 @@ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ host ]; + networking.nameservers = [ 8.8.8.8 ]; } ]; in { @@ -97,6 +97,11 @@ mountPoint = "/binds/slskd_env"; isReadOnly = true; }; + bindMounts."tailscale_auth" = { + hostPath = config.age.secrets.tailscale_auth.path; + mountPoint = "/binds/tailscale_auth"; + isReadOnly = true; + }; # flake = "path:" + ./.; }; }; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 8af107d..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -28,6 +28,7 @@ modules.services.soulbeet modules.services.syncthing + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 33b6eec..540008d 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -32,7 +32,6 @@ inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule inputs.c-emerald.nixosModule - inputs.c-fluorite.nixosModule ./filesystem.nix ./kernel.nix diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5e3e044..4e16aac 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -4,6 +4,17 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; + networking.nat = { + enable = true; + internalInterfaces = [ "tailscaled0" ]; + forwardPorts = [ + { + sourcePort = 50300; + proto = "tcp"; + destination = "100.67.2.101:50300"; + } + ]; + }; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 287ef9b7bf3926a3064436a41d6f2174aa7c3d17..f5bc05ea67ec338add401fa62d642f5dbfe090cd 100644 GIT binary patch delta 779 zcmey%dXa5{PQ7VqqQ9w^pTE07c%{2#QchW_QBp}&NqI(*S#X%MYm#}eagj+>kz+=l zFPBGhQdydRlBr3hL2kZRdTDq@fKf$7fw#URORXHxD+0KQgp#^E-m5!!?1(9Ky=D}_zCW&4i`eo+9xxucJ;~B;4U9x;Ua;i+C zic)e)k_wzdOPwPEeR9$YytB>H{lk;etCEwP1HFUIOdKt^LW526d<>GST$9qxwF_Jl zJ)A9yLws|cqs-mH-ApWV!?FVmBhyO4^<6BubaizVQVorb9JPZ@1G7_&5{(m`&0RBG zlPwJj{M=mA+|%6M^$jiSEz6@yvO=p&xKz*H_4M5q6XaUlA?dne(W;5NtrzUil@%Ah zuG^%G zGJWpxXya1tLf z$GFVx;rc~e-%76LX8*FeByn-E-?1s)v*RL!BTr1Lc&Humf3CBq;g^e-COq51lb;g1 zzgs}lyvteZT&}(sXX;fx7Yn_jdogDxe5+cYJ=G^XA!%cUsIrbh*$IQ+yZ*B%*Tp<| Z_&dAxwdkW#o__)vRyn0h1X!sJp*WU}iyXv5!YsmVsBUxo3H4s(Dmcg^PYrps7=oQKgT; z#E;_PCKW!p-oaUk0eR-d$&q=M1wN@ImQMMV1|c~~dBqlm9#!7Oo<(6%Rql>l5pI!z zQI^@RAr&f#w9xs_QN29epGCRr)2;hFi9;~B;4t0D`tEUK~! zjY5Jl^^4OYgWW3%!b*(tg7Zz>EewNwy%I}Y4YEwV6J1@oyn?;;Lqe0?(=9535+g%Q zjPlJ&JhB3_$}2K0-E+e%^i%zfGg92#$_hQXbaizV%!0j~(h42J-TXWPO*|ti%#2Mf z6GHi_)`7gG*BD1JjHA-K$d4x$d56*(q19Z?`-W&+#)^>vkNR z%k3OGb?Rv;xg%m4*5}&}gyu_r@79 zPHg$zpV@UR>AQ-QY1^zku`jN5Ejyb%AADTZ8at_MwPfs9m3dEfGNQ|xdsa8pJ~yy% o5S?xR{eqakob$DEC9fwh#V6go>b$> Date: Wed, 17 Jun 2026 00:10:23 +1000 Subject: [PATCH 08/20] system/tailscale: only nat for dandelion --- modules/system/tailscale.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 4e16aac..79cbba9 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -4,8 +4,9 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; - networking.nat = { + networking.nat = lib.mkIf (config.networking.hostName == "dandelion") { enable = true; + externalInterface = "enp0s6"; internalInterfaces = [ "tailscaled0" ]; forwardPorts = [ { From 59bbe127d64d88870138e9d97876d869041a9f5f Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:12:01 +1000 Subject: [PATCH 09/20] containers/fluorite: wrap dns as str --- containers/fluorite/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 25e43f6..af3e111 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -20,7 +20,7 @@ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ 8.8.8.8 ]; + networking.nameservers = [ "8.8.8.8" ]; } ]; in { From 30d3063c9bbb45b42f013d5107203525a2d00a8a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:17:02 +1000 Subject: [PATCH 10/20] containers/fluorite: use set flag for exit node --- containers/fluorite/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 002c2f0..fafbd68 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -22,7 +22,7 @@ openFirewall = true; interfaceName = "userspace-networking"; extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; - extraUpFlags = [ "--exit-node=dandelion" ]; + extraSetFlags = [ "--exit-node=100.67.1.1" ]; }; services.slskd = { From 8778adf3bc03b85f1befb3d9396e5c9bfea94aa3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:22:47 +1000 Subject: [PATCH 11/20] containers/fluorite: use routing features --- containers/fluorite/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index fafbd68..e18bdeb 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -23,6 +23,7 @@ interfaceName = "userspace-networking"; extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; extraSetFlags = [ "--exit-node=100.67.1.1" ]; + useRoutingFeatures = "client"; }; services.slskd = { From 02a3207d089699b3abb1f2a07eddd27722c88e93 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:26:09 +1000 Subject: [PATCH 12/20] system/tailscale: open tcp port 50300 --- modules/system/tailscale.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 79cbba9..5da4652 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -16,6 +16,7 @@ } ]; }; + networking.firewall.allowedTCPPorts = [ 50300 ]; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; From cb34055830f76cfc95cf8bc7051a7c8de683c016 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:30:58 +1000 Subject: [PATCH 13/20] containers/fluorite: fixup env --- secrets/slskd_env.age | Bin 849 -> 846 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index f5bc05ea67ec338add401fa62d642f5dbfe090cd..3f1bc1997ee8925037b1bca751df3d4d634ca614 100644 GIT binary patch delta 776 zcmcb}c8+a=PQ9a>Q$$u~xqF#eXoO=Q-MNvUOnR9YVwtHZSi$zkTqgP~bu(`RbOJSm6Mz(QgF_*5LLUD11 zZfc5=si~o*LViYNaEYTrc3DMAskxD{VR24qmbZIKft!m#m2Xm-k56tzRC+~DWu;k~ zrGBuvM|!0Rmt~lbdv2nBo^zzWMOwIduCYawad3`dc9@}lNtS<Jt4i}zJVPSVll)Cgok}8-@4igPrRJ|R_>?eWBU!w;N9}j{~D_9Fh?IL@pa<3&ZfjYeVgvuiw=KkHGS>Y{8ifb zXkN8eptM$D!PNfSxv|;j4EYYH?_S9`*RZ0^OtHY>+!~D;mG(v%K1N^Uo-Ar#v{zx# Wj<-uZG+36u@;qa?Sm1^F96JExCpLQk delta 779 zcmX@dc9Cs@PQ7VqqQ9w^pTE07c%{2#QchW_QBp}&NqI(*S#X%MYm#}eagj+>kz+=l zFPBGhQdydRlBr3hL2kZRdTDq@fKf$7fw#URORXHxD+0KQgp#^E-m5!!?1(9Ky=D}_zCW&4i`eo+9xxucJ;~B;4U9x;Ua;i+C zic)e)k_wzdOPwPEeR9$YytB>H{lk;etCEwP1HFUIOdKt^LW526d<>GST$9qxwF_Jl zJ)A9yLws|cqs-mH-ApWV!?FVmBhyO4^<6BubaizVQVorb9JPZ@1G7_&5{(m`&0RBG zlPwJj{M=mA+|%6M^$jiSEz6@yvO=p&xKz*H_4M5q6XaUlA?dne(W;5NtrzUil@%Ah zuG^%G zGJWpxXya1tLf z$GFVx;rc~e-%76LX8*FeByn-E-?1s)v*RL!BTr1Lc&Humf3CBq;g^e-COq51lb;g1 zzgs}lyvteZT&}(sXX;fx7Yn_jdogDxe5+cYJ=G^XA!%cUsIrbh*$IQ+yZ*B%*Tp<| Z_&dAxwdkW#o__)vRyn0h1X Date: Wed, 17 Jun 2026 00:39:11 +1000 Subject: [PATCH 14/20] containers/fluorite: config proxy --- containers/fluorite/configuration.nix | 5 +++++ secrets/slskd_env.age | Bin 846 -> 765 bytes 2 files changed, 5 insertions(+) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index e18bdeb..f834a22 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -32,6 +32,11 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; + connection.proxy = { + enabled = true; + address = "localhost"; + port = "1055"; + }; }; }; } diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 3f1bc1997ee8925037b1bca751df3d4d634ca614..4e7e23f884fcb50909d1b54c7a85084dbfad4ecb 100644 GIT binary patch delta 695 zcmX@d_Lp^nPJLF2dx5@Zrk7zwSh9US7>B$WJP$0f1ZU;sJFjIUZ}a3MX+uwhuRi;H(oxIvLyMMX$K zSgx5_rg5ePS6HN9fU}#UyJuu(q?e~laB@URRA!K8X{143fknAll3{vTKuM&9QAR=F z#E;_P1qSYx+QzwME?y?Nksje0o}~em1|>h#(8-WE?L=J9+8=0 z=8<0BuEsfj5$RQCX~`i0;d#Er$p)@fx%!D&;dvIGCb?Om-T|(Y;~B;4O%470T%5E^ zD{_6R99=RZqx7>2oKp%sebWq5^0OjyGm7*bwLMeKGTcJBDnoos4D!6gDvFCz!h#|S zf=XOmjm;Ak;SZyQ0qt(CFW8?Y1XT?O^r~gX7xoK(i!mgWvH?LfOpKNTm z+(|8i?Unx%&5MrrrK8py75eJ`(V}6kQJ(Xuy?LD%)EE|U7yZ?$*m=74N@{)jayPC0 zjn%*He>@LUJ3KG?j!Nm|yK#DZq&;86&hx+7@aDrD0|yrqyQZABh1Zw!vgtf|85p*J zo0D~FM6chje delta 776 zcmey%dX8;^PQ9a>Q$$u~xqF#eXoO=Q-MNvUOnR9YVwtHZSi$zkTqgP~bu(`RbOJSm6Mz(QgF_*5LLUD11 zZfc5=si~o*LViYNaEYTrc3DMAskxD{VR24qmbZIKft!m#m2Xm-k56tzRC+~DWu;k~ zrGBuvM|!0Rmt~lbdv2nBo^zzWMOwIduCYawad3`dc9@}lNtS<Jt4i}zJVPSVll)Cgok}8-@4igPrRJ|R_>?eWBU!w;N9}j{~D_9Fh?IL@pa<3&ZfjYeVgvuiw=KkHGS>Y{8ifb zXkN8eptM$D!PNfSxv|;j4EYYH?_S9`*RZ0^OtHY>+!~D;mG(v%K1N^Uo-Ar#v{zx# Wj<-uZG+36u@;qa?Sm1^F96JDIk2a Date: Wed, 17 Jun 2026 00:43:20 +1000 Subject: [PATCH 15/20] containers/fluorite: config proxy againn --- containers/fluorite/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index f834a22..77dc629 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -32,7 +32,7 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; - connection.proxy = { + soulseek.connection.proxy = { enabled = true; address = "localhost"; port = "1055"; From 0462478d7eba3fa3934e6a0b5d521e4440c62c5b Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:52:50 +1000 Subject: [PATCH 16/20] containers/fluorite: try without socks5 --- containers/fluorite/configuration.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 77dc629..67dc279 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -20,8 +20,8 @@ enable = true; authKeyFile = "/binds/tailscale_auth"; openFirewall = true; - interfaceName = "userspace-networking"; - extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + # interfaceName = "userspace-networking"; + # extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; extraSetFlags = [ "--exit-node=100.67.1.1" ]; useRoutingFeatures = "client"; }; @@ -32,11 +32,11 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; - soulseek.connection.proxy = { - enabled = true; - address = "localhost"; - port = "1055"; - }; + # soulseek.connection.proxy = { + # enabled = true; + # address = "localhost"; + # port = "1055"; + # }; }; }; } From 003b6c277b42a6e88ea2f478de1328f7a80aa24d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:56:02 +1000 Subject: [PATCH 17/20] containers/fluorite: enable tun --- containers/fluorite/flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index af3e111..eee70b1 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -64,6 +64,7 @@ containers.${name} = { autoStart = true; privateNetwork = true; + enableTun = true; hostAddress = host4; localAddress = client4; hostAddress6 = host; From d6fc70612a017a2927c863cc1f150fff97934d9a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 01:02:59 +1000 Subject: [PATCH 18/20] containers/fluorite: use tun address for proxy --- containers/fluorite/flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index eee70b1..4fadd89 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -16,6 +16,8 @@ host4 = subnet4 1; client4 = subnet4 2; + clientTun = "100.67.2.101"; + modules = [ ./configuration.nix { @@ -45,7 +47,7 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:5030"; + locations."/".proxyPass = "http://[${clientTun}]:5030"; listenAddresses = listenAddr; }; @@ -53,7 +55,7 @@ services.nginx.virtualHosts."${altfqdn}" = { useACMEHost = hostfqdn; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:5030"; + locations."/".proxyPass = "http://[${clientTun}]:5030"; listenAddresses = listenAddr; }; From d99ec5e25b01568c0202605a5d511c8847616d43 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 01:05:23 +1000 Subject: [PATCH 19/20] containers/fluorite: uuuuuuuuuuuuuuuuuuuuuuu --- containers/fluorite/flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 4fadd89..5b9d4d1 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -47,7 +47,7 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${clientTun}]:5030"; + locations."/".proxyPass = "http://${clientTun}:5030"; listenAddresses = listenAddr; }; @@ -55,7 +55,7 @@ services.nginx.virtualHosts."${altfqdn}" = { useACMEHost = hostfqdn; forceSSL = true; - locations."/".proxyPass = "http://[${clientTun}]:5030"; + locations."/".proxyPass = "http://${clientTun}:5030"; listenAddresses = listenAddr; }; From b782d746473fa554d969435e24d082472c3f2222 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 01:08:27 +1000 Subject: [PATCH 20/20] system/tailscale: correct wrong nat interface --- modules/system/tailscale.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5da4652..fe0e8bb 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -7,7 +7,7 @@ networking.nat = lib.mkIf (config.networking.hostName == "dandelion") { enable = true; externalInterface = "enp0s6"; - internalInterfaces = [ "tailscaled0" ]; + internalInterfaces = [ "tailscale0" ]; forwardPorts = [ { sourcePort = 50300;