hosts/alyssum: enable tailscale

services/unbound: allow access from tailscale
hosts/dandelion: enable tailscale
2026-05-28 22:10:44 +10:00 · 2026-05-28 21:56:34 +10:00 · 2026-05-28 21:33:57 +10:00 · 2026-05-28 21:21:49 +10:00 · 2026-05-28 21:20:27 +10:00 · 2026-05-28 21:17:50 +10:00
11 changed files with 27 additions and 13 deletions
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -21,7 +21,8 @@
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
-        locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
      };

--- a/containers/beryllium/configuration.nix
+++ b/containers/beryllium/configuration.nix
@ -9,14 +9,15 @@
  networking.firewall.allowedUDPPorts = [ 6167 ];
  # TODO: this should be generically set
  networking.useHostResolvConf = false;
-  networking.nameservers = [ "fd0d:1::2:1" ];
+  networking.nameservers = [ "8.8.8.8" ];

  services.matrix-continuwuity = {
    enable = true;
    settings.global = {
      # TODO: link this with outer container's address
-      address = [ "fd0d:1::2:2" ];
+      address = [ "10.30.2.2" ];
      server_name = "lava.moe";
+      rocksdb_recovery_mode = 2;
    };
  };
 }
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@ -22,9 +22,9 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".extraConfig = "return 302 'https://lava.moe';";
-        locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
-        locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
-        locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
+        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
      };

      services.nginx.virtualHosts."lava.moe" = {
@ -52,9 +52,8 @@
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
-        hostAddress6 = "fd0d:1::${subnet}:1";
-        localAddress6 = "fd0d:1::${subnet}:2";
-        # privateUsers = "pick";
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = [ ./configuration.nix ]; };
@ -64,7 +63,6 @@
          mountPoint = "/persist";
          isReadOnly = false;
        };
-        # flake = "path:" + ./.;
      };
    };
  };
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -20,6 +20,7 @@
    nix-stable
    packages
    security
+    tailscale

    ./filesystem.nix
    ./kernel.nix
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -19,6 +19,7 @@
    nix-stable
    packages
    security
+    tailscale
    wireguard

    modules.services.banksia
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -6,7 +6,7 @@
      email = "me@lava.moe";
      group = "nginx";
      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets."acme_dns".path;
+      environmentFile = config.age.secrets."acme_dns".path;
    };
    certs."lava.moe" = {
      extraDomainNames = [
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@ -27,8 +27,12 @@ in {
        forward-addr = [
          "2606:4700:4700::1111@853#cloudflare-dns.com"
          "2606:4700:4700::1001@853#cloudflare-dns.com"
+          "2001:4860:4860::8888@853#dns.google"
+          "2001:4860:4860::8844@853#dns.google"
          "1.1.1.1@853#cloudflare-dns.com"
          "1.0.0.1@853#cloudflare-dns.com"
+          "8.8.8.8@853#dns.google"
+          "8.8.4.4@853#dns.google"
        ];
      }];

@ -37,8 +41,10 @@ in {
        access-control = [
          "127.0.0.1/8      allow"
          "10.0.0.0/8       allow"
+          "100.64.0.0/10    allow"
          "192.168.100.0/24 allow"
-          "fd0d::/16 allow"
+          "fd0d::/16        allow"
+          "fd7a:115c:a1e0::/48 allow"
          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
        ];
        domain-insecure = [ "\"local.lava.moe\"" ];
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@ -6,7 +6,7 @@ let
  serverIp = gcSecrets.wireguard.gateway;

  forwarding = {
-#    "22727" = [ "10.100.0.3" "7777" ];
+    "22727" = [ "10.100.0.3" "7777" ];
  };

  mapForwards = type:
@ -18,6 +18,8 @@ let
      in ''
        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
      '') forwarding
    );

--- a/modules/user/neovim-minimal.nix
+++ b/modules/user/neovim-minimal.nix
@ -9,6 +9,8 @@
    vimAlias = true;
    vimdiffAlias = true;
    withNodeJs = false;
+    withPython3 = false;
+    withRuby = false;

    plugins = with pkgs.vimPlugins; [
      fzf-vim
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@ -17,6 +17,8 @@ in {
    vimdiffAlias = true;
    #package = pkgs.neovim-nightly;
    withNodeJs = true;
+    withPython3 = true;
+    withRuby = false;

    extraPackages = with pkgs; [
      rust-analyzer
--- a/secrets/slskd_env.age
+++ b/secrets/slskd_env.age
Author	SHA1	Message	Date
Cilly Leang	d0e090bb68	hosts/alyssum: enable tailscale Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 22:10:44 +10:00
Cilly Leang	e5e608c580	services/unbound: allow access from tailscale Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-05-28 21:56:34 +10:00
Cilly Leang	69717ef92b	hosts/dandelion: enable tailscale Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 21:33:57 +10:00
Cilly Leang	d13f18a189	user/neovim{,-minimal}: set defaults to suppress warning	2026-05-28 21:21:49 +10:00
Cilly Leang	de857dcfbf	services/nginx: credentialsFile -> environmentFile	2026-05-28 21:20:27 +10:00
Cilly Leang	5680e29cd2	services/unbound: add google to dns	2026-05-28 21:17:50 +10:00
Cilly Leang	4a91f8a165	system/wireguard: also forward udp	2026-05-28 21:17:50 +10:00
Cilly Leang	52e53ba5b3	containers/amethyst: use ipv4 proxy	2026-05-28 21:17:49 +10:00
Cilly Leang	218da08936	containers/beryllium: use ipv4	2026-05-28 21:17:49 +10:00
Cilly Leang	724d30a092	containers/fluorite: change slskd env	2026-05-28 21:17:46 +10:00