From 1295d3f916dcf8f9ee770bf8bd2a93ccc06add1c Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 23:02:40 +1000
Subject: [PATCH 1/2] hosts/alyssum: enable garnet
---
 hosts/alyssum/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 087c77f..1c1db61 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -1,4 +1,4 @@
-{ lib, modules, modulesPath, ... }: {
+{ inputs, modules, modulesPath, ... }: {
 networking.hostName = "alyssum";
 system.stateVersion = "25.11";
 time.timeZone = "Australia/Melbourne";
@@ -22,6 +22,8 @@
 security
 tailscale
 
+ inputs.c-garnet.nixosModule
+
 ./filesystem.nix
 ./kernel.nix
 ./networking.nix
From 4ab35c6f51a147de6da219d5fa46b27cfd1f5bb5 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 23:04:35 +1000
Subject: [PATCH 2/2] containers/garnet: better ip filtering
---
 containers/garnet/flake.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix
index 7cb7559..b5e4ba5 100644
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@@ -44,7 +44,13 @@
 proxy_set_header Host $host;
 '';
 };
- listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+ extraConfig = ''
+ allow 10.0.0.0/8;
+ allow 100.0.0.0/8;
+ allow 192.168.1.0/24;
+ allow fd0d::/8;
+ deny all;
+ '';
 };
 
 systemd.tmpfiles.rules = [
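Review bot: `allow 100.0.0.0/8;` in the new `extraConfig` of containers/garnet/flake.nix admits far more than the range the removed listen address `100.67.1.1` sat in (presumably the Tailscale network): only 100.64.0.0/10 is the shared CGNAT block, and the rest of 100.0.0.0/8 is ordinary routable address space, so the rule should read `allow 100.64.0.0/10;`. `allow fd0d::/8;` is over-broad in the same way, because an 8-bit mask keeps only the first byte and the rule therefore matches all of fd00::/8; give it the prefix length the network actually uses. Dropping `listenAddresses` in the same hunk also appears to leave the virtual host on nginx's default listen addresses, so these source-address rules become the only barrier, and they stop discriminating if traffic reaches the container through NAT or a forwarder with a 10.x source. Keeping `listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];` next to the allow list would retain both layers. The enclosing virtual-host attribute set starts outside the hunk.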