system/tailscale: correct wrong nat interface

containers/fluorite: uuuuuuuuuuuuuuuuuuuuuuu
containers/fluorite: use tun address for proxy
2026-06-17 01:08:27 +10:00 · 2026-06-17 01:05:23 +10:00 · 2026-06-17 01:02:59 +10:00 · 2026-06-17 00:56:02 +10:00 · 2026-06-17 00:52:50 +10:00 · 2026-06-17 00:43:20 +10:00
9 changed files with 98 additions and 7 deletions
--- a/containers/fluorite/configuration.nix
+++ b/containers/fluorite/configuration.nix
@ -1,22 +1,42 @@
 { ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
-    "d /persist/slskd/Downloads 755 slskd slskd"
+    "d /persist/slskd/downloads 755 slskd slskd"
  ];
  fileSystems."/var/lib/slskd" = {
    device = "/persist/slskd";
    fsType = "none";
    options = [ "bind" ];
  };
+  fileSystems."/var/lib/tailscale" = {
+    device = "/persist/tailscale";
+    fsType = "none";
+    options = [ "bind" ];
+  };
  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
  networking.firewall.allowedUDPPorts = [ 5030 50300 ];

+  services.tailscale = {
+    enable = true;
+    authKeyFile = "/binds/tailscale_auth";
+    openFirewall = true;
+    # interfaceName = "userspace-networking";
+    # extraDaemonFlags = [ "--socks5-server=localhost:1055" ];
+    extraSetFlags = [ "--exit-node=100.67.1.1" ];
+    useRoutingFeatures = "client";
+  };
+
  services.slskd = {
    enable = true;
    domain = null;
    environmentFile = "/binds/slskd_env";
    settings = {
      shares.directories = [ "/binds/music/" ];
+      # soulseek.connection.proxy = {
+      #   enabled = true;
+      #   address = "localhost";
+      #   port = "1055";
+      # };
    };
  };
 }
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@ -16,18 +16,27 @@
    host4 = subnet4 1;
    client4 = subnet4 2;

+    clientTun = "100.67.2.101";
+
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
-        networking.nameservers = [ host ];
+        networking.nameservers = [ "8.8.8.8" ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
-    nixosModule = { config, ... }: {
+    nixosModule = { config, ... }: let
+      hostfqdn = "${config.networking.hostName}.lava.moe";
+      altfqdn = "fluorite.${hostfqdn}";
+      # TODO: HACK
+      listenAddr = if (config.networking.hostName == "alyssum")
+        then [ "100.67.2.1" ]
+        else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+    in {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
@ -38,8 +47,16 @@
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
-        locations."/".proxyPass = "http://[${client}]:5030";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+        locations."/".proxyPass = "http://${clientTun}:5030";
+        listenAddresses = listenAddr;
+      };
+
+      security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; };
+      services.nginx.virtualHosts."${altfqdn}" = {
+        useACMEHost = hostfqdn;
+        forceSSL = true;
+        locations."/".proxyPass = "http://${clientTun}:5030";
+        listenAddresses = listenAddr;
      };

      systemd.tmpfiles.rules = [
@ -49,6 +66,7 @@
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
+        enableTun = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
@ -82,6 +100,11 @@
          mountPoint = "/binds/slskd_env";
          isReadOnly = true;
        };
+        bindMounts."tailscale_auth" = {
+          hostPath = config.age.secrets.tailscale_auth.path;
+          mountPoint = "/binds/tailscale_auth";
+          isReadOnly = true;
+        };
        # flake = "path:" + ./.;
      };
    };
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -5,6 +5,7 @@

  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
+    slskd_env.file = ../../secrets/slskd_env.age;
    wpa_conf = {
      file = ../../secrets/wpa_conf.age;
      path = "/etc/wpa_supplicant/imperative.conf";
@ -24,8 +25,10 @@
    tailscale

    modules.services.nginx
+    modules.services.soulbeet
    modules.services.syncthing

+    inputs.c-fluorite.nixosModule
    inputs.c-garnet.nixosModule

    ./filesystem.nix
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -32,7 +32,6 @@
    inputs.c-citrine.nixosModule
    inputs.c-diamond.nixosModule
    inputs.c-emerald.nixosModule
-    inputs.c-fluorite.nixosModule

    ./filesystem.nix
    ./kernel.nix
--- a/modules/default.nix
+++ b/modules/default.nix
@ -22,6 +22,7 @@ in {
    ./services/nginx.nix
    ./services/postgres.nix
    ./services/sonarr.nix
+    ./services/soulbeet.nix
    ./services/synapse.nix
    ./services/syncthing.nix
    ./services/tmptsync.nix
--- a/modules/services/soulbeet.nix
+++ b/modules/services/soulbeet.nix
@ -0,0 +1,32 @@
+{ ... }:
+let
+  dir_data = "/persist/services/soulbeet/data";
+  dir_downloads = "/persist/containers/fluorite/slskd/downloads";
+  dir_music = "/persist/media/music";
+in {
+  systemd.tmpfiles.rules = [
+    "d ${dir_data} 700 root root"
+    "d ${dir_downloads} 755 root users"
+    "d ${dir_music} 075 nobody users"
+  ];
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    container-name = {
+      image = "docker.io/docccccc/soulbeet:latest";
+      autoStart = true;
+      ports = [ "9765:9765" ];
+      environment = {
+        DATABASE_URL = "sqlite:/data/soulbeet.db";
+        DOWNLOAD_PATH = "/downloads";
+        SECRET_KEY = "change-me-in-production";
+        NAVIDROME_URL = "http://navidrome:4533";
+        BEETS_CONFIG = "/config/config.yaml";
+      };
+      volumes = [
+        "${dir_data}:/data"
+        "${dir_downloads}:/downloads"
+        "${dir_music}:/music"
+      ];
+    };
+  };
+}
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@ -4,6 +4,19 @@
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];

+  networking.nat = lib.mkIf (config.networking.hostName == "dandelion") {
+    enable = true;
+    externalInterface = "enp0s6";
+    internalInterfaces = [ "tailscale0" ];
+    forwardPorts = [
+      {
+        sourcePort = 50300;
+        proto = "tcp";
+        destination = "100.67.2.101:50300";
+      }
+    ];
+  };
+  networking.firewall.allowedTCPPorts = [ 50300 ];
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale_auth.path;
--- a/secrets.nix
+++ b/secrets.nix
@ -12,7 +12,7 @@ in {

  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
  "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
-  "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
+  "secrets/slskd_env.age".publicKeys = [ alyssum anemone dandelion rin ];
  "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
  "secrets/warden_admin.age".publicKeys = [ rin ];
  "secrets/wg_anemone.age".publicKeys = [ anemone rin ];
--- a/secrets/slskd_env.age
+++ b/secrets/slskd_env.age
Author	SHA1	Message	Date
Cilly Leang	b782d74647	system/tailscale: correct wrong nat interface Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-17 01:08:27 +10:00
Cilly Leang	d99ec5e25b	containers/fluorite: uuuuuuuuuuuuuuuuuuuuuuu Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 01:05:23 +10:00
Cilly Leang	d6fc70612a	containers/fluorite: use tun address for proxy Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 01:02:59 +10:00
Cilly Leang	003b6c277b	containers/fluorite: enable tun Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:56:02 +10:00
Cilly Leang	0462478d7e	containers/fluorite: try without socks5 Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:52:50 +10:00
Cilly Leang	c93496cb84	containers/fluorite: config proxy againn Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:43:20 +10:00
Cilly Leang	789f9b9cd3	containers/fluorite: config proxy Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:39:11 +10:00
Cilly Leang	cb34055830	containers/fluorite: fixup env Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:30:58 +10:00
Cilly Leang	02a3207d08	system/tailscale: open tcp port 50300 Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:26:09 +10:00
Cilly Leang	8778adf3bc	containers/fluorite: use routing features Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:22:47 +10:00
Cilly Leang	30d3063c9b	containers/fluorite: use set flag for exit node Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:17:02 +10:00
Cilly Leang	59bbe127d6	containers/fluorite: wrap dns as str Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:12:01 +10:00
Cilly Leang	5b666bf576	system/tailscale: only nat for dandelion Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:10:23 +10:00
Cilly Leang	20b5d96686	containers/fluorite: socks5 via tailscale Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 00:07:01 +10:00
Cilly Leang	4b19491ec7	hosts/alyssum: remove fluorite	2026-06-16 23:41:32 +10:00
Cilly Leang	f1defd435a	containers/fluorite: configure ssl cert correctly Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-16 23:22:18 +10:00
Cilly Leang	042a04cbfc	containers/fluorite: fixup multiple hosts Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-16 23:15:49 +10:00
Cilly Leang	0d89b2a64f	hosts/alyssum: add slskd_env Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-16 23:07:25 +10:00
Cilly Leang	4e19a6378b	containers/fluorite: hostname -> hostName Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-16 23:04:02 +10:00
Cilly Leang	c36a3f09de	services/soulbeet: init and add to alyssum Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-16 23:02:43 +10:00