From 9b2db0501f7d0ee4768a1ee99961a4b48df2a20d Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Sun, 19 Apr 2026 11:52:06 -0400
Subject: [PATCH] Unfuck tailscale post incus
---
 configurations/nixos/pureintent/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/configurations/nixos/pureintent/default.nix b/configurations/nixos/pureintent/default.nix
index 93ee86e..480f52b 100644
--- a/configurations/nixos/pureintent/default.nix
+++ b/configurations/nixos/pureintent/default.nix
@@ -52,6 +52,10 @@ in
 services.openssh.enable = true;
 services.tailscale.enable = true;
+ # tailscaled installs its rules via iptables-nft, which live in a different
+ # table from the nftables firewall that incus requires. Adding tailscale0 here
+ # gets it into the nftables trusted-interfaces set too.
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
 networking.firewall.allowedTCPPorts = [
 80
 443
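Review bot: Listing `tailscale0` in `networking.firewall.trustedInterfaces` accepts every packet arriving on that interface, so every port this host listens on becomes reachable from any tailnet peer, and the `allowedTCPPorts` list just below no longer limits that path. If only specific services need to be reachable over Tailscale, a per-interface allow-list such as `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ <ports> ];` may be enough to get the traffic through the nftables ruleset while keeping the host firewall in effect for everything else. If blanket trust is intended, the comment should say so, e.g. `# All ports are open to tailnet peers; access control is delegated to the tailnet ACLs.`, since that presumably includes whatever incus exposes on this host, which the hunk does not show. The attribute set continues outside the hunk.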