From f599a76aba1a7924a09f1d4e357bfea787643455 Mon Sep 17 00:00:00 2001
From: Danny
Date: Sun, 3 May 2026 06:39:57 +0200
Subject: [PATCH] phantom-ship: open shelfish (:8081) on ZT iface, bind 0.0.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
shelfish was only listening on 127.0.0.1 — vps-relay's Caddy couldn't reach it over the ZT mesh. Bind 0.0.0.0 and allow 8081 inbound on \`zt+\` interfaces (not the global firewall — same pattern sunken-ship uses for bbbot).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 nixos/hosts/phantom-ship.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index f870929..87efe78 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -48,6 +48,11 @@ in
 };
 networking.firewall.trustedInterfaces = [ "enp0s31f6" ];
+ # Shelfish HTTP (8081) is reachable only over the ZeroTier mesh — the
+ # vps-relay Caddy reverse-proxies into it. Same pattern as sunken-ship's
+ # bbbot. Not in global allowedTCPPorts, so the WAN side stays closed.
+ networking.firewall.interfaces."zt+".allowedTCPPorts = [ 8081 ];
+
 hardware.enableRedistributableFirmware = true; # iwlwifi (Intel 8260) + GPU + BT firmware
 boot.kernelParams = [ "consoleblank=60" ]; # blank TTY after 60s to reduce burn-in
@@ -279,7 +284,7 @@ in
 };
 serviceConfig = {
 WorkingDirectory = "/home/danny/shelfish";
- ExecStart = "${pythonEnv}/bin/python -m uvicorn server:app --host 127.0.0.1 --port 8081";
+ ExecStart = "${pythonEnv}/bin/python -m uvicorn server:app --host 0.0.0.0 --port 8081";
 Restart = "on-failure";
 RestartSec = 10;
 User = "danny";
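Review bot: The comment added in the first hunk (`@@ -48,6 +48,11 @@`) says 8081 is reachable only over the ZeroTier mesh, but the rule admits more than the vps-relay Caddy: `zt+` matches every ZeroTier interface on the host, so any member of any joined network can connect. `enp0s31f6` is also listed in `trustedInterfaces` on the context line just above, so once the service binds 0.0.0.0 the port is open on that interface as well. If only the relay is meant to connect, that intent should be enforced by source address rather than by interface alone, and the comment should state the real exposure, e.g. `# Shelfish HTTP (8081): open to all ZeroTier peers (zt+) and to the trusted LAN iface; intended client is vps-relay's Caddy.` Whether shelfish authenticates requests itself is not visible in this patch.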
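Review bot: Changing `--host` to `0.0.0.0` in the second hunk (`@@ -279,7 +284,7 @@`) makes uvicorn listen on every interface, so the firewall becomes the only control between shelfish and each network the host is attached to, including the fully trusted `enp0s31f6`. A per-unit allow-list would keep the exposure tied to the service even if firewall rules change later: in this `serviceConfig`, add `IPAddressDeny = "any";` and `IPAddressAllow = [ "localhost" "<vps-relay ZeroTier address>" ];` (placeholder; the address is not in the patch). The hop from Caddy to uvicorn is plain HTTP, presumably accepted because the mesh encrypts it, and that assumption deserves a comment beside `ExecStart`. The `serviceConfig` block starts and ends outside the hunk.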