dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

phantom-ship: open shelfish (:8081) on ZT iface, bind 0.0.0.0

Browse source 
shelfish was only listening on 127.0.0.1 — vps-relay's Caddy
couldn't reach it over the ZT mesh. Bind 0.0.0.0 and allow 8081
inbound on \`zt+\` interfaces (not the global firewall — same
pattern sunken-ship uses for bbbot).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Danny 2026-05-03 06:39:57 +02:00
parent 0b20c375b5
commit f599a76aba
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
nixos/hosts/phantom-ship.nix
View file

@ -48,6 +48,11 @@ in
}; };
networking.firewall.trustedInterfaces = [ "enp0s31f6" ]; networking.firewall.trustedInterfaces = [ "enp0s31f6" ];
# Shelfish HTTP (8081) is reachable only over the ZeroTier mesh — the
# vps-relay Caddy reverse-proxies into it. Same pattern as sunken-ship's
# bbbot. Not in global allowedTCPPorts, so the WAN side stays closed.
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 8081 ];
hardware.enableRedistributableFirmware = true; # iwlwifi (Intel 8260) + GPU + BT firmware hardware.enableRedistributableFirmware = true; # iwlwifi (Intel 8260) + GPU + BT firmware
boot.kernelParams = [ "consoleblank=60" ]; # blank TTY after 60s to reduce burn-in boot.kernelParams = [ "consoleblank=60" ]; # blank TTY after 60s to reduce burn-in
@ -279,7 +284,7 @@ in
}; };
serviceConfig = { serviceConfig = {
WorkingDirectory = "/home/danny/shelfish"; WorkingDirectory = "/home/danny/shelfish";
ExecStart = "${pythonEnv}/bin/python -m uvicorn server:app --host 127.0.0.1 --port 8081"; ExecStart = "${pythonEnv}/bin/python -m uvicorn server:app --host 0.0.0.0 --port 8081";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 10; RestartSec = 10;
User = "danny"; User = "danny";