From c5d82b0942790f51b64dd56a7bd9c585c268220b Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 3 Mar 2026 11:15:02 -0800
Subject: [PATCH] Trust k3s CNI interfaces in ringtail NixOS firewall

The NixOS firewall was blocking pod-to-host TCP traffic because only tailscale0 was trusted. Pods could ping the host but not reach the API server (port 6443), breaking Tailscale Ingress TLS cert refresh and all ringtail services (authentik, frigate, ntfy, ollama).

Co-Authored-By: Claude Opus 4.6
---
 nixos/ringtail/configuration.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nixos/ringtail/configuration.nix b/nixos/ringtail/configuration.nix
index 5a0035b..db682f6 100644
--- a/nixos/ringtail/configuration.nix
+++ b/nixos/ringtail/configuration.nix
@@ -155,8 +155,10 @@ in
 extraUpFlags = [ "--accept-routes" "--ssh" ];
 };
 
-# Trust Tailscale interface (ArgoCD on indri connects via tailnet)
-networking.firewall.trustedInterfaces = [ "tailscale0" ];
+# Trust Tailscale and k3s CNI interfaces
+# - tailscale0: ArgoCD on indri connects via tailnet
+# - cni0/flannel.1: k3s pod overlay network (pods must reach host API server)
+networking.firewall.trustedInterfaces = [ "tailscale0" "cni0" "flannel.1" ];
 
 # SSH
 services.openssh = {
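Review bot: Adding `cni0` and `flannel.1` to `networking.firewall.trustedInterfaces` on the new assignment line exposes every port the host listens on to every pod in the cluster, while the commit message only establishes a need for TCP 6443. A per-interface allow list keeps a misbehaving or compromised pod from reaching unrelated host services: `networking.firewall.interfaces.cni0.allowedTCPPorts = [ 6443 ];` plus the same line for `flannel.1`, leaving `networking.firewall.trustedInterfaces = [ "tailscale0" ];` as it was. If the ringtail services named in the description turn out to need further host ports from pods, listing them there records that dependency explicitly instead of hiding it behind a blanket trust. The enclosing attribute set starts and ends outside the hunk.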