From 136f024cf00de9016dd0557b664eec19567be2f7 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Tue, 17 Feb 2026 21:28:28 -0800
Subject: [PATCH] Fix tailscale networking when incus is on
---
 common/network/tailscale.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/common/network/tailscale.nix b/common/network/tailscale.nix
index fbb6127..bbd3baa 100644
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@@ -10,6 +10,10 @@ in
 config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
+ # Trust Tailscale interface - access control is handled by Tailscale ACLs.
+ # Required because nftables (used by Incus) breaks Tailscale's automatic iptables rules.
+ config.networking.firewall.trustedInterfaces = mkIf cfg.enable [ "tailscale0" ];
+
 # MagicDNS
 config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
 config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
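Review bot: The added `trustedInterfaces` line makes the host firewall accept every inbound packet on `tailscale0`, so any service listening on all addresses of a host that imports this module becomes reachable from every peer the tailnet ACL allows, and the host no longer provides a second layer if that ACL is broad or gets misedited. If only a few services need to be reachable over the tailnet, a per-interface allow-list such as `config.networking.firewall.interfaces."tailscale0".allowedTCPPorts = mkIf cfg.enable [ 22 ];` (port list constructed as an example) keeps the nftables workaround without blanket trust. If full trust is intended, the comment should say so directly, e.g. `# Every listening port on this host is exposed to the tailnet; the tailnet ACL is the only filter.`, and the hard-coded name could follow `config.services.tailscale.interfaceName` so the rule does not silently stop matching if the interface is renamed. `cfg` is defined outside the hunk, presumably as `config.services.tailscale`.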