From b9ec5e8a7fc7998bca256e91f2b3e143f06ab36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 10:18:36 -0800
Subject: [PATCH 01/17] Add match modules

---
 hosts/glyph/services/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 55c463a..b150a30 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -49,8 +49,8 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A nixos-fw -p tcp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
- iptables -A nixos-fw -p udp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
+ iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
+ iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
 '';
 };
 services.tailscale = {
From a1ce6ef2849038d6c5e3a9d61815704e1307ecaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 10:20:21 -0800
Subject: [PATCH 02/17] Restore localhost access

---
 hosts/glyph/services/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index b150a30..11de9ad 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -51,6 +51,8 @@
 extraCommands = ''
 iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
 iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
+ iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 127.0.0.0/8 -j nixos-fw-accept
+ iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 127.0.0.0/8 -j nixos-fw-accept
 '';
 };
 services.tailscale = {
From d7f96c10c869f2a87e32d3894db5f9a0421011a2 Mon Sep 17 00:00:00 2001
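Review bot: The added `-m tcp` / `-m udp` on the two rules in the nixos-fw chain do not change what is matched: iptables loads the protocol's match module implicitly when `-p tcp`/`-p udp` is combined with `--dport`, so this hunk is a no-op and the original symptom lies elsewhere. Comparing `iptables -S nixos-fw` before and after the rebuild would confirm that. One thing I cannot see from this file is whether `networking.nftables.enable` is set on this host; with the nftables backend `networking.firewall.extraCommands` is not applied, which would explain rules that never take effect. The declarative form `networking.firewall.interfaces.enp5s0.allowedTCPPortRanges = [{ from = 30000; to = 65535; }];` (plus the UDP counterpart) works under either backend and keeps the exposure scoped to the LAN interface named elsewhere in this series.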
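Review bot: The two new `127.0.0.0/8` rules are most likely redundant, since as far as I recall the NixOS iptables firewall already accepts everything arriving on `lo` near the top of nixos-fw, ahead of any port rule. If a loopback allow really is missing, matching on the interface is the safer check than matching on the source address: `-s 127.0.0.0/8` on a non-loopback interface accepts any packet that merely carries a loopback source and relies on the kernel's martian filtering to have dropped it first. Suggest replacing both lines with `iptables -A nixos-fw -i lo -j nixos-fw-accept` if the accept turns out to be absent, and dropping the hunk otherwise.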
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 10:29:27 -0800
Subject: [PATCH 03/17] Try bypassing remaining firewall rules

---
 hosts/glyph/services/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 11de9ad..900403e 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -49,10 +49,10 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
- iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
- iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 127.0.0.0/8 -j nixos-fw-accept
- iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 127.0.0.0/8 -j nixos-fw-accept
+ iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT
+ iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT
+ iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 127.0.0.0/8 -j ACCEPT
 '';
 };
 services.tailscale = {
From df068c33e5a81d9d20b4ecb714b2907ddc06f4e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 10:32:27 -0800
Subject: [PATCH 04/17] Try reverting to earlier working config From a1f5a61

---
 hosts/glyph/services/default.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 900403e..fb9cc0c 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
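Review bot: Changing the jump target from `nixos-fw-accept` to `ACCEPT` cannot bypass anything: nixos-fw-accept is the firewall module's own chain whose only rule is ACCEPT, so the four rules behave identically before and after this hunk. With the matches unchanged, the rules were either already working or never being hit; `iptables -L nixos-fw -v -n` shows per-rule packet counters and would settle which. If Roon's discovery depends on broadcast or multicast rather than unicast to these ports, a source-scoped `--dport` rule is the wrong shape whatever its target, so Roon's documented port requirements are worth checking before widening anything further.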
@@ -49,10 +49,8 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT
- iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT
- iptables -A nixos-fw -p tcp -m tcp --dport 30000:65535 -s 127.0.0.0/8 -j ACCEPT
- iptables -A nixos-fw -p udp -m udp --dport 30000:65535 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 192.168.0.0/24 -j ACCEPT
+ iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 127.0.0.0/8 -j ACCEPT
 '';
 };
 services.tailscale = {
From 9d3d2253dfb423a10a8c11e63190e3389e78b8fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 10:38:00 -0800
Subject: [PATCH 05/17] Try opening port 7000

---
 hosts/glyph/services/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index fb9cc0c..02e1b5a 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -29,6 +29,7 @@
 allowedTCPPorts = [
 554 # AirPlay streaming
 3689 # Digital Audio Access Protocol (DAAP)
+ 7000 # AirPlay control
 55002 # Roon ARC
 ];
 allowedUDPPorts = [
From 4f28771ad573e9eee93b71339ae2500bb1026615 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 10:49:25 -0800
Subject: [PATCH 06/17] Allow Roon to use mDNS

---
 hosts/glyph/services/avahi.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts/glyph/services/avahi.nix b/hosts/glyph/services/avahi.nix
index 006204d..13a5c5d 100644
--- a/hosts/glyph/services/avahi.nix
+++ b/hosts/glyph/services/avahi.nix
@@ -6,11 +6,13 @@
 services.avahi = {
 enable = true;
 nssmdns4 = true;
+ reflector = true;
 publish = {
 enable = true;
 userServices = true;
 workstation = true;
 };
+ allowInterfaces = ["enp5s0"];
 extraServiceFiles = {
 smb = ''
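Review bot: Appending to INPUT instead of nixos-fw creates rules the firewall module does not own: on restart it flushes only its own nixos-fw* chains and re-runs extraCommands, so as far as I recall every rebuild installs another copy of these two rules, and reverting the file later does not remove copies already in the kernel (a matching `extraStopCommands` with the corresponding `iptables -D ...` lines would). The same applies to the INPUT rules in patches 07, 09 and 10 and to the running state after the revert in patch 15. Separately, the source prefix here is `192.168.0.0/24` while every other rule in the series uses `192.168.4.0/24`, and the UDP rule has been dropped; if the LAN is 192.168.4.0/24 this "working config" matches nothing. `--match multiport` is unnecessary for a single range — plain `--dport 40000:65535` is equivalent.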
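Review bot: `allowedTCPPorts` opens 7000 on every interface to any source, which is broader than the LAN-scoped iptables rules this file uses for Roon; the `6001`–`6002` UDP range added in patch 13 has the same shape, and that entry is the one that survives the series. Since a Tailscale service is configured in this same file, ports opened this way are reachable from the tailnet as well as the LAN, which may or may not be intended. Where only LAN clients need them, `networking.firewall.interfaces.enp5s0.allowedTCPPorts = [ 7000 ];` (and `.allowedUDPPortRanges` for 6001–6002) keeps the exposure on the single interface; `enp5s0` is the interface named in the avahi hunk of patch 06.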
From d6c88a51e49806f6d50921a7795cba7609cad00a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:24:36 -0800
Subject: [PATCH 07/17] Try config from forum post

---
 hosts/glyph/services/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 02e1b5a..e7e3823 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -50,8 +50,8 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 192.168.0.0/24 -j ACCEPT
- iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -p tcp -j --dport 30000:65535 -s 192.168.4.0/24 ACCEPT
+ iptables -A INPUT -p udp -j --dport 30000:65535 -s 192.168.4.0/24 ACCEPT
 '';
 };
 services.tailscale = {
From c055e388e5779bababb746124beeb447f50865e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:25:21 -0800
Subject: [PATCH 08/17] Revert "Try config from forum post"

This reverts commit d6c88a51e49806f6d50921a7795cba7609cad00a.

---
 hosts/glyph/services/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index e7e3823..02e1b5a 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
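Review bot: Both new rules are malformed: `-j` takes the target name as its argument, so `-j --dport` is rejected by iptables and the trailing `ACCEPT` is left as a stray positional argument. Because the NixOS firewall start script runs the extraCommands snippet under `-e` (as far as I recall), the first failing command aborts the script partway through and the firewall unit fails, leaving the host with whatever rules had been installed up to that point — worth keeping in mind when iterating on extraCommands on a live machine. The intended form is `iptables -A INPUT -p tcp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT` (and likewise for udp); a `nixos-rebuild test` before `switch` would have surfaced the error without committing it.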
@@ -50,8 +50,8 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A INPUT -p tcp -j --dport 30000:65535 -s 192.168.4.0/24 ACCEPT
- iptables -A INPUT -p udp -j --dport 30000:65535 -s 192.168.4.0/24 ACCEPT
+ iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 192.168.0.0/24 -j ACCEPT
+ iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 127.0.0.0/8 -j ACCEPT
 '';
 };
 services.tailscale = {
From 835536bbd15be6c613c84cd13f9229c869beb6f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:26:13 -0800
Subject: [PATCH 09/17] Try expanding ports and updating submask

---
 hosts/glyph/services/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 02e1b5a..9db834f 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -50,7 +50,7 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 192.168.0.0/24 -j ACCEPT
+ iptables -A INPUT -p tcp --match multiport --dports 30000:65535 -s 192.168.4.0/24 -j ACCEPT
 iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 127.0.0.0/8 -j ACCEPT
 '';
 };
From 75236788ab1c264edc578eb61db0a97071dbfc0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:28:08 -0800
Subject: [PATCH 10/17] UDP as well...

---
 hosts/glyph/services/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 9db834f..87ad5a3 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -51,6 +51,7 @@
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
 iptables -A INPUT -p tcp --match multiport --dports 30000:65535 -s 192.168.4.0/24 -j ACCEPT
+ iptables -A INPUT -p udp --match multiport --dports 30000:65535 -s 192.168.4.0/24 -j ACCEPT
 iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 127.0.0.0/8 -j ACCEPT
 '';
 };
From 1e96f9eb8e3980a4b1f3493b9cc489f482392704 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:30:14 -0800
Subject: [PATCH 11/17] Try disabling Avahi

---
 hosts/glyph/services/avahi.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/glyph/services/avahi.nix b/hosts/glyph/services/avahi.nix
index 13a5c5d..8d8622b 100644
--- a/hosts/glyph/services/avahi.nix
+++ b/hosts/glyph/services/avahi.nix
@@ -4,7 +4,7 @@
 ...
 }: {
 services.avahi = {
- enable = true;
+ enable = false;
 nssmdns4 = true;
 reflector = true;
 publish = {
From 5989803528d8117b7217672aae6303aabf0ce653 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:32:19 -0800
Subject: [PATCH 12/17] Revert "Try disabling Avahi"

This reverts commit 1e96f9eb8e3980a4b1f3493b9cc489f482392704.

---
 hosts/glyph/services/avahi.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/glyph/services/avahi.nix b/hosts/glyph/services/avahi.nix
index 8d8622b..13a5c5d 100644
--- a/hosts/glyph/services/avahi.nix
+++ b/hosts/glyph/services/avahi.nix
@@ -4,7 +4,7 @@
 ...
 }: {
 services.avahi = {
- enable = false;
+ enable = true;
 nssmdns4 = true;
 reflector = true;
 publish = {
From af324fc92aa6a45f8fa369e9f332aa2c350b6792 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:41:01 -0800
Subject: [PATCH 13/17] Try allowing 6001/6002

---
 hosts/glyph/services/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 87ad5a3..463c4b7 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -37,6 +37,10 @@
 1900 # ssdp / Bonjour
 ];
 allowedUDPPortRanges = [
+ {
+ from = 6001;
+ to = 6002;
+ }
 # Bonjour
 {
 from = 5350;
From 1c5ba1fcd6c0d18a64f44d0deb384d4b784f6b92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:44:17 -0800
Subject: [PATCH 14/17] Revert "Try opening port 7000"

This reverts commit 9d3d2253dfb423a10a8c11e63190e3389e78b8fb.

---
 hosts/glyph/services/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 463c4b7..41b50e7 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -29,7 +29,6 @@
 allowedTCPPorts = [
 554 # AirPlay streaming
 3689 # Digital Audio Access Protocol (DAAP)
- 7000 # AirPlay control
 55002 # Roon ARC
 ];
 allowedUDPPorts = [
From 79b2281b1a2f1196cc28f1225e17da86b61667ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:46:11 -0800
Subject: [PATCH 15/17] Revert changes to iptables config

---
 hosts/glyph/services/default.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 41b50e7..914318a 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -53,9 +53,8 @@
 ];
 # Dynamically allocated ports for Roon Bridge opened for local network
 extraCommands = ''
- iptables -A INPUT -p tcp --match multiport --dports 30000:65535 -s 192.168.4.0/24 -j ACCEPT
- iptables -A INPUT -p udp --match multiport --dports 30000:65535 -s 192.168.4.0/24 -j ACCEPT
- iptables -A INPUT -p tcp --match multiport --dports 40000:65535 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A nixos-fw -p tcp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
+ iptables -A nixos-fw -p udp --dport 30000:65535 -s 192.168.4.0/24 -j nixos-fw-accept
 '';
 };
 services.tailscale = {
From deddbe5cfebc224a685df28a7ddd3c3e621e2e28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:47:14 -0800
Subject: [PATCH 16/17] Revert changes to avahi config

---
 hosts/glyph/services/avahi.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hosts/glyph/services/avahi.nix b/hosts/glyph/services/avahi.nix
index 13a5c5d..006204d 100644
--- a/hosts/glyph/services/avahi.nix
+++ b/hosts/glyph/services/avahi.nix
@@ -6,13 +6,11 @@
 services.avahi = {
 enable = true;
 nssmdns4 = true;
- reflector = true;
 publish = {
 enable = true;
 userServices = true;
 workstation = true;
 };
- allowInterfaces = ["enp5s0"];
 extraServiceFiles = {
 smb = ''
From fec346974f469c6ce91bf499bc830af5cc21da3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Mon, 29 Dec 2025 11:47:56 -0800
Subject: [PATCH 17/17] Add comment

---
 hosts/glyph/services/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 914318a..9e65e50 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -36,6 +36,7 @@
 1900 # ssdp / Bonjour
 ];
 allowedUDPPortRanges = [
+ # Apple Airplay
 {
 from = 6001;
 to = 6002;
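Review bot: Reverting the file does not revert the running ruleset: the `-A INPUT` rules appended by patches 04 through 10 live outside the chains the NixOS firewall module flushes, so on a host that was rebuilt through those intermediate commits they may still be present, possibly several times over, after this commit is applied. Before trusting that the file reflects the active policy, check `iptables -S INPUT` on the target and remove any leftover `-A INPUT ... -j ACCEPT` entries (or reboot, which clears them). The restored rules also expose the whole 30000–65535 range on both protocols to the LAN; a comment pointing at where Roon documents that range would make the width easier to justify when this is revisited.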