From ad55793d414d32c0f9a150cf908a827ed9051b41 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Sat, 21 Mar 2026 19:52:13 +0000
Subject: [PATCH] fix(netdata): add firewall rule for direct Tailscale access

Co-Authored-By: Claude Opus 4.6
---
 modules/netdata.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/netdata.nix b/modules/netdata.nix
index 7e3738c..1e2b6b7 100644
--- a/modules/netdata.nix
+++ b/modules/netdata.nix
@@ -53,6 +53,11 @@ in
 internalOnly = true;
 contentSecurityPolicy = null; # Netdata dashboard has its own CSP requirements, cannot be overridden
 };
+
+ # Allow direct Tailscale access to Netdata port
+ networking.firewall.extraCommands = lib.mkAfter ''
+ iptables -I INPUT 1 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
+ '';
 };
 }
\ No newline at end of file
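Review bot: The added `iptables -I INPUT 1 ... -s 100.64.0.0/10 -j ACCEPT` rule matches on source address only, so it accepts any packet with a source in that range on any interface, not just traffic arriving over Tailscale; 100.64.0.0/10 is the shared carrier-grade NAT range and can legitimately appear on other links. Scoping by interface is tighter and stays declarative: `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ cfg.port ];` (assuming the default Tailscale interface name), which also covers IPv6 and does not depend on the iptables backend. If the raw rule is kept, add `-i tailscale0` and a matching delete in `networking.firewall.extraStopCommands`, because a rule inserted directly into `INPUT` is probably not removed on firewall reload and would pile up as duplicates. The enclosing block starts outside the hunk, so I cannot confirm how this interacts with `internalOnly = true` just above; a comment saying that direct access deliberately bypasses that path would help the next reader.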