From 3ad59a986abacbd36a4e80893f9da4a0a487e603 Mon Sep 17 00:00:00 2001
From: David Crompton <davidcrompton@duck.com>
Date: Wed, 11 Feb 2026 22:20:03 -0500
Subject: [PATCH] hippocampus: perfect pitch: net tun device

---
 machines/hippocampus/servers/public/perfect_pitch.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/machines/hippocampus/servers/public/perfect_pitch.nix b/machines/hippocampus/servers/public/perfect_pitch.nix
index 88879e5..d649349 100644
--- a/machines/hippocampus/servers/public/perfect_pitch.nix
+++ b/machines/hippocampus/servers/public/perfect_pitch.nix
@@ -10,7 +10,7 @@
     };
     script = ''
       exec ${config.systemd.package}/bin/systemd-nspawn --hostname perfectpitch \
-        --resolv-conf=off --system-call-filter="add_key keyctl bpf" --bind /dev/fuse \
+        --resolv-conf=off --system-call-filter="add_key keyctl bpf" --bind /dev/fuse --bind /dev/net/tun \
         -nbD /var/lib/machines/perfectpitch --machine perfectpitch
     '';
     postStart = ''
@@ -22,7 +22,10 @@
       Type = "notify";
       Slice = "machine.slice";
       Delegate = true;
-      DeviceAllow = "/dev/fuse rwm";
+      DeviceAllow = [
+        "/dev/fuse rwm"
+        "/dev/net/tun rwm"
+      ];
     };
   };
   networking.nat = {