diff --git a/CLAUDE.md b/CLAUDE.md
index 6e75766..f2c0fb4 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -171,10 +171,13 @@ Services are organized by host in `nixos//services/`:
 - **Unfree packages**: Add to allowlist in `nixos/common/global/default.nix`
 ### Testing Changes
-1. Build configuration: `just build `
-2. Check for evaluation errors: `nix flake check`
-3. Review changes before switching
-4. Switch: `just switch ` (local) or `just deploy ` (remote)
+1. **IMPORTANT**: Stage new files with git before building or checking
+ - Nix flakes only evaluate files tracked in git
+ - Run `git add ` for any new files before `nix flake check` or build
+2. Build configuration: `just build `
+3. Check for evaluation errors: `nix flake check`
+4. Review changes before switching
+5. Switch: `just switch ` (local) or `just deploy ` (remote)
 ### Managing Secrets
 - Secrets are encrypted per-host and stored in
@@ -186,6 +189,23 @@ Services are organized by host in `nixos//services/`:
 ## Important Conventions
+### Network IP Allocation
+This infrastructure uses the following IP range scheme to avoid conflicts:
+
+**Allocated Ranges:**
+- `192.168.50.0/24` - Home router/main LAN
+- `10.1.0.0/24` - Internet sharing from fuchsia (Ethernet to printer)
+- `10.2.0.0/24` - Reserved for future internet sharing from another host
+- `10.3.0.0/24` - Reserved for future internet sharing from another host
+- `10.39.179.0/24` - WireGuard VPN on Raspberry Pi
+- `172.17.0.0/16` - Docker default bridge network (viridian)
+
+**Conventions:**
+- Internet connection sharing uses `10.N.0.0/24` where N is 1, 2, 3, etc.
+- Gateway host is always `10.N.0.1`
+- DHCP pools typically use `10.N.0.2` through `10.N.0.10`
+- Keep VPN/tunnel ranges in the `10.30.0.0/16` and higher space
+
 ### Line Length
 Keep all Nix code to a maximum of 100 characters per line for consistency.
diff --git a/nixos/fuchsia/services/default.nix b/nixos/fuchsia/services/default.nix
index b689b8e..28685fc 100644
--- a/nixos/fuchsia/services/default.nix
+++ b/nixos/fuchsia/services/default.nix
@@ -3,6 +3,7 @@
 ./amdgpu-clocks
 ./borgbackup
 ./flatpak
+ ./internet-sharing
 ./libinput
 ./pipewire
 ./printing
diff --git a/nixos/fuchsia/services/internet-sharing/default.nix b/nixos/fuchsia/services/internet-sharing/default.nix
new file mode 100644
index 0000000..b6459a3
--- /dev/null
+++ b/nixos/fuchsia/services/internet-sharing/default.nix
@@ -0,0 +1,76 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ # Internet connection sharing for 3D printer over Ethernet
+ # Shares WiFi connection (wlo1) to Ethernet (enp34s0) using 10.1.0.0/24
+
+ # Enable IP forwarding to route traffic between interfaces
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ networking = {
+ # Tell NetworkManager not to manage the Ethernet interface
+ networkmanager.unmanaged = ["enp34s0"];
+
+ # Configure static IP on Ethernet interface
+ interfaces.enp34s0 = {
+ useDHCP = false;
+ ipv4.addresses = [
+ {
+ address = "10.1.0.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+
+ # Firewall configuration for connection sharing
+ firewall = {
+ # Allow DHCP and DNS traffic on the Ethernet interface
+ interfaces.enp34s0 = {
+ allowedUDPPorts = [
+ 53 # DNS queries
+ 67 # DHCP server
+ ];
+ };
+
+ # Allow traffic forwarding
+ extraCommands = ''
+ # NAT: masquerade traffic from Ethernet going to WiFi
+ iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
+ # Allow forwarding from Ethernet to WiFi
+ iptables -A FORWARD -i enp34s0 -o wlo1 -j ACCEPT
+ # Allow established connections back from WiFi to Ethernet
+ iptables -A FORWARD -i wlo1 -o enp34s0 -m state \
+ --state RELATED,ESTABLISHED -j ACCEPT
+ '';
+ };
+ };
+
+ # DHCP server for automatic IP assignment to printer
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # Only listen on the Ethernet interface
+ interface = "enp34s0";
+ # Bind only to specified interface
+ bind-interfaces = true;
+ # Don't read /etc/resolv.conf
+ no-resolv = true;
+ # DHCP range: 10.1.0.2 through 10.1.0.10, 24h lease
+ dhcp-range = ["10.1.0.2,10.1.0.10,24h"];
+ # Upstream DNS: Pi-hole for ad-blocking and network-wide filtering
+ server = ["192.168.50.249"];
+ # Gateway for DHCP clients
+ dhcp-option = ["option:router,10.1.0.1"];
+ # Static DHCP reservation for 3D printer (BigTreeTech CB1)
+ dhcp-host = [
+ "5a:0a:da:dc:b8:2f,10.1.0.2,bigtreetech-cb1,infinite"
+ ];
+ };
+ };
+}
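Review bot: `"net.ipv6.conf.all.forwarding" = 1;` turns on IPv6 routing between wlo1 and enp34s0 while every rule in `extraCommands` is IPv4-only (`iptables`, no `ip6tables`) and the header comment describes an IPv4 10.1.0.0/24 share, so any IPv6 that reaches the box is forwarded with no filtering at all if the FORWARD policy is ACCEPT (the rest of the firewall setup is outside this diff); drop that line unless IPv6 sharing is intended, and in that case add matching `ip6tables` rules. Raising `forwarding` globally also makes the kernel stop honouring router advertisements on wlo1 unless `accept_ra` is set to 2, which may cost the host its own upstream IPv6. The three `-A` rules have no counterpart in `networking.firewall.extraStopCommands`, so they appear to be re-appended to the built-in chains on every firewall restart rather than replaced; add the matching `iptables -D` lines there, or replace the sysctl and the rules with `networking.nat = { enable = true; externalInterface = "wlo1"; internalInterfaces = [ "enp34s0" ]; };`, which as far as I recall manages the forwarding sysctl and its own chains. dnsmasq also answers DNS over TCP but only UDP 53 is opened on enp34s0, so `allowedTCPPorts = [ 53 ];` next to `allowedUDPPorts` keeps large responses from failing for the printer.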