Why can't I connect to a nixos-container service from another [non-container] service on the same host?

Basically I’m trying to get my [non-container] traefik reverse proxy wired up to an uptime-kuma containerized service… I can get it to work when uptime-kuma is not in a container by pointing it towards localhost, but am really struggling with the limited guidance I can find on the wiki, googling etc to connect to it when its in a [nixos systemd-nspawn] container.

Here is my current config for the service:

{ 
  config, 
  configVars,
  pkgs, 
  lib,
  ... 
}:

let
  app = "uptime-kuma";
  appContainerIp = "172.21.1.3";
in

{

  containers.${app} = {
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;
    hostAddress = "${configVars.aspenIp}";
    localAddress = "${appContainerIp}";
    #forwardPorts = [ # I don't think port forwarding should be necessary but doesn't work regardless.
    #{
    #  containerPort = 3001;
    #  hostPort = 3001;
    #  protocol = "tcp";
    #}
    #];
    config = {config, pkgs, lib, ...}: {
      services = {
        ${app}.enable = true;
        resolved = {
          enable = true; # use systemd-resolved for DNS functionality inside container
          llmnr = "false"; # disable link-local multicast name resolution inside container
        };
      };
      networking = {
        firewall = {
          enable = true;
          allowedTCPPorts = [ 3001 ];
        };
        useHostResolvConf = lib.mkForce false; # use systemd-resolved inside the container
      };
      system.stateVersion = "23.11";
    };
  };

  services.traefik.dynamicConfigOptions.http = {
    routers.${app} = {
      entrypoints = ["websecure"];
      rule = "Host(`${app}.${configVars.domain3}`)";
      service = "${app}";
      middlewares = [
        #"authelia" 
        "secure-headers"
      ];
      tls = {
        certResolver = "cloudflareDns";
        options = "tls-13@file";
      };
    };
    services.${app} = {
      loadBalancer = {
        passHostHeader = true;
        servers = [
        {
          #url = "http://localhost:3001"; # only works when uptime-kuma is not running in a container
          #url = "${appContainerIp}:3001"; # 404 not found error in the traefik access log
          url = "http://${appContainerIp}:3001"; # what I think should work from reading the wiki page but 502 bad gateway error in the traefik access log
          #url = "http://${appContainerIp}:3001"; # something chatGPT reccomended but 502 bad gateway error in the traefik access log
        }
        ];
      };
    };
  };

}

Here is my networking config for the host:

{ 
  lib, 
  config, 
  pkgs, 
  ... 
}: 

{

  services.resolved = {
    enable = true; # use systemd-resolved for DNS functionality
    llmnr = "false"; # disable link-local multicast name resolution
  };

  networking = {
    useDHCP = false; # disable defaut dhcpcd networking backend in favor of systemd-networkd enabled below
    hostName = "aspen";
    firewall = {
      enable = false;
    };
    nat = { # allow specific nixos-containers to reach outside network
      enable = true;
      internalInterfaces = ["ve-uptime-kuma"];
      externalInterface = "enp0s3";
      enableIPv6 = false;
    };
  };

  systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; # for wait-online error - need to find proper solution
  systemd.network = {
    enable = true;
    #wait-online.anyInterface = true; # systemd's wait-online target only requires that at least one managed interface be up instead of all managed interfaces
    networks = {
      "05-loopback" = {
        matchConfig.Name = "lo";
        linkConfig.RequiredForOnline = "no";
      };    
      "10-ethernet" = {
        matchConfig.Name = "enp0s3";
        networkConfig.DHCP = "ipv4";
        dhcpV4Config.RouteMetric = 300;
        dhcpV6Config.RouteMetric = 300;
        linkConfig.RequiredForOnline = "no";
      };    
    };
  };
}

It’s been a while for me, but don’t you need host-level network interface configuration? Checkout the options in https://nixos.org/manual/nixos/stable/options#opt-networking.bridges NixOS Manual

I think you need to define it in the host, and use it in the container config

This thread might have good examples Bridge network for containers - #3 by Juggler