From 8c9d8f4ff525e0e518197cd241633df94dde327b Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 26 Mar 2026 21:32:15 -0700
Subject: [PATCH] Fix DNS: restore Tailscale catch-all removal service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous commit removed the systemd service that stripped Tailscale's ~. DNS catch-all, breaking all DNS resolution — even when Tailscale is disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0 to only route ~scylla-hammerhead.ts.net queries.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 hw/vade/default.nix | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index 9848e0c..c00b67a 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -40,11 +40,7 @@
 ''
 ];
 
- # Internal Metacircular service addresses. Tailscale's MagicDNS intercepts
- # *.mcp.metacircular.net queries (via its ~. catch-all on tailscale0) and
- # returns wrong IPs. Static /etc/hosts entries bypass DNS entirely.
- # When MCNS becomes a full service with proper DNS integration, this can
- # be replaced with split-horizon DNS configuration.
+ # Internal Metacircular service addresses via /etc/hosts.
 networking.hosts = {
 "100.95.252.120" = [
 "metacrypt.svc.mcp.metacircular.net"
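Review bot: The one-line replacement comment drops the reason these addresses are pinned in /etc/hosts (Tailscale MagicDNS answering *.mcp.metacircular.net with wrong IPs) and the note that the pins are interim until MCNS offers proper DNS; with the catch-all handling now in a separate unit, a reader of this block can no longer tell why these names bypass DNS at all, nor that a stale pin keeps pointing at the old address if a service moves. Suggest keeping that context in place of the new line: `# Internal Metacircular service addresses, pinned in /etc/hosts because Tailscale MagicDNS answers *.mcp.metacircular.net with wrong IPs; revisit once MCNS provides split-horizon DNS.`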
@@ -53,4 +49,21 @@
 "rift.mcp.metacircular.net"
 ];
 };
+
+ # Tailscale sets ~. (catch-all) on tailscale0, which hijacks all DNS
+ # queries — even when Tailscale is disconnected. Replace it with a
+ # specific routing domain so normal DNS resolution works.
+ systemd.services.fix-tailscale-dns = {
+ description = "Remove Tailscale DNS catch-all routing";
+ after = [ "network-online.target" "tailscaled.service" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ ${pkgs.systemd}/bin/resolvectl domain tailscale0 ~scylla-hammerhead.ts.net
+ '';
+ };
 }
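Review bot: The `resolvectl domain tailscale0 ~scylla-hammerhead.ts.net` line runs once at boot, ordered after tailscaled.service has started but not after tailscaled has actually pushed its resolved settings, so the ~. catch-all this unit exists to remove can land after the oneshot has already exited — and if tailscaled re-applies DNS on later reconnects (plausible, given the "even when disconnected" symptom in the commit message), the fix is silently undone with nothing in the journal to show it. The unit also only orders after tailscaled.service without wanting or binding to it, so on a boot where tailscaled is slow or disabled tailscale0 does not exist yet and resolvectl fails the unit. Consider `partOf = [ "tailscaled.service" ];` so the script re-runs on every tailscaled restart, and log the resulting state with a second line `${pkgs.systemd}/bin/resolvectl domain tailscale0` so a re-applied catch-all is visible in the journal. A tailscaled-side configuration that keeps it from claiming ~. in the first place would be more robust than undoing it afterwards, if the deployment allows. `${pkgs.systemd}` also needs `pkgs` in the module's argument set, and the enclosing attribute set opens outside this hunk.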