Fix DNS: restore Tailscale catch-all removal service

The previous commit removed the systemd service that stripped Tailscale's
~. DNS catch-all, breaking all DNS resolution — even when Tailscale is
disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0
to only route ~scylla-hammerhead.ts.net queries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hw/vade/default.nix

@@ -40,11 +40,7 @@
     ''
   ];
 
-  # Internal Metacircular service addresses. Tailscale's MagicDNS intercepts
+  # Internal Metacircular service addresses via /etc/hosts.
-  # *.mcp.metacircular.net queries (via its ~. catch-all on tailscale0) and
-  # returns wrong IPs. Static /etc/hosts entries bypass DNS entirely.
-  # When MCNS becomes a full service with proper DNS integration, this can
-  # be replaced with split-horizon DNS configuration.
   networking.hosts = {
     "100.95.252.120" = [
       "metacrypt.svc.mcp.metacircular.net"
@@ -53,4 +49,21 @@
       "rift.mcp.metacircular.net"
     ];
   };
+
+  # Tailscale sets ~. (catch-all) on tailscale0, which hijacks all DNS
+  # queries — even when Tailscale is disconnected. Replace it with a
+  # specific routing domain so normal DNS resolution works.
+  systemd.services.fix-tailscale-dns = {
+    description = "Remove Tailscale DNS catch-all routing";
+    after = [ "network-online.target" "tailscaled.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.systemd}/bin/resolvectl domain tailscale0 ~scylla-hammerhead.ts.net
+    '';
+  };
 }