Fix DNS: restore Tailscale catch-all removal service

The previous commit removed the systemd service that stripped Tailscale's ~. DNS catch-all, breaking all DNS resolution — even when Tailscale is disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0 to only route ~scylla-hammerhead.ts.net queries. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 21:32:15 -07:00
parent 0e54bd5fe7
commit 8c9d8f4ff5
1 changed files with 18 additions and 5 deletions
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -40,11 +40,7 @@
    ''
  ];

-  # Internal Metacircular service addresses. Tailscale's MagicDNS intercepts
-  # *.mcp.metacircular.net queries (via its ~. catch-all on tailscale0) and
-  # returns wrong IPs. Static /etc/hosts entries bypass DNS entirely.
-  # When MCNS becomes a full service with proper DNS integration, this can
-  # be replaced with split-horizon DNS configuration.
+  # Internal Metacircular service addresses via /etc/hosts.
  networking.hosts = {
    "100.95.252.120" = [
      "metacrypt.svc.mcp.metacircular.net"
@@ -53,4 +49,21 @@
      "rift.mcp.metacircular.net"
    ];
  };
+
+  # Tailscale sets ~. (catch-all) on tailscale0, which hijacks all DNS
+  # queries — even when Tailscale is disconnected. Replace it with a
+  # specific routing domain so normal DNS resolution works.
+  systemd.services.fix-tailscale-dns = {
+    description = "Remove Tailscale DNS catch-all routing";
+    after = [ "network-online.target" "tailscaled.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.systemd}/bin/resolvectl domain tailscale0 ~scylla-hammerhead.ts.net
+    '';
+  };
 }