Fix DNS routing: override Tailscale catch-all for mcp.metacircular.net

hw/vade/default.nix

@@ -41,13 +41,33 @@
   ];
 
   # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
-  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
+  # Tailscale sets ~. (catch-all) on tailscale0, which overrides global
-  # while DHCP/Tailscale DNS handles everything else.
+  # domain routing. We need a per-link override that takes priority.
+  # This systemd service runs after tailscale and adds the routing domain
+  # to a virtual interface that points at rift's CoreDNS.
   networking.nameservers = [
     "192.168.88.181"
     "100.95.252.120"
   ];
-  services.resolved.domains = [
+
-    "~mcp.metacircular.net"
+  systemd.services.mcp-dns-route = {
-  ];
+    description = "Route mcp.metacircular.net DNS to rift CoreDNS";
+    after = [ "network-online.target" "tailscaled.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    # Tailscale sets ~. (catch-all) on tailscale0, overriding all other
+    # DNS routing. We replace it with specific routes: Tailscale names
+    # stay on Tailscale DNS, and mcp.metacircular.net goes to rift's
+    # CoreDNS (via the Tailscale overlay).
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      # Add rift's CoreDNS alongside Tailscale's DNS on the tailscale0 link
+      ${pkgs.systemd}/bin/resolvectl dns tailscale0 100.100.100.100 100.95.252.120
+      # Replace ~. with specific routing domains
+      ${pkgs.systemd}/bin/resolvectl domain tailscale0 ~scylla-hammerhead.ts.net ~mcp.metacircular.net
+    '';
+  };
 }