From eecb3973b1a211d22e925d200b817607a0ba28d6 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 19:19:02 -0700
Subject: [PATCH] rift: allow port 53 for CoreDNS, vade: use rift as DNS
rift: sysctl to allow rootless containers to bind port 53, open firewall for DNS queries from LAN clients.
vade: point nameservers at rift (LAN + Tailscale) for internal service resolution via CoreDNS (MCNS precursor). Falls back to 1.1.1.1/8.8.8.8 via systemd-resolved.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
hw/rift/default.nix | 6 ++++++
hw/vade/default.nix | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/hw/rift/default.nix b/hw/rift/default.nix
index 25237e8..30d3b5d 100644
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -7,5 +7,11 @@
 ];
 config = {
+ # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
+ boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
+
+ # Open DNS port for LAN clients querying CoreDNS.
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
 };
 }
diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index bd90145..4430184 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -38,4 +38,10 @@
 Driver "libinput"
 ''
 ];
+
+ # Use rift's CoreDNS (MCNS precursor) for internal service resolution.
+ networking.nameservers = [
+ "192.168.88.181"
+ "100.95.252.120"
+ ];
 }
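Review bot: `net.ipv4.ip_unprivileged_port_start = 53` lowers the privileged-port floor for every unprivileged process on rift, not just the Podman container, so any local user or compromised service can now bind 53–1023 (80, 443, 25, or 22 while sshd restarts), and despite the `ipv4` name this knob applies to IPv6 sockets as well. Prefer giving only CoreDNS the port — keep it on an unprivileged port and add a NAT redirect from 53 in the firewall's extra rules, or grant the unit that runs it `CAP_NET_BIND_SERVICE` — and if the sysctl must stay, the comment should state its reach: `# NOTE: host-wide — every unprivileged process on this host may now bind ports >= 53.` The `allowedTCPPorts`/`allowedUDPPorts` entries open 53 on every interface while the comment intends LAN clients only; scope them with `networking.firewall.interfaces.<lan-if>.allowedUDPPorts = [ 53 ];` (likewise for TCP and for `tailscale0`, since vade also queries rift's Tailscale address). If CoreDNS forwards to upstream resolvers, an unscoped 53 on any non-LAN interface makes rift an open recursive resolver usable for reflection/amplification — worth confirming against the CoreDNS config, which is not in this hunk.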
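Review bot: The commit message says vade falls back to 1.1.1.1/8.8.8.8 via systemd-resolved, but resolved only consults `FallbackDNS=` when no DNS server is configured at all; with these two addresses in `DNS=`, an unreachable rift means lookups fail rather than fall back, so either the message or the setup needs adjusting (resolved's configuration is not visible in this hunk). The two literals also give no indication of what they are; annotate them so the next reader can tell the LAN address from the Tailscale one and knows the second only works while tailscaled is up: `"192.168.88.181" # rift, LAN` and `"100.95.252.120" # rift via Tailscale (needs tailscaled up)`. Pointing all of vade's resolution at rift makes rift's CoreDNS the single point of control for every name vade resolves, over plaintext UDP on the LAN path — acceptable for an internal resolver, but worth stating in the comment. The enclosing module attribute set starts outside the hunk.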