All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after
MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net)
fail but external DNS (google.com, github.com, etc.) keeps working.
Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
caused total DNS blackout including external services, forcing
Tailscale to be disabled to restore any DNS resolution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Install mciasctl, mciasgrpcctl, mcrctl, and mcproxyctl via new
configs/mcpkg.nix module. Adds flake inputs for mcias, mcr, and
mc-proxy from git.wntrmute.dev.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove implicit reliance on temp iptables rules. All externally
accessible ports are now declared in NixOS config.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

rift: sysctl to allow rootless containers to bind port 53, open
firewall for DNS queries from LAN clients.
vade: point nameservers at rift (LAN + Tailscale) for internal
service resolution via CoreDNS (MCNS precursor). Falls back to
1.1.1.1/8.8.8.8 via systemd-resolved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
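
The nameserver ordering described in the first and last commit messages above can be checked mechanically. This is an added example, not code from these commits or the repository: it audits a resolv.conf-style file for "internal resolver first, 1.1.1.1/8.8.8.8 fallback within the entries glibc actually reads". The 192.0.2.53 and 198.51.100.53 addresses and the sample files are constructed placeholders, and that a node exposes its nameserver list in this format is an assumption.

```python
import ipaddress

GLIBC_MAXNS = 3  # glibc's stub resolver uses only the first three nameserver lines
PUBLIC_FALLBACKS = {"1.1.1.1", "8.8.8.8"}  # fallbacks named in the commit messages


def parse_nameservers(text):
    """Return nameserver addresses in file order, skipping comments and bad lines."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # not an IP literal; a stub resolver would not use it
    return servers


def audit(text, internal):
    """Return a list of findings; an empty list means the ordering is as intended."""
    servers = parse_nameservers(text)
    effective = servers[:GLIBC_MAXNS]
    findings = []
    if not effective or effective[0] != internal:
        findings.append("internal resolver is not first")
    if not any(s in PUBLIC_FALLBACKS for s in effective):
        findings.append("no public fallback within the first %d entries" % GLIBC_MAXNS)
    for s in servers[GLIBC_MAXNS:]:
        findings.append("%s is listed but ignored by glibc (beyond entry %d)" % (s, GLIBC_MAXNS))
    return findings


# Constructed samples; 192.0.2.53 and 198.51.100.53 stand in for the internal resolver.
INTERNAL = "192.0.2.53"
GOOD = "# constructed\nnameserver 192.0.2.53\nnameserver 1.1.1.1\nnameserver 8.8.8.8\n"
NO_FALLBACK = "nameserver 192.0.2.53\n"
TOO_MANY = ("nameserver 192.0.2.53\nnameserver 198.51.100.53\n"
            "nameserver 1.1.1.1\nnameserver 8.8.8.8\n")
SWAPPED = "nameserver 1.1.1.1\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("no_fallback", NO_FALLBACK),
                         ("too_many", TOO_MANY), ("swapped", SWAPPED)]:
        print(name, audit(sample, INTERNAL) or "ok")
```

The `NO_FALLBACK` case is the pre-incident state the first commit message describes; `TOO_MANY` shows how a fourth entry silently drops out when the file is read by glibc directly.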