Remove implicit reliance on temp iptables rules. All externally
accessible ports are now declared in NixOS config.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

rift: sysctl to allow rootless containers to bind port 53, open
firewall for DNS queries from LAN clients.
vade: point nameservers at rift (LAN + Tailscale) for internal
service resolution via CoreDNS (MCNS precursor). Falls back to
1.1.1.1/8.8.8.8 via systemd-resolved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
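As an added example (not the repository's own configuration), here are the NixOS options the two commits describe, collected into one attribute set with one module per host. The hostnames rift and vade come from the commit messages; the LAN interface name enp1s0, the container runtime, and the two addresses used for rift are assumptions.

```nix
# Added example, not the repository's configuration. One module per host;
# hostnames are from the commit messages, interface names and addresses
# are assumed placeholders.
{
  # rift: runs CoreDNS in a rootless container and answers DNS for the LAN.
  rift = { config, pkgs, ... }: {
    # Let an unprivileged process (the rootless container runtime) bind
    # port 53. Caveat: this lowers the privileged-port floor for every
    # user on the host, so 53..1023 (80, 443, ...) also become bindable
    # without root. Granting CAP_NET_BIND_SERVICE to the runtime alone
    # would be narrower.
    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;

    # Accept DNS only on the LAN interface (assumed name), never on the
    # default-route interface, so the resolver cannot be reached from
    # the WAN and used for reflection or amplification.
    networking.firewall.interfaces."enp1s0" = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];   # TCP fallback for truncated answers
    };
  };

  # vade: resolve internal names via rift, public resolvers as fallback.
  vade = { config, pkgs, ... }: {
    # networking.nameservers becomes resolved's global DNS= list.
    networking.nameservers = [
      "192.168.1.10"   # rift, LAN address (assumed)
      "100.64.0.10"    # rift, Tailscale address (assumed)
    ];
    services.resolved = {
      enable = true;
      fallbackDns = [ "1.1.1.1" "8.8.8.8" ];
    };
  };
}
```

Two things to check after applying this. First, confirm the sysctl did what was intended and nothing more: `sysctl net.ipv4.ip_unprivileged_port_start` on rift should print 53, and `ss -ulnp | grep :53` should show the container runtime, not a root process. Second, note how systemd-resolved treats `fallbackDns`: it consults FallbackDNS only when it knows of no other DNS server at all, so with `networking.nameservers` set the public resolvers are used when no nameserver is configured, not as a failover when rift is unreachable. If failover on outage is the requirement, that needs a different mechanism than FallbackDNS.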