feat(network): route tailscale dns through adguard

- Configure Headscale to use the VPS Tailscale IP (100.64.0.3) as the global DNS server instead of external providers. - Add firewall rules to allow DNS requests over the `tailscale0` interface. - Add iptables PREROUTING rules to redirect standard DNS (port 53) from Tailscale clients to AdGuard Home (port 5353) to resolve port conflicts with `aardvark-dns`.
2026-03-19 22:14:18 +01:00 · 2026-03-19 22:14:18 +01:00 · 1c76661538
commit 1c76661538
parent 4925420fdc
2 changed files with 17 additions and 2 deletions
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@ -159,6 +159,22 @@ in
    networking.firewall.allowedTCPPorts = [ 853 ];
    networking.firewall.allowedUDPPorts = [ 853 ];

+    # Allow Tailscale DNS requests
+    networking.firewall.interfaces."tailscale0" = {
+      allowedTCPPorts = [ 53 5353 ];
+      allowedUDPPorts = [ 53 5353 ];
+    };
+
+    # Redirect standard DNS port 53 to AdGuard Home's 5353 for Tailscale clients
+    networking.firewall.extraCommands = ''
+      iptables -t nat -A PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353
+      iptables -t nat -A PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353
+    '';
+    networking.firewall.extraStopCommands = ''
+      iptables -t nat -D PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353 || true
+      iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
+    '';
+
    # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
    services.nginx.virtualHosts."${cfg.domain}" = {
      enableACME = true;
--- a/modules/headscale.nix
+++ b/modules/headscale.nix
@ -105,8 +105,7 @@ in
          domains = [ ];
          nameservers = {
            global = [
-              "https://dns.mullvad.net/dns-query"
-              "https://dns.quad9.net/dns-query"
+              "100.64.0.3"
            ];
          };
          override_local_dns = true;