feat(network): route tailscale dns through adguard

- Configure Headscale to use the VPS Tailscale IP (100.64.0.3) as the global DNS server instead of external providers.

- Add firewall rules to allow DNS requests over the `tailscale0` interface.

- Add iptables PREROUTING rules to redirect standard DNS (port 53) from Tailscale clients to AdGuard Home (port 5353) to resolve port conflicts with `aardvark-dns`.

modules/adguard.nix

@@ -159,6 +159,22 @@ in
     networking.firewall.allowedTCPPorts = [ 853 ];
     networking.firewall.allowedUDPPorts = [ 853 ];
 
+    # Allow Tailscale DNS requests
+    networking.firewall.interfaces."tailscale0" = {
+      allowedTCPPorts = [ 53 5353 ];
+      allowedUDPPorts = [ 53 5353 ];
+    };
+
+    # Redirect standard DNS port 53 to AdGuard Home's 5353 for Tailscale clients
+    networking.firewall.extraCommands = ''
+      iptables -t nat -A PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353
+      iptables -t nat -A PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353
+    '';
+    networking.firewall.extraStopCommands = ''
+      iptables -t nat -D PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353 || true
+      iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
+    '';
+
     # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
     services.nginx.virtualHosts."${cfg.domain}" = {
       enableACME = true;

modules/headscale.nix

@@ -105,8 +105,7 @@ in
           domains = [ ];
           nameservers = {
             global = [
-              "https://dns.mullvad.net/dns-query"
-              "https://dns.quad9.net/dns-query"
+              "100.64.0.3"
             ];
           };
           override_local_dns = true;