From 1c766615386b115d253c861dfc3f64c0500f39bc Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Thu, 19 Mar 2026 22:14:18 +0100
Subject: [PATCH] feat(network): route tailscale dns through adguard

- Configure Headscale to use the VPS Tailscale IP (100.64.0.3) as the global DNS server instead of external providers.
- Add firewall rules to allow DNS requests over the `tailscale0` interface.
- Add iptables PREROUTING rules to redirect standard DNS (port 53) from Tailscale clients to AdGuard Home (port 5353) to resolve port conflicts with `aardvark-dns`.
---
 modules/adguard.nix | 16 ++++++++++++++++
 modules/headscale.nix | 3 +--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/modules/adguard.nix b/modules/adguard.nix
index a4920a9..0e3aacb 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -159,6 +159,22 @@ in
 networking.firewall.allowedTCPPorts = [ 853 ];
 networking.firewall.allowedUDPPorts = [ 853 ];
 
+ # Allow Tailscale DNS requests
+ networking.firewall.interfaces."tailscale0" = {
+ allowedTCPPorts = [ 53 5353 ];
+ allowedUDPPorts = [ 53 5353 ];
+ };
+
+ # Redirect standard DNS port 53 to AdGuard Home's 5353 for Tailscale clients
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353
+ iptables -t nat -A PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353
+ '';
+ networking.firewall.extraStopCommands = ''
+ iptables -t nat -D PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353 || true
+ iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
+ '';
+
 # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
 services.nginx.virtualHosts."${cfg.domain}" = {
 enableACME = true;
diff --git a/modules/headscale.nix b/modules/headscale.nix
index 704fc5c..f9a2275 100644
--- a/modules/headscale.nix
+++ b/modules/headscale.nix
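Review bot: The two `iptables -t nat -A PREROUTING` lines in `extraCommands` append unconditionally, so any run of extraCommands that is not preceded by a successful extraStopCommands (a reload after a failed stop, a manual re-run) leaves duplicate REDIRECT entries in the nat table; guarding each append with a check, `iptables -t nat -C PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353 || iptables -t nat -A PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353` (and the same for tcp), makes the block idempotent. The rules are IPv4-only, so a peer that reaches this node over its tailnet IPv6 address would have its plain port-53 queries dropped rather than redirected — probably moot while Headscale hands out only 100.64.0.3, but a comment saying so would stop the next person from wondering. Since REDIRECT rewrites the destination port in nat PREROUTING before filter INPUT sees the packet, allowing 53 in the per-interface list looks redundant and could be dropped to keep the exposed listener surface on tailscale0 to 5353 only. These extraCommands/extraStopCommands options are specific to the iptables backend of the NixOS firewall; if the nftables backend is enabled elsewhere in the configuration they would need a translation, which I cannot see from this hunk.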
@@ -105,8 +105,7 @@ in
 domains = [ ];
 nameservers = {
 global = [
- "https://dns.mullvad.net/dns-query"
- "https://dns.quad9.net/dns-query"
+ "100.64.0.3"
 ];
 };
 override_local_dns = true;
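Review bot: The new `global` entry is a bare literal `"100.64.0.3"` with nothing saying which node it is or why, and with `override_local_dns = true` every tailnet client now depends on that single AdGuard instance with no fallback; a comment such as `# Tailscale IP of the VPS running AdGuard Home (modules/adguard.nix); sole resolver for the tailnet, no fallback` would make that explicit. This also replaces two DoH upstreams with plain DNS: the client-to-VPS leg still travels inside the WireGuard tunnel, but whether queries leave the VPS encrypted now depends entirely on AdGuard's own upstream configuration, which is not part of this change — worth confirming AdGuard still forwards to DoH/DoT upstreams so this is not a quiet downgrade from the previous setup. The address is one Headscale allocates from its IP prefix, so re-registering the VPS node could change it; deriving it from a single shared option rather than repeating the literal here and in the commit message would reduce the chance of the two drifting apart.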