Route DNS based on service visibility flags

Replace wildcard DNS with dynamic service-based routing that reads from shared/services.nix. Public services (forgejo, vaultwarden, nextcloud) point to trantor's public IP for external access, while private services (kanidm, jellyfin) point to tailscale IPs for internal-only access. This provides granular control over service exposure without manual DNS management. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-09 11:20:21 -03:00 · 2025-11-09 11:20:21 -03:00 · ad9d565a8f
commit ad9d565a8f
parent 878c4aa3ea
2 changed files with 49 additions and 27 deletions
--- a/shared/services.nix
+++ b/shared/services.nix
@ -8,7 +8,6 @@
      name = "kanidm";
      domain = "auth.baduhai.dev";
      host = "alexandria";
-      public = false;
      lanIP = "192.168.15.142";
      tailscaleIP = "100.76.19.50";
      port = 8443;
@ -43,7 +42,6 @@
      name = "jellyfin";
      domain = "jellyfin.baduhai.dev";
      host = "alexandria";
-      public = false;
      lanIP = "192.168.15.142";
      tailscaleIP = "100.76.19.50";
      port = 8096;