Split DNS servers: alexandria for LAN, trantor for tailnet

Alexandria's unbound now only serves LAN clients (192.168.0.0/16) and returns LAN IPs for service domains. Created new unbound instance on trantor to serve Tailscale clients (100.64.0.0/10) and return tailscale IPs for service domains. Both configurations pull service records from shared/services.nix.
2025-11-08 21:35:53 -03:00 · 2025-11-08 21:35:53 -03:00 · ee1a7c4d18
commit ee1a7c4d18
parent 8d8847e2fb
3 changed files with 64 additions and 16 deletions
--- a/hosts/alexandria/unbound.nix
+++ b/hosts/alexandria/unbound.nix
@ -1,13 +1,10 @@
-{ config, inputs, lib, ... }:
+{ inputs, lib, ... }:

 let
  utils = import ../../utils.nix { inherit inputs lib; };
-  inherit (utils) mkSplitDNS;
 in

 {
-  imports = [ ../modules/split-dns.nix ];
-
  services.unbound = {
    enable = true;
    enableRootTrustAnchor = true;
@ -20,16 +17,7 @@ in
        access-control = [
          "127.0.0.0/8 allow"
          "192.168.0.0/16 allow"
-          "100.64.0.0/10 allow" # Tailscale CGNAT range
          "::1/128 allow"
-          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
-        ];
-
-        # Enable views for split DNS
-        access-control-view = [
-          "100.64.0.0/10 tailscale"
-          "fd7a:115c:a1e0::/48 tailscale"
-          "192.168.0.0/16 lan"
        ];

        num-threads = 2;
@ -43,9 +31,12 @@ in
        hide-version = true;
        so-rcvbuf = "1m";
        so-sndbuf = "1m";
+
+        # LAN-only DNS records
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
+          (lib.filter (e: e ? lanIP) utils.services);
      };
-      # Split DNS views - automatically collected from all service files
-      view = mkSplitDNS config.services.splitDNS.entries;

      forward-zone = [
        {