Split DNS servers: alexandria for LAN, trantor for tailnet

Alexandria's unbound now only serves LAN clients (192.168.0.0/16) and
returns LAN IPs for service domains.

Created new unbound instance on trantor to serve Tailscale clients
(100.64.0.0/10) and return tailscale IPs for service domains.

Both configurations pull service records from shared/services.nix.

hosts/alexandria/unbound.nix

@@ -1,13 +1,10 @@
-{ config, inputs, lib, ... }:
+{ inputs, lib, ... }:
 
 let
   utils = import ../../utils.nix { inherit inputs lib; };
-  inherit (utils) mkSplitDNS;
 in
 
 {
-  imports = [ ../modules/split-dns.nix ];
-
   services.unbound = {
     enable = true;
     enableRootTrustAnchor = true;
@@ -20,16 +17,7 @@ in
         access-control = [
           "127.0.0.0/8 allow"
           "192.168.0.0/16 allow"
-          "100.64.0.0/10 allow" # Tailscale CGNAT range
           "::1/128 allow"
-          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
-        ];
-
-        # Enable views for split DNS
-        access-control-view = [
-          "100.64.0.0/10 tailscale"
-          "fd7a:115c:a1e0::/48 tailscale"
-          "192.168.0.0/16 lan"
         ];
 
         num-threads = 2;
@@ -43,9 +31,12 @@ in
         hide-version = true;
         so-rcvbuf = "1m";
         so-sndbuf = "1m";
+
+        # LAN-only DNS records
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
+          (lib.filter (e: e ? lanIP) utils.services);
       };
-      # Split DNS views - automatically collected from all service files
-      view = mkSplitDNS config.services.splitDNS.entries;
 
       forward-zone = [
         {

hosts/trantor/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "100.64.0.0/10 allow" # Tailscale CGNAT range
+          "::1/128 allow"
+          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # Tailnet DNS records from shared services
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

nixosConfigurations.nix

@@ -40,7 +40,6 @@ in
       tags = [
         # "server" TODO: uncomment when 25.11 is out.
         "fwupd"
-        "podman"
       ];
     };