From de754b0033d192fedcb2dbffeaab243774ff0b77 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:16:28 +0200
Subject: [PATCH] use public domain for internal services via intra subdomain
---
 constants.nix | 9 +++------
 hosts/sid/services/headscale.nix | 18 ++++--------------
 hosts/sid/services/nginx.nix | 2 +-
 3 files changed, 8 insertions(+), 21 deletions(-)
diff --git a/constants.nix b/constants.nix
index 44b9422..a647979 100644
--- a/constants.nix
+++ b/constants.nix
@@ -3,15 +3,12 @@ rec {
 hosts = {
 sid = {
 ip = "100.64.0.6";
- domain = "sid.tail";
 };
 rx4 = {
 ip = "100.64.0.10";
- domain = "rx4.tail";
 };
 vde = {
 ip = "100.64.0.1";
- domain = "vde.tail";
 };
 };
 services = {
@@ -27,7 +24,7 @@ rec {
 port = 8085;
 };
 netdata = {
- fqdn = "netdata.sid.tail";
+ fqdn = "netdata.intra." + domain;
 port = 19999;
 };
 open-webui-oci = {
@@ -43,11 +40,11 @@ rec {
 port = 1200;
 };
 vaultwarden = {
- fqdn = "pw.rx4.tail";
+ fqdn = "pw.intra." + domain;
 port = 8222;
 };
 webdav = {
- fqdn = "dav.rx4.tail";
+ fqdn = "dav.intra." + domain;
 port = 8080;
 };
 };
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index adb3296..1647e6a 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -21,11 +21,10 @@
 .:53 {
 bind ${hosts.sid.ip}
 hosts {
- ${hosts.sid.ip} sid.tail
- ${hosts.sid.ip} netdata.sid.tail
+ ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
+ ${hosts.rx4.ip} ${services.webdav.fqdn}
 ${hosts.rx4.ip} rx4.tail
- ${hosts.rx4.ip} dav.rx4.tail
- ${hosts.rx4.ip} pw.rx4.tail
+ ${hosts.sid.ip} sid.tail
 ${hosts.vde.ip} vde.tail
 fallthrough
 }
@@ -54,16 +53,7 @@
 };
 settings = {
 dns = {
- magic_dns = true;
- base_domain = "tail";
- search_domains = [ "tail" ];
- override_local_dns = true;
- nameservers = {
- global = [ "1.1.1.1" ];
- split = {
- "tail" = [ constants.hosts.sid.ip ];
- };
- };
+ magic_dns = true; # NOTE: should coredns handle everything?
 };
 };
 };
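Review bot: The internal zone is spelled out three times as a string literal, `"netdata.intra." + domain` in this hunk and `"pw.intra." + domain` / `"dav.intra." + domain` in the next one, so nothing ties these names to the resolver rule that has to keep them tailnet-only. A single binding in the `rec` set, e.g. `intraDomain = "intra." + domain;` with `fqdn = "pw." + intraDomain;`, would give the DNS and nginx modules one value to reference. A short comment such as `# intra.* is answered only by CoreDNS on the tailnet` would record the assumption the scheme depends on. `domain` is defined outside the hunk, so its value is not visible here.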
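Review bot: The `hosts` block loses `netdata.sid.tail` but gains no entry for `${services.netdata.fqdn}`, while the nginx change in this commit still serves a virtual host under that name. Unless a record exists outside this hunk, `netdata.intra.<domain>` drops through `fallthrough` to whatever the Corefile forwards to, which for a name under the public zone is presumably a public resolver. Adding `${hosts.sid.ip} ${services.netdata.fqdn}` next to the vaultwarden and webdav lines keeps all three names answered locally. The Corefile string starts and ends outside the hunk.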
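Review bot: Dropping `nameservers.split` removes the only visible setting that pointed tailnet clients at the CoreDNS instance on `constants.hosts.sid.ip`, and nothing in the hunk adds a split rule for the new `intra.` zone. With only `magic_dns = true` left, lookups for `pw.intra.<domain>` and `dav.intra.<domain>` would presumably go to each client's own resolver, which exposes the internal names to public DNS and leaves the answer for the password manager's hostname outside your control. A rule such as `nameservers.split."intra.${constants.domain}" = [ constants.hosts.sid.ip ];` would restore that routing, assuming `constants.domain` is the attribute the fqdn values are built from. It is also worth confirming that headscale accepts `magic_dns = true` without a `base_domain`; I believe it validates that pairing at startup.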
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index d3aaba8..0bc8752 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -35,7 +35,7 @@ in
 port = constants.services.miniflux.port;
 };
 virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
- ssl = false;
+ inherit ssl;
 port = constants.services.netdata.port;
 };
 virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
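Review bot: `inherit ssl;` takes its value from a binding outside the hunk, so whether netdata is now served over TLS, and with which certificate, cannot be read from this change. If `mkVirtualHost` obtains certificates through ACME, a host reachable only on a 100.64.0.0/10 address would likely need a DNS-01 challenge rather than HTTP-01, and the `netdata.intra.<domain>` name would be published in certificate transparency logs. A comment on the line, e.g. `# TLS on: name is under the public zone, cert issued via <method>`, would make the choice explicit. The enclosing attribute set starts and ends outside the hunk.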