5 changed files with 52 additions and 58 deletions
--- a/constants.nix
+++ b/constants.nix
@ -1,15 +1,17 @@
 rec {
  domain = "sid.ovh";
-  intranet = "intra." + domain;
  hosts = {
    sid = {
      ip = "100.64.0.6";
+      domain = "sid.tail";
    };
    rx4 = {
      ip = "100.64.0.10";
+      domain = "rx4.tail";
    };
    vde = {
      ip = "100.64.0.1";
+      domain = "vde.tail";
    };
  };
  services = {
@ -25,7 +27,7 @@ rec {
      port = 8085;
    };
    netdata = {
-      fqdn = "netdata." + intranet;
+      fqdn = "netdata.sid.tail";
      port = 19999;
    };
    open-webui-oci = {
@ -41,11 +43,11 @@ rec {
      port = 1200;
    };
    vaultwarden = {
-      fqdn = "pw." + intranet;
+      fqdn = "pw.rx4.tail";
      port = 8222;
    };
    webdav = {
-      fqdn = "dav." + intranet;
+      fqdn = "dav.rx4.tail";
      port = 8080;
    };
  };
--- a/hosts/rx4/services/vaultwarden.nix
+++ b/hosts/rx4/services/vaultwarden.nix
@ -1,12 +1,14 @@
 {
  constants,
  config,
+  lib,
  ...
 }:

 let
  inherit (constants) domain;
  inherit (constants.services.vaultwarden) fqdn port;
+  inherit (lib) mkForce;
 in
 {
  services.vaultwarden = {
@ -15,7 +17,7 @@ in
    dbBackend = "postgresql";
    configurePostgres = true;

-    configureNginx = false;
+    configureNginx = true;
    domain = fqdn;

    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
@ -36,6 +38,8 @@ in
    };
  };

+  services.nginx.virtualHosts."${fqdn}".forceSSL = mkForce false; # let Tailnet handle SSL
+
  sops =
    let
      owner = config.users.users.vaultwarden.name;
--- a/hosts/sid/secrets/secrets.yaml
+++ b/hosts/sid/secrets/secrets.yaml
@ -32,7 +32,6 @@ mailserver:
        vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
 radicale:
    sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
-hetzner-dns-api-key: ENC[AES256_GCM,data:KQooOZjQMtCSVqMI8yKVEk0xebTEuNs5WsxTDC9kcXdGZIgq8ZIEk5ku94EV95i0ad9y5Zx0ozt7aWcNHiMMfQ==,iv:jssQ7PejT5awmeMowdSIEFKDfLW7PWvsd++lh9/MlXs=,tag:UoNRz9neDzDxDjmGmBNPjA==,type:str]
 sops:
    age:
        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@ -53,7 +52,7 @@ sops:
            RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
            UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-03T13:35:11Z"
-    mac: ENC[AES256_GCM,data:fUOfIHeXjpDe57Q5sTYFlAefk1JpX2uvwmgpr9Mvl7pH47NBJUnQjC2NH5e89gc08H91ZYD8T4xE2e/E0zBb4rnW6geVpTPfV7NTj/HPOpRZCj/4ikMv/u6cFDODSThTRRRm4rBhFv2jpNR9Ez50OxOxbOGXILEAaQ1yytyVQKs=,iv:5F85fPxdab1KKHN978stzLhFTOH811+qwFZ0mP13Dx0=,tag:euM1ecdQX1d5L9ViZZknQw==,type:str]
+    lastmodified: "2026-04-03T11:37:47Z"
+    mac: ENC[AES256_GCM,data:5f4/mIJzzvKhZjES4WA0Ds2g642FDS03oSmH4dUi0pnF01aQD75eZ0HI3vcdks6kY+b5xyH5BJ283cgrnIiG2oPjYsIt8ULFnXZql31QQJArirYC35qf5lIiN4gC0ObzC5nSTR4rzrqpWtmf2vrvxDXWftK+JdwPyPjk/4IAu50=,iv:tfHDum7KB+nYQnxfukm+w/BotWW+Itmn11yy6O4V6oE=,tag:0/sFkH9Z2ZP2wzVfJEYFqA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@ -1,5 +1,6 @@
 {
  inputs,
+  constants,
  ...
 }:

@ -9,6 +10,33 @@
    inputs.synix.nixosModules.headscale
  ];

+  services.resolved.enable = false;
+  networking.resolvconf.enable = false;
+
+  networking.nameservers = [ constants.hosts.sid.ip ];
+
+  services.coredns = {
+    enable = true;
+    config = with constants; ''
+      .:53 {
+        bind ${hosts.sid.ip}
+        hosts {
+          ${hosts.sid.ip} sid.tail
+          ${hosts.sid.ip} netdata.sid.tail
+          ${hosts.rx4.ip} rx4.tail
+          ${hosts.rx4.ip} dav.rx4.tail
+          ${hosts.rx4.ip} pw.rx4.tail
+          ${hosts.vde.ip} vde.tail
+          fallthrough
+        }
+        forward . 1.1.1.1
+        cache
+        log
+        errors
+      }
+    '';
+  };
+
  services.headplane = {
    enable = true;
    reverseProxy = {
@ -26,7 +54,16 @@
    };
    settings = {
      dns = {
-        magic_dns = true; # NOTE: should coredns handle everything?
+        magic_dns = true;
+        base_domain = "tail";
+        search_domains = [ "tail" ];
+        override_local_dns = true;
+        nameservers = {
+          global = [ "1.1.1.1" ];
+          split = {
+            "tail" = [ constants.hosts.sid.ip ];
+          };
+        };
      };
    };
  };
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@ -1,7 +1,6 @@
 {
  inputs,
  constants,
-  config,
  lib,
  ...
 }:
@ -16,43 +15,6 @@ in
    inputs.synix.nixosModules.nginx
  ];

-  services.resolved.enable = false;
-  networking.resolvconf.enable = false;
-
-  networking.nameservers = [ constants.hosts.sid.ip ];
-
-  services.coredns = {
-    enable = true;
-    config = with constants; ''
-      .:53 {
-        bind ${hosts.sid.ip}
-        hosts {
-          ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
-          ${hosts.rx4.ip} ${services.webdav.fqdn}
-          ${hosts.rx4.ip} rx4.tail
-          ${hosts.sid.ip} ${services.netdata.fqdn}
-          ${hosts.sid.ip} sid.tail
-          ${hosts.vde.ip} vde.tail
-          fallthrough
-        }
-        forward . 1.1.1.1
-        cache
-        log
-        errors
-      }
-    '';
-  };
-
-  security.acme = {
-    certs."${constants.intranet}" = {
-      domain = "*.${constants.intranet}";
-      webroot = null;
-      dnsProvider = "hetzner";
-      credentialsFile = config.sops.secrets.hetzner-dns-api-key.path;
-    };
-  };
-  sops.secrets.hetzner-dns-api-key = { };
-
  services.nginx = {
    enable = true;
    openFirewall = true;
@ -73,7 +35,7 @@ in
      port = constants.services.miniflux.port;
    };
    virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
-      inherit ssl;
+      ssl = false;
      port = constants.services.netdata.port;
    };
    virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
@ -93,16 +55,6 @@ in
      address = constants.hosts.rx4.ip;
      port = constants.services.rsshub-oci.port;
    };
-    virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
-      inherit ssl;
-      address = constants.hosts.rx4.ip;
-      port = constants.services.vaultwarden.port;
-    };
-    virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
-      inherit ssl;
-      address = constants.hosts.rx4.ip;
-      port = constants.services.webdav.port;
-    };
    # FIXME
    # virtualHosts."print.sid.ovh" = {
    #   enableACME = true;