From 94249e7bcbfed6a04baa01972661bd1901a95f68 Mon Sep 17 00:00:00 2001
From: Joshua Bell
Date: Mon, 9 Feb 2026 13:19:31 -0600
Subject: [PATCH 1/2] Move tailnet.nix to tailnet/default.nix and add h001_dns module
---
.../{tailnet.nix => tailnet/default.nix} | 8 ++++++
.../common/nix_modules/tailnet/h001_dns.nix | 27 +++++++++++++++++++
2 files changed, 35 insertions(+)
rename flakes/common/nix_modules/{tailnet.nix => tailnet/default.nix} (76%)
create mode 100644 flakes/common/nix_modules/tailnet/h001_dns.nix
diff --git a/flakes/common/nix_modules/tailnet.nix b/flakes/common/nix_modules/tailnet/default.nix
similarity index 76%
rename from flakes/common/nix_modules/tailnet.nix
rename to flakes/common/nix_modules/tailnet/default.nix
index bcc151e4..da0260e7 100644
--- a/flakes/common/nix_modules/tailnet.nix
+++ b/flakes/common/nix_modules/tailnet/default.nix
@@ -11,11 +11,19 @@ let secrets = config.age.secrets or { }; in secrets ? ${secret} && secrets.${secret} != null; + + # Shared DNS records for h001 services - used for /etc/hosts fallback + h001Dns = import ./h001_dns.nix; in { environment.systemPackages = with pkgs; [ tailscale ]; boot.kernelModules = [ "tun" ]; + # Add /etc/hosts entries for h001 services as fallback for headscale DNS + networking.hosts = { + "${h001Dns.ip}" = map (name: "${name}.${h001Dns.baseDomain}") h001Dns.subdomains; + }; + services.tailscale = { enable = true; openFirewall = true;
diff --git a/flakes/common/nix_modules/tailnet/h001_dns.nix b/flakes/common/nix_modules/tailnet/h001_dns.nix
new file mode 100644
index 00000000..69fd205d
--- /dev/null
+++ b/flakes/common/nix_modules/tailnet/h001_dns.nix
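Review bot: In tailnet/default.nix the new `networking.hosts` block is commented as a fallback, but /etc/hosts is normally consulted before DNS, so these entries override both the headscale records and public DNS on every host that imports the module, including while tailscale is disconnected. In that state the names resolve to an address in 100.64.0.0/10 that is no longer reached through the tailnet, so connections to `sso`, `git` and the other names rely on TLS verification to reject whatever answers there. I would reword the comment to `# Pin h001 service names in /etc/hosts; these take precedence over DNS, also when tailscale is down` and consider putting the block behind a module option so individual hosts can opt out. The enclosing `let … in { … }` starts and ends outside the hunk.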
@@ -0,0 +1,27 @@
+# Shared DNS records for h001 services
+# Used by headscale for DNS splitting and by other hosts for /etc/hosts fallback
+{
+ # h001's tailscale IP
+ ip = "100.64.0.13";
+
+ # List of subdomain names that point to h001
+ subdomains = [
+ "jellyfin"
+ "media"
+ "notes"
+ "chat"
+ "sso-proxy"
+ "n8n"
+ "sec"
+ "sso"
+ "gist"
+ "git"
+ "blog"
+ "etebase"
+ "photos"
+ "location"
+ ];
+
+ # Base domain
+ baseDomain = "joshuabell.xyz";
+}
From 9d03d2c4e891d9ab60d29c71f85f083007d53865 Mon Sep 17 00:00:00 2001
From: Joshua Bell
Date: Mon, 9 Feb 2026 13:20:31 -0600
Subject: [PATCH 2/2] update to latest common with dns list
---
hosts/linode/l001/flake.lock | 8 +++----
hosts/linode/l001/headscale.nix | 42 +++++++--------------------------
hosts/lio/flake.lock | 8 +++----
3 files changed, 16 insertions(+), 42 deletions(-)
diff --git a/hosts/linode/l001/flake.lock b/hosts/linode/l001/flake.lock
index 1493a078..e855cd52 100644
--- a/hosts/linode/l001/flake.lock
+++ b/hosts/linode/l001/flake.lock
@@ -3,11 +3,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1766036507, - "narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=", + "lastModified": 1770664771, + "narHash": "sha256-8X1QU1bmy0hQe2PnpVcg1trna4BO+bpTpC79mWsz1rY=", "ref": "refs/heads/master", - "rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59", - "revCount": 952, + "rev": "94249e7bcbfed6a04baa01972661bd1901a95f68", + "revCount": 1248, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" },
diff --git a/hosts/linode/l001/headscale.nix b/hosts/linode/l001/headscale.nix
index ce31d5b6..58a1e269 100644
--- a/hosts/linode/l001/headscale.nix
+++ b/hosts/linode/l001/headscale.nix
@@ -1,4 +1,7 @@ { pkgs, ... }: +let + h001Dns = import ../../../flakes/common/nix_modules/tailnet/h001_dns.nix; +in { config = { # TODO backup /var/lib/headscale data
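Review bot: The `ip = "100.64.0.13";` line in h001_dns.nix hard-codes an address that headscale hands out, and nothing visible in this patch keeps the two in sync. If h001 is ever re-registered (headscale.nix still carries `# TODO backup /var/lib/headscale data`), the address may change and every name in `subdomains` would then point at whichever node holds 100.64.0.13, both in headscale's records and in each host's /etc/hosts. I would extend the comment to say so, for example `# h001's tailscale IP as assigned by headscale; update here if h001 is re-registered`.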
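Review bot: The added `h001Dns = import ../../../flakes/common/nix_modules/tailnet/h001_dns.nix;` in headscale.nix reads the list from the working tree, while the same commit bumps the `common` input in flake.lock to pick the list up. The two copies can drift, since the headscale records come from the checkout being built and the /etc/hosts entries from the locked revision; the relative path also reaches outside hosts/linode/l001, which presumably only evaluates while the whole repository is present around the flake. Reading the file through the locked input would leave one source of truth, for example `h001Dns = import "${inputs.common}/nix_modules/tailnet/h001_dns.nix";` if this module receives the flake inputs (not visible here). The module body continues past the end of the hunk.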
@@ -17,40 +20,11 @@ magic_dns = true; base_domain = "net.joshuabell.xyz"; override_local_dns = false; - # nameservers.global = [ - # "1.1.1.1" - # "1.0.0.1" - # "8.8.8.8" - # "8.8.4.4" - # "9.9.9.9" - # "9.9.9.10" - # ]; - extra_records = - let - # DNS splitting at the tailscale network level. We intercept these domains - # when connected to tailscale and skip my global/internet facing DNS proxy - h001ARecord = name: { - type = "A"; - name = "${name}.joshuabell.xyz"; - value = "100.64.0.13"; - }; - in - [ - (h001ARecord "jellyfin") - (h001ARecord "media") - (h001ARecord "notes") - (h001ARecord "chat") - (h001ARecord "sso-proxy") - (h001ARecord "n8n") - (h001ARecord "sec") - (h001ARecord "sso") - (h001ARecord "gist") - (h001ARecord "git") - (h001ARecord "blog") - (h001ARecord "etebase") - (h001ARecord "photos") - (h001ARecord "location") - ]; + extra_records = map (name: { + type = "A"; + name = "${name}.${h001Dns.baseDomain}"; + value = h001Dns.ip; + }) h001Dns.subdomains; }; }; };
diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock
index 792decf3..2e3220fe 100644
--- a/hosts/lio/flake.lock
+++ b/hosts/lio/flake.lock
@@ -64,11 +64,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1770613864, - "narHash": "sha256-Wn/dJdzToNfAqrZp1oRbXTvcF88UUCYkfOBPLsHpHNY=", + "lastModified": 1770664771, + "narHash": "sha256-8X1QU1bmy0hQe2PnpVcg1trna4BO+bpTpC79mWsz1rY=", "ref": "refs/heads/master", - "rev": "9e5e3cd4fa9ddae4ede2ba6c83f3c734a33f27b4", - "revCount": 1240, + "rev": "94249e7bcbfed6a04baa01972661bd1901a95f68", + "revCount": 1248, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" },
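Review bot: The rewritten `extra_records` in headscale.nix drops the comment that explained why these records exist (split DNS on the tailnet, bypassing the internet-facing DNS proxy), so a reader of this file now has to open h001_dns.nix to learn what the records are for. I would keep one line above the `map`, for example `# Split DNS: on the tailnet these names resolve straight to h001 instead of the public DNS proxy`. The settings block this hunk edits starts outside the hunk.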