From 486d719d52f15b0df4bda500fe4799baf4b2d406 Mon Sep 17 00:00:00 2001
From: Toast
Date: Sat, 9 Dec 2023 17:59:44 +0100
Subject: [PATCH 1/5] Server/dns: enable and configure dnsmasq

---
 roles/server/default.nix | 1 +
 roles/server/dns.nix | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 roles/server/dns.nix

diff --git a/roles/server/default.nix b/roles/server/default.nix
index af9c11a..5d6a6b8 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -15,5 +15,6 @@
 ./tailscale.nix
 ./traefik.nix
 ./minecraft.nix
+ ./dns.nix
 ];
 }
diff --git a/roles/server/dns.nix b/roles/server/dns.nix
new file mode 100644
index 0000000..c5915d2
--- /dev/null
+++ b/roles/server/dns.nix
@@ -0,0 +1,40 @@
+{ ... }:
+
+{
+ services.dnsmasq = {
+ enable = true;
+
+ # Only using this for tailscale IPs, so better to let tailscale itself deal with it
+ resolveLocalQueries = false;
+
+ settings = {
+ listen-address = [ "100.73.96.48" ];
+
+ /*
+ Dnsmasq tries to use the tailscale dns server, which is bad cause that points to dnsmasq
+ From the little testing I have done it seems to not cause any issues, but better to be safe
+ than sorry :P
+ */
+ dns-loop-detect = true;
+ ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
+ filter-AAAA = true;
+ expand-hosts = true;
+ domain = "sable-pancake.ts.net";
+ domain-needed = true;
+ };
+ };
+
+ # Add tailscale hosts
+ networking.hosts = {
+ "100.73.96.48" = [ "everest" ];
+ "100.113.139.93" = [ "archie" ];
+ "100.85.48.85" = [ "steamdeck" ];
+ "100.96.92.13" = [ "surfecego" ];
+ };
+
+ # Dnsmasq conflicts with the resolved dns stub listener
+ services.resolved.extraConfig = ''
+ [Resolve]
+ DNSStubListener=no
+ '';
+}
From 3e4b9056f427c9580342659fbad941bbae6c8433 Mon Sep 17 00:00:00 2001
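Review bot: `listen-address = [ "100.73.96.48" ]` on its own does not stop dnsmasq from binding the wildcard port-53 socket — without `bind-interfaces` or `bind-dynamic` dnsmasq binds 0.0.0.0:53 and merely discards queries for other addresses, which is also the likely reason it collides with resolved's stub listener. Adding `bind-dynamic = true;` next to `listen-address` makes dnsmasq bind only the tailscale address while still following it if the interface comes up after the service starts, and may remove the need for `DNSStubListener=no` (worth confirming on the host). Nothing here sets `no-resolv` or `server`, so upstreams come from /etc/resolv.conf, which on a tailscale host can point back at MagicDNS; `dns-loop-detect` catches that at runtime, whereas explicit upstreams would make the loop impossible rather than detected. The hunk is a complete new file.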
From: Toast
Date: Sat, 9 Dec 2023 18:31:08 +0100
Subject: [PATCH 2/5] Server/traefik: only enable web ui in specialisation

---
 roles/server/traefik.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/roles/server/traefik.nix b/roles/server/traefik.nix
index c2b9442..380d4b2 100644
--- a/roles/server/traefik.nix
+++ b/roles/server/traefik.nix
@@ -1,12 +1,19 @@
 { config, ... }:
 
 {
+ specialisation.traefikEnableWebUI.configuration.services.traefik = {
+ staticConfigOptions = {
+ api = {
+ # Enable the web ui
+ insecure = true;
+ dashboard = true;
+ };
+ };
+ };
+
 services.traefik = {
 enable = true;
 staticConfigOptions = {
- # Enable the web ui
- api.insecure = true;
- api.dashboard = true;
 entryPoints = {
 http = { address = ":80"; };
 };
From 78d3ac4d4ebc516d7829b28e6119884fc49804d7 Mon Sep 17 00:00:00 2001
From: Toast
Date: Sat, 9 Dec 2023 18:39:45 +0100
Subject: [PATCH 3/5] Server/traefik: set http entrypoint address to the tailscale IP

---
 roles/server/traefik.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/server/traefik.nix b/roles/server/traefik.nix
index 380d4b2..214827a 100644
--- a/roles/server/traefik.nix
+++ b/roles/server/traefik.nix
@@ -15,7 +15,7 @@
 enable = true;
 staticConfigOptions = {
 entryPoints = {
- http = { address = ":80"; };
+ http = { address = "100.73.96.48:80"; };
 };
 };
 };
From 5a52fd9f3a50a6a7c73b7fa8b2df7b440f2aea4a Mon Sep 17 00:00:00 2001
From: Toast
Date: Sat, 9 Dec 2023 19:38:21 +0100
Subject: [PATCH 4/5] Server/dns: localise queries

---
 roles/server/dns.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/server/dns.nix b/roles/server/dns.nix
index c5915d2..d50e8ea 100644
--- a/roles/server/dns.nix
+++ b/roles/server/dns.nix
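Review bot: Even inside the `traefikEnableWebUI` specialisation, `insecure = true` serves the API and dashboard on Traefik's implicit `traefik` entrypoint (port 8080 on all addresses), so while that specialisation is booted the dashboard is reachable outside the `http` entrypoint unless the host firewall blocks it, which is not visible here. Keeping `dashboard = true`, leaving `insecure` unset, and exposing the dashboard through a router on the `http` entrypoint with `service = "api@internal";` keeps it on the same address as the other proxied services. A comment such as `# Boot the traefikEnableWebUI specialisation to get the dashboard; it is off in the default system` above the block would also record how the toggle is meant to be used. The `services.traefik` body continues past the hunk.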
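Review bot: Binding `http` to the literal `100.73.96.48:80` means traefik can only bind once tailscaled has assigned that address, and the same literal is now spelled out here, in dns.nix's `listen-address` and in `networking.hosts`. A `let tailscaleIP = "100.73.96.48"; in` at the top of each file would keep the copies from drifting apart, and a comment such as `# Tailscale address of everest; traefik cannot bind until tailscaled is up` records the ordering assumption. Whether the traefik unit actually races tailscaled at boot depends on systemd ordering that is not part of this hunk.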
@@ -16,6 +16,9 @@
 than sorry :P
 */
 dns-loop-detect = true;
+
+ # If this isn't set a cname that targets a host might return the wrong ip
+ localise-queries = true;
 ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
 filter-AAAA = true;
 expand-hosts = true;
From 1a84aa229061c74661efc6d50955c0ab7dd41ba3 Mon Sep 17 00:00:00 2001
From: Toast
Date: Sun, 10 Dec 2023 18:12:27 +0100
Subject: [PATCH 5/5] Server: move services to subdomains

---
 roles/server/gitea.nix | 16 ++++++----------
 roles/server/syncthing.nix | 14 +++++--------
 roles/server/transmission.nix | 9 ++++++---
 3 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/roles/server/gitea.nix b/roles/server/gitea.nix
index 6cbac30..662da91 100644
--- a/roles/server/gitea.nix
+++ b/roles/server/gitea.nix
@@ -9,31 +9,27 @@
 server = {
 #server.SSH_PORT = 69;
 DISABLE_REGISTRATION = lib.mkDefault true;
- ROOT_URL = "http://everest/gitea/";
+ ROOT_URL = "http://git.everest.sable-pancake.ts.net";
 };
 };
 };
+
+ # Add a cname for gitea
+ services.dnsmasq.settings.cname = [ "git.everest.sable-pancake.ts.net,everest" ];
+
 # Set up traefik as the reverse proxy for Gitea
 services.traefik = {
 dynamicConfigOptions = {
 http = {
 routers = {
- /*
- Gitea works best as a subdomain, but I do not have a dns server (yet),
- and since tailscale doesn't support adding subdomains with MagicDNS I'll
- just put it in a subpath for now
- */
 gitea-subpath = {
- middlewares = [ "gitea-strip-prefix" ];
- rule = "PathPrefix(`/gitea`)";
+ rule = "Host(`git.everest.sable-pancake.ts.net`)";
 service = "gitea";
 };
 };
 services.gitea.loadBalancer.servers = [ { url = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}"; } ];
- # Gitea freaks out if you don't remove the subpath it's being proxied from
- middlewares.gitea-strip-prefix.stripprefix.prefixes = "/gitea";
 };
 };
 };
diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix
index 489324d..c533cf4 100755
--- a/roles/server/syncthing.nix
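Review bot: The router keeps its old name `gitea-subpath` while its rule is now `Host(...)`, whereas the syncthing and transmission routers in this same patch were renamed to `-subdomain`; renaming it `gitea-subdomain = {` keeps the three files consistent. `services.dnsmasq.settings.cname` is defined separately in this file, syncthing.nix and transmission.nix, so the final dnsmasq config relies on the module system merging those three list definitions into one; a comment such as `# Merged with the cname entries defined in the other service modules` makes that explicit, or the entries could be collected in dns.nix. The suffix `everest.sable-pancake.ts.net` also now appears in both the cname and the router rule of each file, so a single `let` binding per file would keep them in step. The enclosing attrset starts before the hunk.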
+++ b/roles/server/syncthing.nix
@@ -34,26 +34,22 @@
 AmbientCapabilities = "CAP_CHOWN CAP_FOWNER";
 };
 
+ # Add a cname for syncthing
+ services.dnsmasq.settings.cname = [ "sync.everest.sable-pancake.ts.net,everest" ];
+
 # Set up traefik as the reverse proxy for syncthing
 services.traefik = {
 dynamicConfigOptions = {
 http = {
 routers = {
- syncthing-subpath = {
- middlewares = [ "syncthing-add-trailing-slash" "syncthing-strip-prefix" ];
- rule = "PathPrefix(`/syncthing`)";
+ syncthing-subdomain = {
+ rule = "Host(`sync.everest.sable-pancake.ts.net`)";
 service = "syncthing";
 };
 };
 services.syncthing.loadBalancer.servers = [ { url = "http://localhost:8384"; } ];
- middlewares.syncthing-strip-prefix.stripprefix.prefixes = "/syncthing";
- middlewares.syncthing-add-trailing-slash.redirectRegex = {
- # Going to everest/syncthing without a slash at the end breaks things
- regex = "http:\/\/everest\/syncthing+$";
- replacement = "http://everest/syncthing/";
- };
 };
 };
 };
diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix
index 767981e..ed17095 100755
--- a/roles/server/transmission.nix
+++ b/roles/server/transmission.nix
@@ -7,18 +7,21 @@
 settings = {
 incomplete-dir-enabled = false;
 rpc-bind-address = "0.0.0.0";
- rpc-host-whitelist = "everest";
+ rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net";
 rpc-whitelist = "127.0.0.1";
 };
 };
 
+ # Add a cname for transmission
+ services.dnsmasq.settings.cname = [ "transmission.everest.sable-pancake.ts.net,everest" ];
+
 # Set up traefik as the reverse proxy for transmission
 services.traefik = {
 dynamicConfigOptions = {
 http = {
 routers = {
- transmission-subpath = {
- rule = "PathPrefix(`/transmission`)";
+ transmission-subdomain = {
+ rule = "Host(`transmission.everest.sable-pancake.ts.net`)";
 service = "transmission";
 };
 };
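Review bot: `rpc-host-whitelist` now admits only the new FQDN, which matches the Host-based router, but the context line just above it still has `rpc-bind-address = "0.0.0.0"` while `rpc-whitelist` already restricts clients to `127.0.0.1`. If nothing other than the local traefik instance talks to the RPC port directly, `rpc-bind-address = "127.0.0.1";` removes the listener from every other address (including the tailscale one) instead of relying on the client whitelist alone. The enclosing `services.transmission` block starts before the hunk.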