| 16 Dec 2025 |
Sandro 🐧 | FYI https://github.com/NixOS/nixpkgs/pull/468790 | 23:45:40 |
| 17 Dec 2025 |
| mall0c joined the room. | 20:37:22 |
Marcus | What's the right way to configure the nixos firewall with ipv6 so it allows internet connections from the trusted interfaces, but doesn't forward connections from the wan? Seems I can ssh straight into my lan interface from the internet if filterForward is off, but can't ssh out of my lan if it's on. | 21:43:40 |
Marcus | hrm, I guess this is because filterforward uses externalInterface, but my ipv6 is routed through a HE tunnel rather than the wan interface. | 22:05:01 |
Marcus | yeah, filterforward even uses config from nat, so I guess it doesn't like non-natted ipv6 well. Fixed it with an extra ruleset for the HE tunnel. | 22:15:33 |
| 18 Dec 2025 |
n4ch723hr3r (putting stuff in your name is cringe) | i have a dns server which for a machine name returns the VPN IP. however systemd only allows interface specific DNS lookups for a TLD. so my plan was to redirect $HOST.local for example to that DNS server. however the DNS server would return NXDOMAIN since it wants $HOST ONLY.
so the question: how could i edit that DNS query. through a local dns proxy?
graphically:
client ---- $HOST.local ---> proxy ---- $HOST -----> DNS server
| 07:53:25 |
| Acid Bong joined the room. | 07:58:50 |
K900 | Uhh what | 08:03:52 |
K900 | What do you even mean by "only allows lookups for a TLD" | 08:04:04 |
| Dieselgert Baghetto joined the room. | 08:39:11 |
n4ch723hr3r (putting stuff in your name is cringe) | you define multiple DNS servers in resolved with the option to for example only use 1.1.1.1 for .local domains | 09:39:32 |
K900 | ...and? | 09:39:45 |
K900 | It can be any prefix | 09:39:47 |
K900 | Not just a TLD | 09:39:49 |
n4ch723hr3r (putting stuff in your name is cringe) | yeah but the dns is just the hostname (which in my case are alphanumeric chars) | 09:56:48 |
n4ch723hr3r (putting stuff in your name is cringe) | so the dns does NOT work with something like dig myhost.local @myserver. instead you have to do dig myhost @myserver | 09:57:53 |
K900 | You should use a separate domain name (possibly under arpa.home if you don't have a public one) and then set the search domain instead | 09:58:08 |
K900 | So the canonical names for your hosts are foo.n4ch723hr3r.home.arpa or whatever | 09:58:36 |
n4ch723hr3r (putting stuff in your name is cringe) | yes but the nebula DNS server does not have the functionality for that | 09:58:38 |
K900 | And your search domain is n4ch723hr3r.home.arpa | 09:58:42 |
magic_rb | That's a nebula bug then | 09:59:03 |
n4ch723hr3r (putting stuff in your name is cringe) | i need a reverse proxy but for DNS | 09:59:05 |
n4ch723hr3r (putting stuff in your name is cringe) | it's experimental | 09:59:11 |
magic_rb | You need to put your local dns under a tld | 09:59:18 |
n4ch723hr3r (putting stuff in your name is cringe) | how? | 09:59:27 |
magic_rb | By fixing the nebula dns server | 09:59:36 |
magic_rb | How would a rproxy help? | 09:59:43 |
n4ch723hr3r (putting stuff in your name is cringe) | i can't do that. nebula DNS doesn't have that feature | 10:00:10 |
n4ch723hr3r (putting stuff in your name is cringe) | https://nebula.defined.net/docs/guides/using-lighthouse-dns/ | 10:00:12 |
K900 | I think they want a rewriting DNS resolver that will automagically rewrite foo.n4ch723hr3r.home.arpa or whatever to just foo and then forward that to the Nebula nameserver | 10:00:15 |