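{ config, pkgs, ... }:

with pkgs.lib;

let
  # NextDNS resolvers reached over DNS-over-TLS (two IPv4, two IPv6). The
  # NextDNS profile is selected purely by the SNI name handed to
  # `tls_servername`, so the same four endpoints serve every profile below.
  nextdnsUpstreams = [
    "tls://45.90.28.77"
    "tls://45.90.30.77"
    "tls://2a07:a8c0::d6:5174"
    "tls://2a07:a8c1::d6:5174"
  ];

  # CoreDNS `forward` stanza towards NextDNS for the profile named by
  # `servername`. `health_check 5s` probes the upstreams every 5 seconds.
  nextdnsForward = servername: ''
    forward . ${concatStringsSep " " nextdnsUpstreams} {
      tls_servername ${servername}
      health_check 5s
    }
  '';

  # Root-zone (`.`) server blocks for every device on `iface`: one view per
  # device, matched on the query's source address, forwarding to the
  # device-specific NextDNS profile `<device>-d65174`.
  #
  # NOTE(review): the view matches on `client_ip()` alone, so per-device
  # profile selection is only as trustworthy as the network's protection
  # against source-address spoofing on `iface`.
  deviceViewsFor = iface:
    concatStrings (mapAttrsToList
      (name: device: ''
        . {
          view ${name} {
            expr client_ip() == '${device.address}'
          }
          ${nextdnsForward "${name}-d65174.dns.nextdns.io"}
        }
      '')
      config.architect.networks.${iface}.devices);

  # Split-horizon server block for `domain` on `iface`: clients inside the
  # interface's CIDR are answered with the architect host's address on that
  # interface (A and HTTPS records, 60 s TTL) instead of the public answer.
  domainViewFor = domain: iface:
    let
      net = config.architect.networks.${iface};
      architectIP = net.devices.architect.address;
    in ''
      ${domain} {
        view ${iface} {
          expr incidr(client_ip(), '${net.net}')
        }
        template IN A ${domain} {
          answer "${domain}. 60 IN A ${architectIP}"
        }
        template IN HTTPS ${domain} {
          answer "${domain}. 60 IN HTTPS 1 . ipv4hint=\"${architectIP}\""
        }
        cache
        log
      }
    '';

  # Corefile body for all split-horizon domains.
  #
  # `domains` maps a domain name to an attrset carrying a `dnsInterfaces`
  # list. Per-device root-zone views are emitted once per interface
  # (deduplicated across every domain's interface list, first occurrence
  # order kept) rather than once per domain/interface pair, so CoreDNS no
  # longer receives the same `.`/view block repeated for every domain that
  # shares an interface.
  generateCoreDNSConfig = domains:
    let
      interfaces = unique (concatMap (conf: conf.dnsInterfaces) (attrValues domains));
      domainBlocks = concatStrings (mapAttrsToList
        (domain: conf: concatMapStrings (domainViewFor domain) conf.dnsInterfaces)
        domains);
    in
    domainBlocks + concatMapStrings deviceViewsFor interfaces;

  # Every virtual host managed by the architect module, plus the bare
  # `architect.devs.giugl.io` name, gets split-horizon records.
  allDomains = config.architect.vhost // {
    "architect.devs.giugl.io" = { dnsInterfaces = [ "lan" "tailscale" ]; };
  };

  domain = "adguard.giugl.io";
in
{
  # AdGuard Home's UI behind the reverse proxy. The location is restricted to
  # the LAN (`allowLan`) and to the tailscale network's CIDR (`allow`).
  architect.vhost.${domain} = with config.architect.networks; {
    dnsInterfaces = [ "tailscale" "lan" ];
    locations."/" = {
      port = config.services.adguardhome.port;
      allowLan = true;
      allow = [ tailscale.net ];
    };
  };

  services.coredns = {
    enable = true;
    # Split-horizon and per-device blocks first; the trailing view-less `.`
    # block is the catch-all, forwarding to the host's own NextDNS profile.
    config = ''
      ${generateCoreDNSConfig allDomains}
      . {
        ${nextdnsForward "architect-d65174.dns.nextdns.io"}
      }
    '';
  };
}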