From 57d897ac82e4eb5c964a3682a190096010ec94ca Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 19 Jun 2023 12:28:33 +0800
Subject: [PATCH] hosts/ni: update personal VPN config
---
 hosts/ni/default.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix
index 60a75149..b9f3ea76 100644
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@@ -223,6 +223,12 @@ in
 };
 };

+ services.resolved.domains = [
+ "~plover.foodogsquared.one"
+ "~0.27.172.in-addr.arpa"
+ "~0.28.172.in-addr.arpa"
+ ];
+
 system.stateVersion = "23.05"; # Yes! I read the comment!

 # Setting up Wireguard as a VPN tunnel. Since this is a laptop that meant to
@@ -236,18 +242,20 @@ in
 domains = [
 "~plover.foodogsquared.one"
 "~0.27.172.in-addr.arpa"
+ "~0.28.172.in-addr.arpa"
 ];
 in
 {
 privateKeyFile = config.sops.secrets."ni/wireguard/private-key".path;
 listenPort = wireguardPort;
- dns = with wireguardPeers.server; [ IPv4 IPv6 ];
+ dns = with interfaces.internal; [ IPv4.address IPv6.address ];
 postUp =
 let
 resolvectl = "${lib.getBin pkgs.systemd}/bin/resolvectl";
 in
 ''
- ${resolvectl} domain %i ${lib.concatStringsSep " " domains}
+ ${resolvectl} domain ${wireguardIFName} ${lib.concatStringsSep " " domains}
+ ${resolvectl} dnssec ${wireguardIFName} no
 '';

 address = with wireguardPeers.desktop; [
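Review bot: The three routing domains added as `services.resolved.domains` duplicate the `domains` list in the Wireguard `let` block of the next hunk, so the two can drift; this commit already had to add `~0.28.172.in-addr.arpa` in both places. Consider binding the list once and referencing it from both, or at least add a comment such as `# Keep in sync with the routing domains passed to resolvectl in the Wireguard postUp.` The hunk also does not say why the domains are needed globally. As far as I can tell, a global `~` routing domain also makes the system-wide DNS servers a match for these names, so if any are configured, lookups for the internal zone may leave the tunnel; `resolvectl status` with the tunnel up and down would confirm. The enclosing attribute set starts and ends outside the hunk.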
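Review bot: The added `${resolvectl} dnssec ${wireguardIFName} no` switches off DNSSEC validation for every lookup routed to the Wireguard link, and nothing in the hunk says why. If the reason is that the internal zone is unsigned (an assumption; the cause is not visible here), a narrower option is to keep validation on and set a negative trust anchor for that zone only, e.g. `${resolvectl} nta ${wireguardIFName} plover.foodogsquared.one`. systemd-resolved already ships built-in negative trust anchors for the private reverse zones, which should cover the two `172.in-addr.arpa` entries. If the blanket setting stays, add a comment like `# The internal resolver does not serve signed zones; validation fails without this.` so the downgrade is a recorded decision. `wireguardIFName` and `interfaces.internal` are defined outside the hunk, and the interface block continues past its last line.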