tailscale: fix broken DNS on IPv6 only tailnets

[nolith]

When a tailnet has the disableIPv4 settings it will not deploy IPv4, resolving any ts.net address is broken because 100.100.100.100 is not reachable.

fd7a:115c:a1e0::53 is the magic dns address for IPv6 tailnets.

https://tailscale.com/kb/1337/acl-syntax#disableipv4

[Samasaur1]

oops i screwed up that review a little. anyway that's a minor nit and this otherwise looks good. I grepped for 100.100.100.100 and the only other matches were in comments

[Samasaur1]

ack it won't let me leave an inline comment on an unchanged part of the file, but the comment on line 36 should be updated as well:

nix-darwin/modules/services/tailscale.nix

Line 36 in 71a3a07

As this option sets 100.100.100.100 as your sole DNS server, if the requirements above are not met,

[nolith]

Thank you all, I made all the suggested edit.

I'll test it tomorrow on my other machine that is using this option.

[Enzime]

Suggested change

	assertion = cfg.overrideLocalDns -> (builtins.elem config.networking.dns "100.100.100.100" || builtins.elem config.networking.dns "fd7a:115c:a1e0::53");
	assertion = cfg.overrideLocalDns -> (builtins.any (x: x != "100.100.100.100" && x != "fd7a:115c:a1e0::53") config.networking.dns);

[nolith]

Hello, I'm not an expert of nix but I don't think this suggestion has the same behaviour of the existing implementation.

The original implementation was !cfg.overrideLocalDns || config.networking.dns == [ "100.100.100.100" ] and we are swapping it with an arrow operator.

b1 -> b2 == !b1 || b2

nix-repl> networking_dns = [ "100.100.100.100" "fd7a:115c:a1e0::53" ]
nix-repl> networking_dns ==  [ "100.100.100.100" "fd7a:115c:a1e0::53" ]
true

nix-repl> builtins.elem "100.100.100.100" networking_dns || builtins.elem "fd7a:115c:a1e0::53" networking_dns
true

nix-repl> builtins.any (x: x != "100.100.100.100" && x != "fd7a:115c:a1e0::53") networking_dns
false

nix-repl> builtins.elem "100.100.100.100" networking_dns && builtins.elem "fd7a:115c:a1e0::53" networking_dns
true

nix-repl> builtins.any (x: x != "100.100.100.100" || x != "fd7a:115c:a1e0::53") networking_dns
true

[Enzime]

x != 5 || x != 6 is always true

The original condition we’re looking to verify is that at least one element in the list is neither 100.100.100.100 nor fd7a:115c:a1e0::53 so we want to use &&

[nolith]

x != 5 || x != 6 is always true

🤦

The original condition we’re looking to verify is that at least one element in the list is neither 100.100.100.100 nor fd7a:115c:a1e0::53 so we want to use &&

But this is not what the original condition was doing !cfg.overrideLocalDns || config.networking.dns == [ "100.100.100.100" ].

If we analyse cfg.overrideLocalDns -> (builtins.any (x: x != "100.100.100.100" && x != "fd7a:115c:a1e0::53") config.networking.dns):

• when cfg.overrideLocalDns == false the assertion returns true - same as before
• when cfg.overrideLocalDns == true we return the result of (builtins.any (x: x != "100.100.100.100" && x != "fd7a:115c:a1e0::53") config.networking.dns), but this is checking a different condition compared to config.networking.dns == [ "100.100.100.100" ]. When using magicDNS you want to set a global nameserver in the admin panel, not adding another nameserver to /etc/resolv.conf. I think the original intention of that assertion was to make sure you are not adding an extra nameserver that may result in unexpected results depending on which server is selected for the resolution.