My nix-darwin and NixOS config

fix(network): wait for network-online.target before caddy and coredns

Both services bind to the Tailscale IP, which isn't available until
the tailscale0 interface is fully up. Adding network-online.target to
after/wants ensures the bind address exists before either service starts.

Also adds explicit restart config to coredns (on-failure, 10s backoff)
so it recovers gracefully if it does lose the race on a slow boot.

+25 -4
+9 -4
modules/server/infra/network/caddy.nix
··· 41 41 Restart = lib.mkForce "always"; 42 42 RestartSec = lib.mkDefault "5s"; 43 43 }; 44 - # Ensure the ACME wildcard cert exists before Caddy starts, 45 - # and that Tailscaled is up so the bind address exists. 46 - after = [ "tailscaled.service" ] ++ lib.optional hasTailnet "acme-ewancroft.uk.service"; 47 - wants = lib.optional hasTailnet "acme-ewancroft.uk.service"; 44 + # Ensure the ACME wildcard cert exists before Caddy starts, that 45 + # Tailscaled is up, and that network-online.target has been reached so 46 + # the Tailscale interface (and its bind address) actually exists. 47 + after = [ 48 + "tailscaled.service" 49 + "network-online.target" 50 + ] 51 + ++ lib.optional hasTailnet "acme-ewancroft.uk.service"; 52 + wants = [ "network-online.target" ] ++ lib.optional hasTailnet "acme-ewancroft.uk.service"; 48 53 }; 49 54 50 55 # ── ACME wildcard cert for tailnet vhosts ─────────────────────────────────
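Review bot: the new comment in this hunk overstates what the ordering guarantees: `after = [ "tailscaled.service" "network-online.target" ]` only means those units have been started, and neither implies that tailscale0 already carries its address, since network-online.target is only as strong as whichever wait-online service the host runs and tailscaled.service becoming active precedes the interface getting its IP. What actually covers a lost race is the `Restart = lib.mkForce "always"` / `RestartSec = "5s"` pair in the unchanged context above the change, so reword the comment to say the ordering reduces the window and the restart policy handles the rest, rather than "the Tailscale interface (and its bind address) actually exists". The `wants`+`after` pairing for network-online.target itself is the correct form.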
+16
modules/server/infra/network/split-dns.nix
··· 70 70 ''; 71 71 }; 72 72 73 + # CoreDNS systemd ordering and restart config. 74 + # Bind address is the Tailscale IP, so we must wait for both tailscaled 75 + # and network-online.target before starting. RestartSec gives Tailscale 76 + # enough time to bring up the interface before CoreDNS retries. 77 + systemd.services.coredns = { 78 + after = [ 79 + "tailscaled.service" 80 + "network-online.target" 81 + ]; 82 + wants = [ "network-online.target" ]; 83 + serviceConfig = { 84 + Restart = lib.mkForce "on-failure"; 85 + RestartSec = lib.mkDefault "10s"; 86 + }; 87 + }; 88 + 73 89 # Allow DNS from tailnet devices on the Tailscale interface only. 74 90 # Port 53 is NOT added to the global allowedTCPPorts/allowedUDPPorts, 75 91 # so it remains inaccessible from the public internet.
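Review bot: the two restart settings in this hunk use different priorities, `Restart = lib.mkForce "on-failure"` but `RestartSec = lib.mkDefault "10s"`, so if the coredns module (or any other module in the tree) sets RestartSec with a plain assignment, that wins over mkDefault and the 10s backoff the commit message promises is silently dropped while the forced Restart still applies; pick one priority for both, or verify what the module sets and drop the mkForce/mkDefault where it is not needed. The comment's claim that RestartSec "gives Tailscale enough time to bring up the interface" is also only true because bind failure makes coredns exit non-zero, which is what `on-failure` keys on; it is worth stating that dependency in the comment, and noting that caddy.nix uses `always` for the same situation, so the two services now differ in policy for the same race.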