From 1ac3f05e3ebb2a3fd5915ead3707a8a4ad930195 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Wed, 25 Feb 2026 23:23:49 -0800
Subject: [PATCH] define vpn container hosts within containers too
---
 common/network/pia-vpn/default.nix | 11 ++++++++++-
 common/network/pia-vpn/service-container.nix | 2 ++
 common/network/pia-vpn/vpn-container.nix | 2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/common/network/pia-vpn/default.nix b/common/network/pia-vpn/default.nix
index 304503d..4484991 100644
--- a/common/network/pia-vpn/default.nix
+++ b/common/network/pia-vpn/default.nix
@@ -153,6 +153,13 @@ in
  description = "Prefix length derived from subnet CIDR";
  readOnly = true;
  };
+
+ # Shared host entries for all containers (host + VPN + service containers)
+ containerHosts = mkOption {
+ type = types.attrsOf (types.listOf types.str);
+ internal = true;
+ readOnly = true;
+ };
  };
  config = mkIf cfg.enable {
@@ -252,10 +259,12 @@ in
  # Host entries for container hostnames — NixOS only auto-creates these for
  # hostAddress/localAddress containers, not hostBridge. Use the standard
  # {name}.containers convention.
- networking.hosts =
+ pia-vpn.containerHosts =
  { ${cfg.vpnAddress} = [ "pia-vpn.containers" ]; }
  // mapAttrs' (name: ctr: nameValuePair ctr.ip [ "${name}.containers" ]) cfg.containers;
+ networking.hosts = cfg.containerHosts;
+
  # PIA login secret
  age.secrets."pia-login.conf".file = ../../../secrets/pia-login.age;
diff --git a/common/network/pia-vpn/service-container.nix b/common/network/pia-vpn/service-container.nix
index b2531d4..385477f 100644
--- a/common/network/pia-vpn/service-container.nix
+++ b/common/network/pia-vpn/service-container.nix
@@ -42,6 +42,8 @@ let
  };
  };
+ networking.hosts = cfg.containerHosts;
+
  # DNS through VPN container (queries go through WG tunnel = no DNS leak)
  networking.nameservers = [ cfg.vpnAddress ];
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 9cf5858..091d32f 100644
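Review bot: The new `containerHosts` option has no `default`, while its only definition (the second hunk of this file, `pia-vpn.containerHosts = …`) sits under `config = mkIf cfg.enable`, so any module that evaluates `cfg.containerHosts` while `pia-vpn.enable = false` would fail at eval time with an undefined-option error; adding `default = { };` to the mkOption keeps the new consumers in service-container.nix and vpn-container.nix evaluable regardless of the enable flag. The option also lacks a `description`, unlike the sibling option just above it; `description = "Host entries shared by the host, the VPN container and every service container";` documents the contract even though `internal = true` hides it from the manual. Whether the container modules are themselves guarded by `cfg.enable` is not visible in the hunk, so the first point is worth confirming against those files.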
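Review bot: The value assigned to `pia-vpn.containerHosts` is built with `//`, so if any entry of `cfg.containers` has `ip == cfg.vpnAddress` (or two entries share an ip) the later attribute silently replaces the earlier one and `pia-vpn.containers` drops out of the host's and, after this commit, every container's `/etc/hosts`; because the option is `readOnly = true` this is the single definition, so nothing else can merge the entry back. If no assertion covers that collision elsewhere in the module, add one next to this assignment: `assertions = [ { assertion = !(lib.any (c: c.ip == cfg.vpnAddress) (lib.attrValues cfg.containers)); message = "pia-vpn: a container ip collides with pia-vpn.vpnAddress"; } ];`. The `config = mkIf cfg.enable { … }` attrset enclosing this hunk starts and ends outside it.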
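Review bot: The added `networking.hosts = cfg.containerHosts;` in the service container carries no comment, while the host-side assignment in default.nix explains why the entries exist; a reader of this file alone cannot tell why a container should mirror the host's table. Suggest `# Mirror the host's container host entries so pia-vpn.containers and sibling service containers resolve from /etc/hosts instead of going to the VPN resolver`. The same uncommented line is added in vpn-container.nix. The enclosing `let` binding starts and ends outside the hunk.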
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -73,6 +73,8 @@ in {
  imports = allModules;
+ networking.hosts = cfg.containerHosts;
+
  # Static IP on bridge — no gateway (VPN container routes via WG only)
  networking.useNetworkd = true;
  systemd.network.enable = true;