define vpn container hosts within containers too

common/network/pia-vpn/default.nix

@@ -153,6 +153,13 @@ in
       description = "Prefix length derived from subnet CIDR";
       readOnly = true;
     };
+
+    # Shared host entries for all containers (host + VPN + service containers)
+    containerHosts = mkOption {
+      type = types.attrsOf (types.listOf types.str);
+      internal = true;
+      readOnly = true;
+    };
   };
 
   config = mkIf cfg.enable {
@@ -252,10 +259,12 @@ in
     # Host entries for container hostnames — NixOS only auto-creates these for
     # hostAddress/localAddress containers, not hostBridge. Use the standard
     # {name}.containers convention.
-    networking.hosts =
+    pia-vpn.containerHosts =
       { ${cfg.vpnAddress} = [ "pia-vpn.containers" ]; }
       // mapAttrs' (name: ctr: nameValuePair ctr.ip [ "${name}.containers" ]) cfg.containers;
 
+    networking.hosts = cfg.containerHosts;
+
     # PIA login secret
     age.secrets."pia-login.conf".file = ../../../secrets/pia-login.age;
 

common/network/pia-vpn/service-container.nix

@@ -42,6 +42,8 @@ let
         };
       };
 
+      networking.hosts = cfg.containerHosts;
+
       # DNS through VPN container (queries go through WG tunnel = no DNS leak)
       networking.nameservers = [ cfg.vpnAddress ];
 

common/network/pia-vpn/vpn-container.nix

@@ -73,6 +73,8 @@ in
         {
           imports = allModules;
 
+          networking.hosts = cfg.containerHosts;
+
           # Static IP on bridge — no gateway (VPN container routes via WG only)
           networking.useNetworkd = true;
           systemd.network.enable = true;