From 7d113fcddd341f1e4b04ceb2785087d50b8e1556 Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sun, 24 Aug 2025 13:31:38 +0100
Subject: Add wireguard configuration to dotfiles role

This is a simple role that works only for one host. There are multiple complications that I should keep in mind in the future.

* There should be a way to install dotfiles on boxes without GPG key there. So, files with secrets in them should be gated.
* Wireguard configuration should be per host. Each host should have its own private key.

--- misc/dotfiles/wireguard/onion-dns-up.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100755 misc/dotfiles/wireguard/onion-dns-up.sh (limited to 'misc/dotfiles/wireguard/onion-dns-up.sh') diff --git a/misc/dotfiles/wireguard/onion-dns-up.sh b/misc/dotfiles/wireguard/onion-dns-up.sh new file mode 100755 index 0000000..d8f69b9 --- /dev/null +++ b/misc/dotfiles/wireguard/onion-dns-up.sh @@ -0,0 +1,18 @@ +#! /usr/bin/env sh + +# macOS as usual has it is own way to do DNS. Even when we set DNS in +# WireGuard config, onion addresses will not be resolved anyway. Moreover, +# nslookup (and probably other standard cli utilities will work properly), but +# Firefox at the same time will not. +# The only workaround I found it to set `SupplementalMatchDomains` manually +# with `scutil`. This trick worked for OpenVPN for long time as well. + +iface=$1 +dns=$2 + +scutil <
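Review bot: `iface=$1` and `dns=$2` are assigned with no check that either argument was passed, so a call with a missing argument carries an empty value into the `scutil` invocation that follows. Suggest failing early, for example `iface=${1:?interface name required}` and `dns=${2:?DNS server address required}`, or `set -eu` right after the shebang. The input to `scutil` is cut off at `scutil <` in this view; if those two values are interpolated into it, also reject a `dns` value that is not a plain IP address, since that text is interpreted as scutil commands. In the header comment, "it is own way" should read "its own way", the closing parenthesis belongs after "utilities", and "I found it to set" should read "I found is to set".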