fix: use configured domain in CoreDNS Corefile generation

Two bugs caused DNS to fail when the domain name changes: 1. generate_corefile() hardcoded 'cell' as the zone name instead of using the configured domain — on startup it would silently reset any domain change back to 'cell' 2. apply_domain() regex replaced ALL non-dot zones (including local.cell) with the new domain → duplicate zone blocks → CoreDNS crash Fix: add a domain parameter to generate_corefile/apply_all_dns_rules, add _configured_domain() helper in app.py, and delegate Corefile updates in apply_domain() to generate_corefile() so the logic is in one place. Also parameterise SERVICE_HOSTS ACL entries via the domain argument. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 15:32:23 -04:00
parent e74d5e0504
commit 50671f71cb
4 changed files with 41 additions and 50 deletions
@@ -188,11 +188,15 @@ cell_link_manager = CellLinkManager(
 )

 # Apply firewall + DNS rules from stored peer settings (survives API restarts)
+def _configured_domain() -> str:
+    return config_manager.configs.get('_identity', {}).get('domain', 'cell')
+
+
 def _apply_startup_enforcement():
    try:
        peers = peer_registry.list_peers()
        firewall_manager.apply_all_peer_rules(peers)
-        firewall_manager.apply_all_dns_rules(peers, COREFILE_PATH)
+        firewall_manager.apply_all_dns_rules(peers, COREFILE_PATH, _configured_domain())
        logger.info(f"Applied enforcement rules for {len(peers)} peers on startup")
    except Exception as e:
        logger.warning(f"Startup enforcement failed (non-fatal): {e}")
@@ -1387,7 +1391,7 @@ def apply_wireguard_enforcement():
    try:
        peers = peer_registry.list_peers()
        firewall_manager.apply_all_peer_rules(peers)
-        firewall_manager.apply_all_dns_rules(peers, COREFILE_PATH)
+        firewall_manager.apply_all_dns_rules(peers, COREFILE_PATH, _configured_domain())
        return jsonify({'ok': True, 'peers': len(peers)})
    except Exception as e:
        return jsonify({'error': str(e)}), 500
@@ -1528,7 +1532,7 @@ def add_peer():
        if success:
            # Apply server-side enforcement immediately
            firewall_manager.apply_peer_rules(peer_info['ip'], peer_info)
-            firewall_manager.apply_all_dns_rules(peer_registry.list_peers(), COREFILE_PATH)
+            firewall_manager.apply_all_dns_rules(peer_registry.list_peers(), COREFILE_PATH, _configured_domain())
            return jsonify({"message": f"Peer {data['name']} added successfully", "ip": assigned_ip}), 201
        else:
            return jsonify({"error": f"Peer {data['name']} already exists"}), 400
@@ -1564,7 +1568,7 @@ def update_peer(peer_name):
            updated_peer = peer_registry.get_peer(peer_name)
            if updated_peer:
                firewall_manager.apply_peer_rules(updated_peer['ip'], updated_peer)
-                firewall_manager.apply_all_dns_rules(peer_registry.list_peers(), COREFILE_PATH)
+                firewall_manager.apply_all_dns_rules(peer_registry.list_peers(), COREFILE_PATH, _configured_domain())
            result = {"message": f"Peer {peer_name} updated", "config_changed": config_changed}
            return jsonify(result)
        else: