feat: NAT hairpinning, DNS static servers, clear service error on install

- Add POSTROUTING MASQUERADE rules for container and host hairpin NAT
- Allow bridge subnet containers to reach private forwards via LAN IPs
- Pass bridge_subnet env var from forward.rs to forward-port script
- Use DB-configured static DNS servers in resolver with DB watcher
- Fall back to resolv.conf servers when no static servers configured
- Clear service error state when install/update completes successfully
- Remove completed TODO items
Aiden McClelland
2026-02-19 15:27:52 -07:00
parent 5a292e6e2a
commit 4527046f2e
6 changed files with 146 additions and 76 deletions

@@ -52,24 +52,11 @@ Pending tasks for AI agents. Remove items when completed.
service is ready, then clear it if it matches. This allows tasks to be created regardless of
whether the service is currently running.
- [ ] Clear service error state on fresh install/update - @dr-bonez
Fresh installs and updates should clear any existing service error state.
- [ ] Implement URL plugins - @dr-bonez
**Goal**: Add a plugin system that allows services to register URL scheme plugins, providing
additional ways for other services to connect to them (e.g. alternative protocols or transports).
- [ ] Fix NAT hairpinning for LAN port forwarding - @dr-bonez
**Problem**: When a container accesses a service via a forwarded port on the host, the return
traffic doesn't route correctly due to missing NAT hairpin rules. This causes container-to-host
port forward connections to fail.
**Goal**: Add masquerade/SNAT rules so containers can reach services through the host's forwarded
ports.
- [ ] OTA updates for start-tunnel - @dr-bonez
**Goal**: Add an OTA update mechanism for the start-tunnel server so it can be updated in place
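Review bot: the "Fix NAT hairpinning for LAN port forwarding" item in this hunk is the only place in the shown diff that records why the masquerade rules are needed (container-to-host port-forward return traffic not routing without hairpin NAT); since the commit message says completed TODO items are removed here, that rationale should be carried into a comment next to the new POSTROUTING MASQUERADE rules in the forward-port script or forward.rs so the reason for the rules is not lost with the TODO entry. Likewise for "Clear service error state on fresh install/update": a short note in the install/update path stating that a successful completion clears prior error state would preserve the intent this hunk removes.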