feat: try rework

intermediate/dns.nix

@@ -0,0 +1,49 @@
+let
+  lib = import <nixpkgs/lib>;
+  net = import ../config/network.nix;
+  end = import ../config/endpoints.nix;
+  endpointValidation = import ../validation/endpoints.nix;
+  networkDevicesValidation = import ../validation/network_devices.nix;
+
+  localDomain =
+    if net ? local_domain && builtins.isString net.local_domain && net.local_domain != "" then
+      net.local_domain
+    else
+      throw "config/network.nix must define local_domain as a non-empty string.";
+
+  localIngressIp =
+    if net ? devices && builtins.isAttrs net.devices && net.devices ? self && net.devices.self ? ip && builtins.isString net.devices.self.ip then
+      net.devices.self.ip
+    else
+      throw "config/network.nix must define devices.self.ip as local ingress IP for local endpoint DNS mapping.";
+
+  endpoints = endpointValidation.validateEndpointsShape end;
+  devices = networkDevicesValidation.getDevices net;
+  localDevices = networkDevicesValidation.getLocalDevices devices;
+
+  matchesLocalDomain = domain:
+    domain == localDomain || lib.hasSuffix ".${localDomain}" domain;
+
+  deviceMappings = builtins.listToAttrs (lib.mapAttrsToList (name: device: {
+    name = "${name}.${localDomain}";
+    value = device.ip;
+  }) localDevices);
+
+  localEndpointDomains = lib.unique (map (endpoint: endpoint.domain) (lib.filter (endpoint: matchesLocalDomain endpoint.domain) endpoints));
+  endpointMappings = builtins.listToAttrs (map (domain: {
+    name = domain;
+    value = localIngressIp;
+  }) localEndpointDomains);
+
+  mergedMappings = deviceMappings // endpointMappings;
+
+  _localEndpointConflicts = map (domain:
+    if deviceMappings ? ${domain} && deviceMappings.${domain} != endpointMappings.${domain} then
+      throw "DNS mapping conflict for '${domain}' between device-derived and endpoint-derived values."
+    else
+      null
+  ) (builtins.attrNames endpointMappings);
+in
+rec {
+  dnsMappings = mergedMappings;
+}