# Fix: Tailscale Health Warnings on CachyOS (Arch) with KDE Plasma

## Environment

- OS: CachyOS (Arch-based), kernel 6.19.7-1-cachyos
- DE: KDE Plasma 6 (Wayland)
- Tailscale: 1.94.2

## Problem

`tailscale status` showed two health warnings:

```
# Health check:
#     - systemd-resolved and NetworkManager are wired together incorrectly; MagicDNS will probably not work.
#     - Some peers are advertising routes but --accept-routes is false
```

## Diagnosis

### Issue 1: Accept Routes

Peers (pfSense, NAS) were advertising subnet routes but the machine wasn't accepting them:

```bash
tailscale status --json | python3 -c "
import json,sys
d=json.load(sys.stdin)
for k,v in d.get('Peer',{}).items():
    routes = v.get('PrimaryRoutes', [])
    if routes:
        print(f\"{v['HostName']}: {routes}\")
"
# Output: pfSense: ['172.16.0.0/22'], D2TESTNAS: ['192.168.0.0/24']
```

### Issue 2: DNS Wiring

```bash
resolvectl status
# resolv.conf mode: foreign  <-- WRONG, should be "stub"

ls -la /etc/resolv.conf
# -rw-r--r-- 1 root root 86 ...  <-- regular file, NOT a symlink

cat /etc/NetworkManager/NetworkManager.conf
# Empty - no dns= directive
```

NetworkManager was generating `/etc/resolv.conf` directly instead of going through systemd-resolved. Tailscale needs systemd-resolved to handle MagicDNS (.ts.net) queries.

## Fix

### Fix 1: Accept Routes

```bash
sudo tailscale set --accept-routes
```

### Fix 2: Wire NetworkManager to systemd-resolved

Step 1 - Tell NetworkManager to use systemd-resolved as DNS backend:

```bash
sudo tee /etc/NetworkManager/conf.d/dns.conf > /dev/null << 'EOF'
[main]
dns=systemd-resolved
EOF
```

Step 2 - Fix the resolv.conf symlink:

```bash
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
```

Step 3 - Restart services:

```bash
sudo systemctl restart NetworkManager
sudo systemctl restart systemd-resolved
sudo systemctl restart tailscaled
```

## Verification

```bash
resolvectl status
# resolv.conf mode: stub  <-- CORRECT

tailscale status
# No health warnings

ping d2testnas
# PING d2testnas.tailea2889.ts.net (100.85.152.90) - MagicDNS working
```

## Why This Happens

CachyOS (and many Arch installs) ship with both NetworkManager and systemd-resolved active, but NetworkManager isn't configured to delegate DNS to systemd-resolved. It writes `/etc/resolv.conf` directly, bypassing the resolved stub. Tailscale configures its MagicDNS via systemd-resolved's D-Bus API, so if resolved isn't actually handling queries, `.ts.net` names won't resolve.
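
The two conditions from Fix 2 (the `/etc/resolv.conf` symlink and the `dns=systemd-resolved` directive) can be re-checked after updates with a small script. This is an added example, not part of the original write-up; the function name `check_dns_wiring` and its optional root-prefix argument are assumptions of the example, included so the check can run against a copied `/etc` tree.

```shell
#!/bin/sh
# Added example: audit the NetworkManager -> systemd-resolved wiring.
# The optional ROOT argument is hypothetical (not a Tailscale or
# NetworkManager feature); omit it to check the live system.

check_dns_wiring() {
    root="${1:-}"
    problems=0
    resolv="$root/etc/resolv.conf"
    stub="/run/systemd/resolve/stub-resolv.conf"

    # 1. /etc/resolv.conf must be a symlink to the resolved stub file.
    #    Absolute and relative (../run/...) targets are both accepted.
    if [ -L "$resolv" ]; then
        target=$(readlink "$resolv")
        case "$target" in
            *"$stub") echo "ok: $resolv -> $target" ;;
            *) echo "FAIL: $resolv points to $target, expected $stub"
               problems=$((problems + 1)) ;;
        esac
    elif [ -e "$resolv" ]; then
        echo "FAIL: $resolv is not a symlink (resolv.conf mode: foreign)"
        problems=$((problems + 1))
    else
        echo "FAIL: $resolv is missing"
        problems=$((problems + 1))
    fi

    # 2. Some NetworkManager config file must set dns=systemd-resolved.
    found=""
    for f in "$root/etc/NetworkManager/NetworkManager.conf" \
             "$root"/etc/NetworkManager/conf.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*systemd-resolved[[:space:]]*$' "$f"; then
            found="$f"
        fi
    done
    if [ -n "$found" ]; then
        echo "ok: dns=systemd-resolved set in $found"
    else
        echo "FAIL: no dns=systemd-resolved in NetworkManager config"
        problems=$((problems + 1))
    fi

    # Exit status 0 only when both checks passed.
    [ "$problems" -eq 0 ]
}
```

Source the file and call `check_dns_wiring` with no argument to audit the running system; a non-zero status means at least one of the two conditions from Fix 2 has regressed.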