authorVincent Ambo <tazjin@tvl.su>2023-10-01T21·53+0300
committertazjin <tazjin@tvl.su>2023-10-01T22·15+0000
commit63d3d8cc35c58f8cde5f57f4fc551cb15e9bed1f (patch)
tree25bbce12e30d279f4ace396b892052305feb1fbe /users/tazjin/nixos/koptevo
parentac94bf46a62d32066f47c88b965f98cb2b01fe5e (diff)
fix(tazjin/koptevo): let gonic access /etc/resolv.conf r/6684
Without this line, accessing external APIs from Gonic (e.g. scrobbling
to Listenbrainz) does not work (unless a local resolver exists). This
is because in the pure Go DNS implementation used in gonic, only
/etc/resolv.conf can provide resolvers.

Change-Id: I26dd9a845b0a70c4cfb983c68da2b76b7e57dfec
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9502
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'users/tazjin/nixos/koptevo')
-rw-r--r--users/tazjin/nixos/koptevo/default.nix6
1 files changed, 6 insertions, 0 deletions
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 8149070a8d53..c1ac3571fd64 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -146,6 +146,12 @@ in
     };
   };
 
+  # hack to work around the strict sandboxing of the gonic module
+  # breaking DNS resolutino
+  systemd.services.gonic.serviceConfig.BindReadOnlyPaths = [
+    "-/etc/resolv.conf"
+  ];
+
   services.nginx.virtualHosts."music.tazj.in" = {
     addSSL = true;
     enableACME = true;
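Review bot: The comment above the added `BindReadOnlyPaths` misspells "resolution" and does not record what is being let through the sandbox. Something like `# gonic's sandbox hides /etc/resolv.conf, which its pure-Go resolver needs; expose only that file, read-only` would make the intent auditable later. The leading `-` in `"-/etc/resolv.conf"` tells systemd to skip the bind silently when the source path is missing, so the DNS failure described in the commit message could return with no error at unit start. If the file is expected to always exist on this host, dropping the `-` would turn that case into a visible start failure. The grant itself is one file, read-only, which keeps the sandbox exception narrow.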