From 63d3d8cc35c58f8cde5f57f4fc551cb15e9bed1f Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Mon, 2 Oct 2023 00:53:57 +0300 Subject: fix(tazjin/koptevo): let gonic access /etc/resolv.conf Without this line, accessing external APIs from Gonic (e.g. scrobbling to Listenbrainz) does not work (unless a local resolver exists). This is because in the pure Go DNS implementation used in gonic, only /etc/resolv.conf can provide resolvers. Change-Id: I26dd9a845b0a70c4cfb983c68da2b76b7e57dfec Reviewed-on: https://cl.tvl.fyi/c/depot/+/9502 Reviewed-by: tazjin Tested-by: BuildkiteCI
---
 users/tazjin/nixos/koptevo/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'users/tazjin/nixos')
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 8149070a8d53..c1ac3571fd64 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -146,6 +146,12 @@ in
 };
 };
 
+ # hack to work around the strict sandboxing of the gonic module
+ # breaking DNS resolutino
+ systemd.services.gonic.serviceConfig.BindReadOnlyPaths = [
+ "-/etc/resolv.conf"
+ ];
+
 services.nginx.virtualHosts."music.tazj.in" = {
 addSSL = true;
 enableACME = true;
-- cgit 1.4.1
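Review bot: The comment above `BindReadOnlyPaths` calls this a hack and misspells "resolution" as "resolutino", but it does not record the reason given in the commit message; I would write `# gonic uses the pure Go resolver, which only reads /etc/resolv.conf, so expose that file read-only inside the unit's sandbox`. The leading `-` in `"-/etc/resolv.conf"` tells systemd to skip the bind when the source path does not exist, so on a host without that file the unit still starts and outbound lookups fail with no error at activation; the comment should say whether that is intended. Because this binds a single file, a host that replaces resolv.conf by rename may leave gonic reading the old copy until the service restarts, which is worth confirming for this machine.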