fix(tazjin/koptevo): let gonic access /etc/resolv.conf

Without this line, accessing external APIs from Gonic (e.g. scrobbling to Listenbrainz) does not work (unless a local resolver exists). This is because in the pure Go DNS implementation used in gonic, only /etc/resolv.conf can provide resolvers. Change-Id: I26dd9a845b0a70c4cfb983c68da2b76b7e57dfec Reviewed-on: https://cl.tvl.fyi/c/depot/+/9502 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-10-02 00:53:57 +03:00 · 2023-10-02 00:53:57 +03:00 · 63d3d8cc35
commit 63d3d8cc35
parent ac94bf46a6
1 changed files with 6 additions and 0 deletions
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@ -146,6 +146,12 @@ in
    };
  };

+  # hack to work around the strict sandboxing of the gonic module
+  # breaking DNS resolutino
+  systemd.services.gonic.serviceConfig.BindReadOnlyPaths = [
+    "-/etc/resolv.conf"
+  ];
+
  services.nginx.virtualHosts."music.tazj.in" = {
    addSSL = true;
    enableACME = true;