From 4dc22160a80b98afb1a47fc49dfd88500befabd9 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Wed, 19 Apr 2023 08:04:32 +0200
Subject: [PATCH] mediaserver: configure nameserver

---
 secret/container/additional-media/default.nix | Bin 2221 -> 2384 bytes
 system/hosts/mediaserver.nix                  |  10 ----------
 system/nixos/radarr.nix                       |   4 ++++
 system/nixos/sabnzbd.nix                      |   4 ++++
 system/nixos/sonarr.nix                       |   4 ++++
 5 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/secret/container/additional-media/default.nix b/secret/container/additional-media/default.nix
index 4f1b49ef75790153797d0d8cb1e8ed93a58ee817..491f0ad33555a0292a30e7568bfa1c85eec393b7 100644
GIT binary patch
literal 2384
zcmV-W39t45M@dveQdv+`059E86l>7SJ!lViKD<61zlc#r1OK=&wcbWOs0`Qpt*UFU
zP4{Rc?VI|krwf$Dx}se(K|Y{}O)Z$gDxb;~oo~hiZgF^*b|VGab8ve-skFP7OUcN^
zq$U?mj_9!2#-hYHT>m=hfcB5gL-`j)H~&?(tzY*fz%8%3ga2lBQS^Mm!x|+qA^Ps*
zONaMDD2+TymbYMb_b}TiwmOiY5gGc@w3D9^%PO#Ne1v)qwKcutSdKv1@zHO59J>co
z`@Dlbzd9!=!|F5?_qYZ&$)g}vmouRIW<X$dA|MNIS<s=RJA0ki+bY7*CcB7eNBB--
zukkGQRabf0;38!+sMKlTqOggYpQoX9H_iNHaw%`?yEHVbNL%)UqH6p+QH<!qK6?Mb
z)bn8zM<MGpY;Z{5x73JNb_3KmIku;j19;t5CQr~DJRR+!`M;6ioZB}!H@oJ3oD15g
zL&teX*MAJ%7buY)Yok^xyHLxR9hrKi;vFgO-GY@X0)c?)DfuRz<moK-sN-nLy+Gh)
z``7I5xNzM^Fk@!bNm6vtOze8+Z?^m(HkE`HR%M6lC8KP<9p7*$h4HVryZIhu0Y>Qq
zkqTEmBj~;TPLJK+Gez3KA5uQ*@R^jAdvX7l;WtMGBzGn<;+!qBe4$|LB$U0FR;1ch
zXF1$M;rPW|VRKSqRBsDF7mkDL=odv6TMj$m8#;JKJc+sz8J<v<U#mQcb?VE{Tr6!V
z;rKDBTY`&6sYy>JRk<Q^Zmjzg2LjA^hEYJz9!0rqq<>eqv^Ige#4aS9PAc6|=JgTQ
z@c31m7Zt*{T9a6W|6QB^AlHNY{ht_;K8R*GkRN%yOkS4oM70z|Vm;x~;PJCl=bfCy
z;^BXli0%Ucw9|J%8WcpTTIT#e5@RA53qo(=d{<;&cp;||pJcCl?8;W+;>^Wf276x|
z;mNrBln_HPG4@&T%Cq$e(u=J225)H?H^ZOecX*pNTo5EiauYw0rin?Jm3HI10e6dD
z%D+TPHQ8K|URE4K8-ULQ*<`>{z>Lne3xJy!YSBKb$TxE8dO=h&qEt+p5EE$WDW9a;
zQ4y7(x#nRaY3d`5Ko@&*fHlMy+}8S6+{vUq!i^l>Gvrzz9i{VH?ZV4b6%(gYk_=Mn
zpK6~`bem*hS9VK-!qyzTfl4ARBfs1MNp!6kdsYz#muf@4&6*O?rK4>_lZC#xfH#L9
zM<T6&U~@Wyjf0m~+!XG%c!{_Y8SAPBc(ht4`59T=2qAZ58DcW_iGw~IK&@lKugpO;
z?V{tr>~UoXn3oi(#A7O8Q0B_y>ym2&Exuf1oYjQ4p_Z<<{_x8tGQTFSqn_W~j#%Lx
zOhA!JfWKTkk^iUQY<g7erWS0TqRO+t&&0yW3)~f1fE2VFsT=FKr0dpsB2o$lq_-jh
zP^>XD&}>5E>Vq~AY<haHCH`v#4DMoZC0C}a2*0jdAHjz4;-)6dWA|03#Qmvnb$Md$
zQvT@J1iEE0U9AfGh93xs!>p;ie;AZU<%FgpqJB>wJUu;C@AH0WLPGyo0`H&^h%QoZ
z6K?gd9pJ(SrKCRYtx{IVArqC`FntMMI;XpbKXqN!3JW(Ox&&-aBV&DE^g)#2RqI6+
zyIiqtAdsroXmaeg#ki;~4(7-pJj-6=i`H(Gq-y+DOv&Yt-h78545~+IGOE^y;FPem
zp;U1Hr7EyxNsLSPjavI`BKv<wvgpNT7!@k{mWZdCEPTl_Sb}$aecUb4b>2|$kr_!-
zd>t(XC=@r{mwMcv7@Lyg@tey8qQ_=wIiWZqU#4k3OPv^+o;~|$7KGuO|5UjVz?<`s
z$p8P0@x#}I>0BxvB0XS>3)!;Y0jTNxYEt%!Z~f`De4CUMDU2vpWEj4Av>LqMX6XXT
zOkK?^KNp(igX$tvp{h39|NR7!LwVa@Ps%>W!>g5`RAm*z7Nq&giefUYtgc6916bPs
z=FhyIY@oLRIQ`r8`Bj1tP=lxmp9Z8*ZAcoCkP?Ife8yp0%_s2Nl=_5T^6A@MakL)F
z&N4@XVRY4&D+y<DU#cA+dHpmH8T4{yuYPePBK8+orZ>;*D0xI)*BhEFvp!_@w^y5Q
z>Q3n3KD@c!lvJ!0qD2OwJTW|cGR=Wd;<#~EQ?w-5bK@1LEC^Y^QlwhcShA+xX0UU!
zd&(JUl0p3nji`frrs3W}xIN~4Hv*RF^Zk+jwf!EHd#s3gK?aGcYm+ks;q70J;nyFE
z&gi#0Fg3KoDa1Ha%we`wcV(#&QgS{kp?dc5VAzq0#?3R{{;Pk8itNm}c(^-9l%Th9
zO{w4vCYPE-;H?&sgBF6fon>5m!WRftzQjK8v>VcY>+Qb71Vop`ec~t`A8)|jTsmMU
zZ&SM%P1K#Tkw^6igxl9$vvkHu1ny+qL4P#%n#U+Zv08SxLcVF}W>%j8HRXrH9ry`~
zTHao#*wu{I{&Jn9jA2J;6uJXG2hf{w_V~@RZ^}s(=%Jz^pOWUlCugkPxWqs1u(P=9
zsPxMC3)1X$35MvX!eMT(@y>f{^%u&fGb9Z|qn2dRWxJBAFg)}sA2SnQISM$AJe5JV
z+0kC{a@_(YX^1tCKg=LQ+;x`xcdw5<k8mx!S1|JCXaV<?#POG}9L4sXrGL1T5a#s3
zZ_+V-VX|e>!RI&#vsi~1C5FV(j&eLad)D^dtEast=l=a@K2~5|A6!8D3^mjKiH`1n
zUWmY2TmG%>fh#LPC@W_dEl_evm+l_^N~zGQnk9OllU+`eb-pl4?h30i6tLVQ7zqP`
zxf4?J;nRm)UfYa!-oH$r@}Y!p{M>60a4bkz7=nzo!LW^VG~0JrfX?8zr_ZkYCPWNJ
zMHH&=>|m9zf~V)fWpqvlFU(P!RZ7+>e3<ikw*Imi;1oo8G~KGsI}PEvYG|gh;w<1a
zjOLTMk!dxIACjshvRhuy3$!QB7hoi-_PwG|Geo<1dde(kPrd^bkgxL}`_6F^fprKg
z3cYmKoRGN!6_mBgC>543l+Ke-HYE=565Sm8Duhf=25KX+)c$_aUAuD80o+wi<_n|J
zTFyvZPj)PjE|g=f7RI#uHF^Gufq$8_+;1Q=w0fd>qw$AC(Tze`_yjIh<fo#?YMevV
Cy|o$u

literal 2221
zcmV;e2vYX|M@dveQdv+`0Pp@X-4x_PU0Gen(6u41kP<a=?g}Fw1kWjBj`LoYR@xA`
zBA3hA=3b8AZsbw#K!uD`{fcFj;mht<23kA-mMS=OU$09OxPTw^YW$Fg<ZwlH4vl}4
z>sZ{aPcRJ!^rYzna9JWhVfPfPRc#_qOAiSAznP*)R=CgzJ#BPk)>HJQ3Fnp@UuxTw
zEx?^DpAJn85ZR_fp$4E^n7n~xIX@pS&L}fV3=@+SD4M7~@w6u~v2U+_dXNclE{Bq^
zo{iRV^X%a}hXR2kH@$_`#uK(qVi~*<BO-ymC9H$1Fw!W;u^%#Z4I9ajtp{^E(a%p*
zBu8&YdcBv1jojr_J<Pz;6>JWgIX&7l>X@$~b{30cl4R^aYz1WQ`o#ql);)0*vvlN~
z+v;&M$nbx=_HhmICQ%9E=UkR!!SimLnPI~pi{OYe4qt)If?}DA3F>bIxOx63kE)EP
zkq(}jAY(k8^y-k(!h@6GkCKC`jQtxkN6ROEreq2~F1?Hd)ez~PpC4$r;u_QIKL$RU
zn|XInwH-c!+f*+E-q(rAW}~y-0(9i#*u8VQo%{t(B7QoSASzOrx+tJgOhcN5)$Pn(
zoX6TXB7A`fK@%YFXfD!&9Z27THax1Kjsrp-*G0MmcCfa1%B8>~*%q@Hb(FlFC-<kW
zs|iVDWcy1{zFkikl&l91t~x`*Lz<-%Pn9JM^rLNrkdy!3gq=Le-YP?qq)+nhPv&L?
zGDwlQIsaAeY=w-WhpIVg@kt~x-}n*v^Ckws>gQDW=tp^6X8-vPCMznfQ30u{oQjNE
zTO#F@huGn0oc}@B0|X?&AjtYHBsBGUfCm#ZZEORl^m`g}ATcC1GOOK~ezmHBwoU!J
zJ2+6rreut^uPwnl!Jy*_!SSN}b?M^;X%*XELZg1gKIsUr-~m-^O9wbAUruk5<Q0Cn
z%d&+{b(a7Z31GI`#<D8g_+O}SSG%qoTGfu*0<o5A)%W}ndD6w+bXAn4=S6^NZ}|B4
zjDEN3`*fC4MF)4Smt0WGGis78{j=B~r|8PdeYbEUm`X5eEv#_U2_P|(pW<o6OMPLd
z&J;3uX$qUs*c^S?P9w>EliW`fXXvb{K0o?C@S?dZ=1X2W(UUV%;)~NGd8O2SizCRG
zw-7bCQH!&ZPLj|^>%JQwP(Ttef8$Kz+xo%?seaY5eVWjOi7}hh+NqQ*x=u|n6!WGZ
zoljNW&yaqf5BZLW$?j<?Gk59>Wa&SX=?T)iMVJw_P<{S$F1vKOxMSNm!+7hOX_>=q
z49~-qk-P}DBu)}jxbp5B5ap{i!FdCIpbuj95`^IEPFtxmi|S^4lKwUmk2Q!n5@^aV
zwHu~`aTMY?T#}|*ZL#yZqYW4r_#hdJJmoMKl(vk}@au*=Kh-7JjElA1tWoP1j7|nd
zdVQ59s(jNIN>bbL;{p#C0$G7HUAjhlO&oS}SQ@^P2;uhwV;4iv{<&i=bgG@pWTwL8
z`MkW8c9?5)EtELS8kRAUr^c2P)Y107Oj=YXohM*PW<ZlqLPt%8{GFz+mZ3zMttU^{
zF#=wf$w5fRIR$0bbX7_RZ<m5?!}lhGtXy%ty?)k>Y#l$lng~>M3yq~$=f_Rw_VRw1
z-<7SAO5i=ro^Gk4RG(XkEm$h2QL@UMVn~knh%tLRX-rk@Bpoe{Z8+T?A^)&}r9X4A
zocB<rS5sdiK^^U2n_0!EGR*qgkE8`Jv|BkOIY1I>6oIh)X<q+kMX%rTvp%~23jIgW
zZlQbIS<Jq8738XI@!|}k!+noXm}2I=-iH$*e}g9A5WqDu)l_W8G7A-vWv$j@cuwj@
zp27%6C;)fqvzUK%;RMSGy+x)OJ{gOnMpIkVav1WUooWZjQm<$QMZc8cZ*Fp!4Y5NL
zVpFfO1>5)ER1eEU;}ZxFzn;+-B9iV`&trUjsg#w@KV*6f1kW}(x>OsHb*yM0a=7WM
z>I&DW0fXFpWxX(Q9xKi+>a@tJ5I84LO)onhh{-!e#-^RURmH9br8_!7GiwIGTYV7s
z)efW00O#QVdrrEF`CH8V)8*2tD8>~M9k^Pi#H$p__Zio9<B@^XI(gJuYsmI^asTpx
zRzsB@sqg8=nc@2j8Imca8z4?B4#JXZ-KkEpN&xo0ewnTKqZ}da$3IEvD5N2`QDApo
zvk|EyHR9jwbRo7ku?NJ3JdhZZx@uGofKFOGRaY5b8)J6N+Auj0=KtjeHJpSm8ec{d
zyzv8qX)o5l{wN(|l0^2D6fXe7U`?_nIFHF#Z~ODnl}jo_v>wdHOcv0`DT0@!tdojf
zz5=u=c$${Gii1nknvZ>LEgY$18o42vW#FJM0CD$L?()~_gFYzI;N$w;0J&$i8zQ{Q
zy$YbJ;HYtL{RgV)&?8v43dptJ*>@?LoboGKcI6U10F2eF>Nr#qx7_z;GgPpWac4;4
zz;NK+FhfJPnWD?(aG$3G<!t(=Gy54$-_bN@#_1QD*VU5k|1$#nBzS%%QJHb~+Flpi
z$+3JR%$rJKIMS>zD#bMjG><0>5AbM>d}!8<2LFmi)V9IASv99{3tbFZD^ZW4hl~ZE
zq7K5sZv2EpBzuJ}Wgk_H$$R<Pdo7sZ9AzSuoNl@3i#QFu4@G*ma;6;jCAO=)PY2D=
zx>cRo28GxbFwVK&R--X~7WAlWhdI;Muc&iu##lp*PrJn}B}cbG-UMo2Q&)j@T2@qD
z{9&<4TLw33s2m%Axs=(JiAXP(MJ?yvuuWB1l=?w^K^svp=*X6?s;n^MNm@hkyUN*@
zShWmEaVMNSfr~Iijjt4*Z687eO7dFfwUl3->iWdP52~83(t(5p_`P0S6S*M2y}@l<
v3J7I`4K$sk?vGU*Y)EaS=?RptqGNyTV0LRN*V2H%3H1xO%Iyth2_{*$9_>Ts

diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index 6517d7d..5e8f1ab 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -102,16 +102,6 @@ in
     };
   };
 
-  services.resolved.enable = false;
-
-  environment.etc."resolv.conf" = {
-    mode = "0644";
-    text = ''
-      search lan
-      nameserver 10.0.0.1
-    '';
-  };
-
   services.journald.extraConfig = ''
     SystemMaxUse=1G
   '';
diff --git a/system/nixos/radarr.nix b/system/nixos/radarr.nix
index e5c96c8..e7cc99a 100644
--- a/system/nixos/radarr.nix
+++ b/system/nixos/radarr.nix
@@ -14,6 +14,10 @@
 
     serviceConfig = {
       NetworkNamespacePath = "/var/run/netns/wg";
+      BindReadOnlyPaths = [
+        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+      ];
     };
   };
 
diff --git a/system/nixos/sabnzbd.nix b/system/nixos/sabnzbd.nix
index bafaf1b..85b5be3 100644
--- a/system/nixos/sabnzbd.nix
+++ b/system/nixos/sabnzbd.nix
@@ -14,6 +14,10 @@
       User = "media_user";
       Group = "media_group";
       NetworkNamespacePath = "/var/run/netns/wg";
+      BindReadOnlyPaths = [
+        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+      ];
       ExecStart = "${pkgs.sabnzbd}/bin/sabnzbd -d -f /var/lib/sabnzbd/sabnzbd.ini";
     };
   };
diff --git a/system/nixos/sonarr.nix b/system/nixos/sonarr.nix
index 801664f..4c45fbe 100644
--- a/system/nixos/sonarr.nix
+++ b/system/nixos/sonarr.nix
@@ -14,6 +14,10 @@
 
     serviceConfig = {
       NetworkNamespacePath = "/var/run/netns/wg";
+      BindReadOnlyPaths = [
+        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+      ];
     };
   };