From 87f425b1c69057f627bd3dcfbd74ecfde2230a28 Mon Sep 17 00:00:00 2001
From: Lander Van den Bulcke
Date: Sun, 21 Sep 2025 11:44:19 +0200
Subject: [PATCH 1/2] feat: prevent dns leaks
Signed-off-by: Lander Van den Bulcke
---
 hosts/servers/hosting-02.nix | 1 +
 modules/nixos/namespaced-vpn.nix | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/hosts/servers/hosting-02.nix b/hosts/servers/hosting-02.nix
index 83af31b..491c495 100644
--- a/hosts/servers/hosting-02.nix
+++ b/hosts/servers/hosting-02.nix
@@ -23,6 +23,7 @@
 publicKey = "KkShcqgwbkX2A9n1hhST6qu+m3ldxdJ2Lx8Eiw6mdXw=";
 endpoint = "146.70.117.226:51820";
 privateKeyFile = config.sops.secrets.wireguardKey.path;
+ dns = "10.64.0.1";
 };
 services.storagebox = {
diff --git a/modules/nixos/namespaced-vpn.nix b/modules/nixos/namespaced-vpn.nix
index b6f7a2a..e95e2c0 100644
--- a/modules/nixos/namespaced-vpn.nix
+++ b/modules/nixos/namespaced-vpn.nix
@@ -47,6 +47,11 @@ in
 type = types.str;
 default = "10.10.10.2/30";
 };
+
+ dns = mkOption {
+ type = types.str;
+ default = "9.9.9.9";
+ };
 };
 config = mkIf cfg.enable {
@@ -138,5 +143,10 @@ in
 };
 };
+ environment.etc."netns/${cfg.namespace}/resolv.conf" = {
+ text = ''
+ nameserver ${cfg.dns}
+ '';
+ };
 };
 }
From a3bd66771e1747039bfdef18767778f380b8e1d9 Mon Sep 17 00:00:00 2001
From: Lander Van den Bulcke
Date: Sun, 21 Sep 2025 11:53:33 +0200
Subject: [PATCH 2/2] feat: add gonic
Signed-off-by: Lander Van den Bulcke
---
 hosts/servers/hosting-02.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/hosts/servers/hosting-02.nix b/hosts/servers/hosting-02.nix
index 491c495..b6eb4d8 100644
--- a/hosts/servers/hosting-02.nix
+++ b/hosts/servers/hosting-02.nix
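Review bot: The new `dns` option in modules/nixos/namespaced-vpn.nix (hunk at -47) has no `description` and accepts any string, which the later hunk in the same file writes verbatim into the namespace's resolv.conf. Since the option exists to stop leaks, I would constrain and document it, e.g. `type = types.strMatching "[0-9a-fA-F.:]+";` and `description = "Nameserver written to /etc/netns/<namespace>/resolv.conf; must be reachable through the VPN interface.";`. The default `9.9.9.9` is a public resolver rather than a provider-side one, so a host that enables the module without setting `dns` sends its lookups to a third party without any warning; dropping the default so the option must be set explicitly would avoid that. The enclosing `options` block starts outside the hunk.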
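Review bot: The `environment.etc."netns/${cfg.namespace}/resolv.conf"` entry in modules/nixos/namespaced-vpn.nix (hunk at -138) is only picked up by processes started through `ip netns exec`, which bind-mounts that file over `/etc/resolv.conf`; a systemd unit joined with `NetworkNamespacePath=` still reads the host's resolv.conf. How services enter the namespace is outside this hunk, so this needs confirming, but if they use the systemd directive each confined unit also needs something like `BindReadOnlyPaths = [ "/etc/netns/${cfg.namespace}/resolv.conf:/etc/resolv.conf" ];`. On NixOS, glibc lookups can additionally be answered by the host's nscd socket under `/run/nscd`, which resolves outside the namespace, so it is worth checking that confined units cannot reach it. A short comment above the attribute naming the mechanism that consumes the file would make the leak-prevention assumption explicit.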
@@ -68,6 +68,24 @@
 };
 };
+ services.gonic = {
+ enable = true;
+ settings = {
+ music-path = [ "/data/music" ];
+ podcast-path = [ "/data/podcast" ];
+ playlists-path = [ "/data/playlists" ];
+ };
+ };
+
+ services.nginx.virtualHosts."music.escapeangle.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:4747";
+ proxyWebsockets = true;
+ };
+ };
+
 sops = {
 defaultSopsFile = ./hosting-02.yaml;
 secrets = {
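Review bot: The `music.escapeangle.com` vhost publishes gonic to the internet, but nothing in the hunk pins where the backend listens or deals with its initial credentials. I would set `listen-addr = "127.0.0.1:4747";` in `settings` so port 4747 is reachable only through nginx regardless of the module default, and use `proxyPass = "http://127.0.0.1:4747";` so the proxy does not depend on how `localhost` resolves. gonic's documentation describes a default first-run admin login, so the admin password should be changed before the vhost goes live; a comment next to `services.gonic` recording that step would help. The trailing `sops` block continues outside the hunk.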