authorGregor Kleen <gkleen@yggdrasil.li>2022-01-01 17:12:29 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-01-01 17:12:29 +0100
commit20a5b98a3acd1ebfc1c30f4897662b41e7ec966d (patch)
tree442ecba39485eca48880ded7150e5cd182a94bac
parent66852648fba1d64fee1a357ae774e905a778a08e (diff)
downloadnixos-20a5b98a3acd1ebfc1c30f4897662b41e7ec966d.tar
nixos-20a5b98a3acd1ebfc1c30f4897662b41e7ec966d.tar.gz
nixos-20a5b98a3acd1ebfc1c30f4897662b41e7ec966d.tar.bz2
nixos-20a5b98a3acd1ebfc1c30f4897662b41e7ec966d.tar.xz
nixos-20a5b98a3acd1ebfc1c30f4897662b41e7ec966d.zip
...
-rw-r--r--hosts/vidhar/prometheus/default.nix25
1 files changed, 13 insertions, 12 deletions
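--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -207,18 +207,19 @@ in {
 path = with pkgs; [ nftables ];
 serviceConfig = {
 Restart = "always";
-PrivateTmp = true;
-WorkingDirectory = "/tmp";
-CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
-DynamicUser = true;
-DeviceAllow = [""];
-LockPersonality = true;
-MemoryDenyWriteExecute = true;
-NoNewPrivileges = true;
-PrivateDevices = true;
-ProtectClock = true;
-ProtectControlGroups = true;
-ProtectHome = true;
+
+# PrivateTmp = true;
+# WorkingDirectory = "/tmp";
+# CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+# DynamicUser = true;
+# DeviceAllow = [""];
+# LockPersonality = true;
+# MemoryDenyWriteExecute = true;
+# NoNewPrivileges = true;
+# PrivateDevices = true;
+# ProtectClock = true;
+# ProtectControlGroups = true;
+# ProtectHome = true;
 ProtectHostname = true;
 ProtectKernelLogs = true;
 ProtectKernelModules = true;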
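Review bot: The new side disables twelve sandboxing directives at once (DynamicUser, NoNewPrivileges, CapabilityBoundingSet, PrivateTmp, PrivateDevices, DeviceAllow, LockPersonality, MemoryDenyWriteExecute, ProtectClock, ProtectControlGroups, ProtectHome, WorkingDirectory) with no comment saying why, and since they are commented out rather than removed the config now reads as if they still applied. If only one of them blocks this unit's nftables access, the others (ProtectHome, ProtectClock, LockPersonality, MemoryDenyWriteExecute, ProtectControlGroups, PrivateDevices) look unrelated and could stay enabled; with DynamicUser off, whether the unit still runs under a dedicated user depends on a User= setting outside this hunk, and with CapabilityBoundingSet off a root-run service keeps its full capability set. A note such as `# Hardening disabled while debugging nftables access; TODO(<issue-placeholder>): re-enable and narrow CapabilityBoundingSet to what nftables needs` would record the intent. Separately, the commented CapabilityBoundingSet entry `CAP_SET_PCAP` does not match the capability name `CAP_SETPCAP`, so it is worth checking before the line is restored. The enclosing serviceConfig attribute set continues past the end of the hunk.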