authorGregor Kleen <gkleen@yggdrasil.li>2022-11-08 09:32:15 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-11-08 09:32:15 +0100
commitac9bdcb42a3396268aebda74b7a69b1a6a4117b5 (patch)
tree6518317405892055fd0c1fb30db19822914ea99c
parenta13b3508981258145a9a7b516225e66f20d82473 (diff)
...
-rw-r--r--hosts/surtr/tls/default.nix5
-rw-r--r--hosts/vidhar/prometheus/default.nix4
2 files changed, 5 insertions, 4 deletions
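--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -96,7 +96,10 @@ in {
 serviceAttrset = domain: {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
-serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
+serviceConfig = {
+LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
+SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ];
+};
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 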
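Review bot: The forced `SystemCallFilter` on the `acme-${domain}` units (new line 101) depends on entry order and carries no explanation: systemd evaluates the list in sequence, so `"@chown"` only has an effect because it comes after `"~@privileged"`, which would otherwise remove the ownership-changing calls from the allow-list. `mkForce` also replaces whatever filter the upstream module defines, so any later upstream change to that filter would presumably not reach these units. I would add a comment above the line, for example `# order matters: "@chown" after "~@privileged" re-allows chown(2), needed for <reason>; mkForce replaces the upstream filter`. The same kind of comment would help on the forced filter in hosts/vidhar/prometheus/default.nix, where the `"@resources"` entry is dropped. The `let` block that holds `serviceAttrset` begins outside this hunk.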
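--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -400,9 +400,7 @@ in {
 
 systemd.services.prometheus = {
 serviceConfig = {
-SystemCallFilter = [
-"@resources"
-];
+SystemCallFilter = mkForce [ "@system-service" "~@privileged" ];
 };
 };
 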