authorGregor Kleen <gkleen@yggdrasil.li>2022-01-01 17:10:42 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-01-01 17:10:42 +0100
commit66852648fba1d64fee1a357ae774e905a778a08e (patch)
tree90390d1eeb36bdb7883ceac7ff807381e499a396
parent3336fa2007b9a879e8835badc645dca6ba6123cd (diff)
downloadnixos-66852648fba1d64fee1a357ae774e905a778a08e.tar
nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar.gz
nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar.bz2
nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar.xz
nixos-66852648fba1d64fee1a357ae774e905a778a08e.zip
...
-rw-r--r--hosts/vidhar/prometheus/default.nix6
1 files changed, 3 insertions, 3 deletions
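--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -209,7 +209,8 @@ in {
 Restart = "always";
 PrivateTmp = true;
 WorkingDirectory = "/tmp";
-CapabilityBoundingSet = [""];
+CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+DynamicUser = true;
 DeviceAllow = [""];
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -224,13 +225,12 @@ in {
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
 RemoveIPC = true;
-RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
 UMask = "0077";
-AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 
 Type = "simple";
 ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";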
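Review bot: `CAP_SET_PCAP` on the new CapabilityBoundingSet line in the first hunk is not a Linux capability name (the capability is `CAP_SETPCAP`), and systemd skips bounding-set entries it cannot parse with only a warning in the journal, so the set the unit actually gets will differ from what was written; the line should read `CapabilityBoundingSet = [ "CAP_SETPCAP" "CAP_SETUID" "CAP_SETGID" ];`. With `DynamicUser = true` added on the next line the service does not start as root, so unless the exporter itself switches uid/gid the CAP_SETUID/CAP_SETGID entries are presumably surplus and could be dropped to keep the bounding set at the minimum. In the second hunk the whole `RestrictAddressFamilies` line is deleted rather than amended, which lifts the socket-family restriction entirely; if a further family is needed it would be tighter to list it explicitly, e.g. keep `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];` and extend it, and a one-line comment stating why the restriction had to go would help the next reader. The enclosing serviceConfig attribute set starts and ends outside both hunks.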