author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-01 17:10:42 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-01 17:10:42 +0100 |
commit | 66852648fba1d64fee1a357ae774e905a778a08e (patch) | |
tree | 90390d1eeb36bdb7883ceac7ff807381e499a396 | |
parent | 3336fa2007b9a879e8835badc645dca6ba6123cd (diff) | |
...
-rw-r--r-- | hosts/vidhar/prometheus/default.nix | 6 |
1 files changed, 3 insertions, 3 deletions
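diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index da34e7ba..76c79689 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -209,7 +209,8 @@ in {
 Restart = "always";
 PrivateTmp = true;
 WorkingDirectory = "/tmp";
-CapabilityBoundingSet = [""];
+CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+DynamicUser = true;
 DeviceAllow = [""];
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -224,13 +225,12 @@ in {
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
 RemoveIPC = true;
-RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
 UMask = "0077";
-AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 
 Type = "simple";
 ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";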
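Review bot: `CAP_SET_PCAP` in the new `CapabilityBoundingSet` (first hunk) is not a capability name; the kernel's name is `CAP_SETPCAP`, so systemd will most likely ignore that entry with a parse warning and the set is effectively `CAP_SETUID CAP_SETGID`. The set also omits `CAP_NET_ADMIN`, the one capability `AmbientCapabilities` still grants, while admitting identity-changing capabilities the exporter presumably never needs; if they were added only to get the unit starting with `DynamicUser = true`, I would try `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` and put a comment above any extra entry saying why it is there. The second hunk removes `RestrictAddressFamilies` outright instead of widening it; if the cause was a missing `AF_UNIX` (an assumption, the commit message does not say), `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];` would keep the socket filter in place. The attribute set starts and ends outside both hunks, so settings such as `NoNewPrivileges` may already limit the effect and should be checked there.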