...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-01-01 17:27:57 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-01-01 17:27:57 +0100
commit: ee4098134e21f6c1ca6eda7c33cd15efdc1923a7 (patch)
tree: b5643afa202b1242edc7920a64ef84b837e7f3f8 /hosts/vidhar
parent: b7651f2b5270e43ac37240a706164fc5a708f39f (diff)
download: nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar
nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar.gz
nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar.bz2
nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar.xz
nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.zip
1 files changed, 6 insertions, 6 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 780d30ce..3d0af319 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -208,12 +208,12 @@ in {
      serviceConfig = {
        Restart = "always";
-        # PrivateTmp = true;
+        PrivateTmp = true;
-        # WorkingDirectory = "/tmp";
+        WorkingDirectory = "/tmp";
-        # CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+        CapabilityBoundingSet = ["CAP_NET_ADMIN"];
-        # DynamicUser = true;
+        DynamicUser = true;
-        # DeviceAllow = [""];
+        DeviceAllow = [""];
-        # LockPersonality = true;
+        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-01-01 17:27:57 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-01-01 17:27:57 +0100
commit	ee4098134e21f6c1ca6eda7c33cd15efdc1923a7 (patch)
tree	b5643afa202b1242edc7920a64ef84b837e7f3f8 /hosts/vidhar
parent	b7651f2b5270e43ac37240a706164fc5a708f39f (diff)
download	nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar.gz nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar.bz2 nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.tar.xz nixos-ee4098134e21f6c1ca6eda7c33cd15efdc1923a7.zip

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 780d30ce..3d0af319 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -208,12 +208,12 @@ in {
208	serviceConfig = {	208	serviceConfig = {
209	Restart = "always";	209	Restart = "always";
210		210
211	# PrivateTmp = true;	211	PrivateTmp = true;
212	# WorkingDirectory = "/tmp";	212	WorkingDirectory = "/tmp";
213	# CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];	213	CapabilityBoundingSet = ["CAP_NET_ADMIN"];
214	# DynamicUser = true;	214	DynamicUser = true;
215	# DeviceAllow = [""];	215	DeviceAllow = [""];
216	# LockPersonality = true;	216	LockPersonality = true;
217	MemoryDenyWriteExecute = true;	217	MemoryDenyWriteExecute = true;
218	NoNewPrivileges = true;	218	NoNewPrivileges = true;
219	PrivateDevices = true;	219	PrivateDevices = true;