| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-01 17:10:42 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-01 17:10:42 +0100 |
| commit | 66852648fba1d64fee1a357ae774e905a778a08e (patch) | |
| tree | 90390d1eeb36bdb7883ceac7ff807381e499a396 /hosts/vidhar | |
| parent | 3336fa2007b9a879e8835badc645dca6ba6123cd (diff) | |
| download | nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar.gz nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar.bz2 nixos-66852648fba1d64fee1a357ae774e905a778a08e.tar.xz nixos-66852648fba1d64fee1a357ae774e905a778a08e.zip | |
...
Diffstat (limited to 'hosts/vidhar')
| -rw-r--r-- | hosts/vidhar/prometheus/default.nix | 6 |
1 files changed, 3 insertions, 3 deletions
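--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -209,7 +209,8 @@ in {
 Restart = "always";
 PrivateTmp = true;
 WorkingDirectory = "/tmp";
-CapabilityBoundingSet = [""];
+CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+DynamicUser = true;
 DeviceAllow = [""];
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -224,13 +225,12 @@ in {
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
 RemoveIPC = true;
-RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
 UMask = "0077";
-AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 
 Type = "simple";
 ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";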
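Review bot: `CAP_SET_PCAP` in the new `CapabilityBoundingSet` line (new line 212 of the first hunk) is not a Linux capability name — the capability that lets systemd install the ambient set when switching to the dynamic user is spelled `CAP_SETPCAP`, so systemd will not recognise this token and the bounding set will likely end up holding only `CAP_SETUID` and `CAP_SETGID`; write `CapabilityBoundingSet = [ "CAP_SETPCAP" "CAP_SETUID" "CAP_SETGID" ];` and verify with `systemctl show <unit> -p CapabilityBoundingSet` after deployment. Whether `CAP_NET_ADMIN` from `AmbientCapabilities` must also be listed in the bounding set for this unit is not visible here; confirm against the running service rather than assuming. In the second hunk, dropping `RestrictAddressFamilies` entirely removes a socket-family restriction that previously limited the exporter to `AF_INET`, `AF_INET6` and `AF_NETLINK`; if the motivation was that `DynamicUser` needs an additional family (presumably `AF_UNIX`), extend the list, e.g. `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];`, instead of deleting the setting. The enclosing `serviceConfig` attribute set begins before the first hunk and continues after the second.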
