...

2 files changed, 5 insertions, 4 deletions

diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 9b1fd1f3..d4eb1fb0 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -96,7 +96,10 @@ in {
         serviceAttrset = domain: {
           after = [ "knot.service" ];
           bindsTo = [ "knot.service" ];
-          serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
+          serviceConfig = {
+            LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
+            SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ];
+          };
         };
       in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index de7837dc..a8246e8c 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -400,9 +400,7 @@ in {
 
     systemd.services.prometheus = {
       serviceConfig = {
-        SystemCallFilter = [
-          "@resources"
-        ];
+        SystemCallFilter = mkForce [ "@system-service" "~@privileged" ];
       };
     };