| -rw-r--r-- | hosts/vidhar/prometheus/default.nix | 6 | 
1 files changed, 3 insertions, 3 deletions
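--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -209,7 +209,8 @@ in {
 Restart = "always";
 PrivateTmp = true;
 WorkingDirectory = "/tmp";
-CapabilityBoundingSet = [""];
+CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+DynamicUser = true;
 DeviceAllow = [""];
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -224,13 +225,12 @@ in {
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
 RemoveIPC = true;
-RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
 UMask = "0077";
-AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 
 Type = "simple";
 ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";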
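Review bot: `"CAP_SET_PCAP"` in the new CapabilityBoundingSet line of the first hunk is not a Linux capability name (the real one is `CAP_SETPCAP`), and NixOS passes the string through to the unit unchanged, so systemd will log a parse warning for that entry and ignore it — the effective bounding set is narrower than the line suggests, and it is unclear the service needed it at all. With DynamicUser and an ambient CAP_NET_ADMIN, CAP_SETUID and CAP_SETGID also look unrelated to an exporter unless the binary changes identity itself; `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` would state exactly what the ambient grant relies on (systemd may extend the bounding set with the ambient set on its own, but naming it explicitly documents the intent). Dropping RestrictAddressFamilies in the second hunk removes a meaningful restriction for a network-facing process; if one family was missing, it is preferable to add it, e.g. `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];`, rather than allowing every socket family. The serviceConfig attribute set these lines belong to starts and ends outside both hunks.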
