-rw-r--r--hosts/vidhar/prometheus/default.nix25
1 files changed, 13 insertions, 12 deletions
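--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -207,18 +207,19 @@ in {
 path = with pkgs; [ nftables ];
 serviceConfig = {
 Restart = "always";
-PrivateTmp = true;
-WorkingDirectory = "/tmp";
-CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
-DynamicUser = true;
-DeviceAllow = [""];
-LockPersonality = true;
-MemoryDenyWriteExecute = true;
-NoNewPrivileges = true;
-PrivateDevices = true;
-ProtectClock = true;
-ProtectControlGroups = true;
-ProtectHome = true;
+
+# PrivateTmp = true;
+# WorkingDirectory = "/tmp";
+# CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+# DynamicUser = true;
+# DeviceAllow = [""];
+# LockPersonality = true;
+# MemoryDenyWriteExecute = true;
+# NoNewPrivileges = true;
+# PrivateDevices = true;
+# ProtectClock = true;
+# ProtectControlGroups = true;
+# ProtectHome = true;
 ProtectHostname = true;
 ProtectKernelLogs = true;
 ProtectKernelModules = true;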
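Review bot: The new side (lines 211-222) comments out the whole first half of the service's sandbox — DynamicUser, NoNewPrivileges, MemoryDenyWriteExecute, PrivateDevices, ProtectHome and the capability bounding set — in one go, leaving no record of which directive actually broke the unit and no TODO to restore the rest. One likely culprit is visible in the hunk itself: `"CAP_SET_PCAP"` is not a Linux capability name (the real one is `CAP_SETPCAP`), so the bounding set as written could never have granted what the nftables helper needs, and fixing that spelling may remove the reason to disable the other directives at all. I would keep every directive that is unrelated to nftables enabled and replace the blank line 210 with a note such as `# sandboxing partially disabled: <DIRECTIVE> breaks nftables invocation; TODO re-enable the rest once confirmed`, with the directive name filled in after bisecting. The enclosing serviceConfig attribute set continues past the end of the hunk.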