1 files changed, 6 insertions, 6 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 780d30ce..3d0af319 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -208,12 +208,12 @@ in {
      serviceConfig = {
        Restart = "always";
-        # PrivateTmp = true;
+        PrivateTmp = true;
-        # WorkingDirectory = "/tmp";
+        WorkingDirectory = "/tmp";
-        # CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+        CapabilityBoundingSet = ["CAP_NET_ADMIN"];
-        # DynamicUser = true;
+        DynamicUser = true;
-        # DeviceAllow = [""];
+        DeviceAllow = [""];
-        # LockPersonality = true;
+        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 780d30ce..3d0af319 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -208,12 +208,12 @@ in {
208	serviceConfig = {	208	serviceConfig = {
209	Restart = "always";	209	Restart = "always";
210		210
211	# PrivateTmp = true;	211	PrivateTmp = true;
212	# WorkingDirectory = "/tmp";	212	WorkingDirectory = "/tmp";
213	# CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];	213	CapabilityBoundingSet = ["CAP_NET_ADMIN"];
214	# DynamicUser = true;	214	DynamicUser = true;
215	# DeviceAllow = [""];	215	DeviceAllow = [""];
216	# LockPersonality = true;	216	LockPersonality = true;
217	MemoryDenyWriteExecute = true;	217	MemoryDenyWriteExecute = true;
218	NoNewPrivileges = true;	218	NoNewPrivileges = true;
219	PrivateDevices = true;	219	PrivateDevices = true;