1 files changed, 13 insertions, 12 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 76c79689..51ead7e2 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -207,18 +207,19 @@ in {
      path = with pkgs; [ nftables ];
      serviceConfig = {
        Restart = "always";
-        PrivateTmp = true;
-        WorkingDirectory = "/tmp";
+        # PrivateTmp = true;
-        CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+        # WorkingDirectory = "/tmp";
-        DynamicUser = true;
+        # CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
-        DeviceAllow = [""];
+        # DynamicUser = true;
-        LockPersonality = true;
+        # DeviceAllow = [""];
-        MemoryDenyWriteExecute = true;
+        # LockPersonality = true;
-        NoNewPrivileges = true;
+        # MemoryDenyWriteExecute = true;
-        PrivateDevices = true;
+        # NoNewPrivileges = true;
-        ProtectClock = true;
+        # PrivateDevices = true;
-        ProtectControlGroups = true;
+        # ProtectClock = true;
-        ProtectHome = true;
+        # ProtectControlGroups = true;
+        # ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 76c79689..51ead7e2 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -207,18 +207,19 @@ in {
207	path = with pkgs; [ nftables ];	207	path = with pkgs; [ nftables ];
208	serviceConfig = {	208	serviceConfig = {
209	Restart = "always";	209	Restart = "always";
210	PrivateTmp = true;	210
211	WorkingDirectory = "/tmp";	211	# PrivateTmp = true;
212	CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];	212	# WorkingDirectory = "/tmp";
213	DynamicUser = true;	213	# CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
214	DeviceAllow = [""];	214	# DynamicUser = true;
215	LockPersonality = true;	215	# DeviceAllow = [""];
216	MemoryDenyWriteExecute = true;	216	# LockPersonality = true;
217	NoNewPrivileges = true;	217	# MemoryDenyWriteExecute = true;
218	PrivateDevices = true;	218	# NoNewPrivileges = true;
219	ProtectClock = true;	219	# PrivateDevices = true;
220	ProtectControlGroups = true;	220	# ProtectClock = true;
221	ProtectHome = true;	221	# ProtectControlGroups = true;
		222	# ProtectHome = true;
222	ProtectHostname = true;	223	ProtectHostname = true;
223	ProtectKernelLogs = true;	224	ProtectKernelLogs = true;
224	ProtectKernelModules = true;	225	ProtectKernelModules = true;