diff options
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/tls/default.nix | 5 | ||||
| -rw-r--r-- | hosts/vidhar/prometheus/default.nix | 4 |
2 files changed, 5 insertions, 4 deletions
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index 9b1fd1f3..d4eb1fb0 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix | |||
| @@ -96,7 +96,10 @@ in { | |||
| 96 | serviceAttrset = domain: { | 96 | serviceAttrset = domain: { |
| 97 | after = [ "knot.service" ]; | 97 | after = [ "knot.service" ]; |
| 98 | bindsTo = [ "knot.service" ]; | 98 | bindsTo = [ "knot.service" ]; |
| 99 | serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; | 99 | serviceConfig = { |
| 100 | LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; | ||
| 101 | SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ]; | ||
| 102 | }; | ||
| 100 | }; | 103 | }; |
| 101 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); | 104 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); |
| 102 | 105 | ||
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index de7837dc..a8246e8c 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix | |||
| @@ -400,9 +400,7 @@ in { | |||
| 400 | 400 | ||
| 401 | systemd.services.prometheus = { | 401 | systemd.services.prometheus = { |
| 402 | serviceConfig = { | 402 | serviceConfig = { |
| 403 | SystemCallFilter = [ | 403 | SystemCallFilter = mkForce [ "@system-service" "~@privileged" ]; |
| 404 | "@resources" | ||
| 405 | ]; | ||
| 406 | }; | 404 | }; |
| 407 | }; | 405 | }; |
| 408 | 406 | ||