Diffstat (limited to 'hosts')
-rw-r--r--hosts/vidhar/prometheus/default.nix6
1 files changed, 3 insertions, 3 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index da34e7ba..76c79689 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -209,7 +209,8 @@ in {
209 Restart = "always"; 209 Restart = "always";
210 PrivateTmp = true; 210 PrivateTmp = true;
211 WorkingDirectory = "/tmp"; 211 WorkingDirectory = "/tmp";
212 CapabilityBoundingSet = [""]; 212 CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
213 DynamicUser = true;
213 DeviceAllow = [""]; 214 DeviceAllow = [""];
214 LockPersonality = true; 215 LockPersonality = true;
215 MemoryDenyWriteExecute = true; 216 MemoryDenyWriteExecute = true;
@@ -224,13 +225,12 @@ in {
224 ProtectKernelTunables = true; 225 ProtectKernelTunables = true;
225 ProtectSystem = "strict"; 226 ProtectSystem = "strict";
226 RemoveIPC = true; 227 RemoveIPC = true;
227 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
228 RestrictNamespaces = true; 228 RestrictNamespaces = true;
229 RestrictRealtime = true; 229 RestrictRealtime = true;
230 RestrictSUIDSGID = true; 230 RestrictSUIDSGID = true;
231 SystemCallArchitectures = "native"; 231 SystemCallArchitectures = "native";
232 UMask = "0077"; 232 UMask = "0077";
233 AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ]; 233 AmbientCapabilities = [ "CAP_NET_ADMIN" ];
234 234
235 Type = "simple"; 235 Type = "simple";
236 ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter"; 236 ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
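Review bot: `CAP_SET_PCAP` in the new CapabilityBoundingSet on line 212 is not a Linux capability name (the real one is `CAP_SETPCAP`), and as far as I recall systemd logs a parse warning and skips unknown names rather than failing the unit, so the effective bounding set would silently be only CAP_SETUID and CAP_SETGID; change it to `CapabilityBoundingSet = [ "CAP_SETPCAP" "CAP_SETUID" "CAP_SETGID" ];`. Relatedly, the new AmbientCapabilities on line 233 keeps CAP_NET_ADMIN, but that capability is absent from the new bounding set, so unless systemd implicitly folds ambient capabilities into the bounding set the exporter would lose it under DynamicUser; worth confirming on the host after deploy. The new side also no longer carries RestrictAddressFamilies (old line 227), which lets the service open any socket family; if the new setup needs a family beyond AF_INET/AF_INET6/AF_NETLINK, extending that list is tighter than dropping the directive.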