2 files changed, 9 insertions, 3 deletions

diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
index 0f0cf586..685d117b 100644
--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -203,6 +203,12 @@ in {
       };
     };
 
+    systemd.services.prometheus = {
+      serviceConfig = {
+        SystemCallFilter = mkForce [ "@system-service" "~@privileged" ];
+      };
+    };
+
     sops.secrets."prometheus.key" = {
       format = "binary";
       sopsFile = ./tls.key;
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index d4eb1fb0..0a3024d2 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -8,7 +8,7 @@ let
   tsigSecretName = domain: "${domain}_tsig-secret";
 
   cfg = config.security.acme;
-  
+
   domainOptions = {
     options = {
       wildcard = mkOption {
@@ -34,10 +34,10 @@ in {
       };
     };
   };
-  
+
   config = {
     security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; });
-    
+
     fileSystems."/var/lib/acme" =
       { device = "surtr/safe/var-lib-acme";
         fsType = "zfs";