From e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 8 Nov 2022 09:38:18 +0100
Subject: ...

---
 hosts/surtr/prometheus/default.nix | 6 ++++++
 hosts/surtr/tls/default.nix        | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
index 0f0cf586..685d117b 100644
--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -203,6 +203,12 @@ in {
     };
   };
 
+  systemd.services.prometheus = {
+    serviceConfig = {
+      SystemCallFilter = mkForce [ "@system-service" "~@privileged" ];
+    };
+  };
+
   sops.secrets."prometheus.key" = {
     format = "binary";
     sopsFile = ./tls.key;
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index d4eb1fb0..0a3024d2 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -8,7 +8,7 @@ let
 
   tsigSecretName = domain: "${domain}_tsig-secret";
   cfg = config.security.acme;
-  
+
   domainOptions = {
     options = {
       wildcard = mkOption {
@@ -34,10 +34,10 @@ in {
       };
     };
   };
-  
+
   config = {
     security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; });
-  
+
     fileSystems."/var/lib/acme" = {
       device = "surtr/safe/var-lib-acme";
       fsType = "zfs";
-- 
cgit v1.2.3
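Review bot: The `mkForce` on `SystemCallFilter` in the prometheus hunk replaces the whole seccomp filter list that the NixOS prometheus module installs (not visible here) rather than extending it, and nothing in the file or in the commit message — whose Subject is literally "..." — records which syscall or filter group forced the override. Since `mkForce` also silently discards any filter entries nixpkgs adds to this unit in the future, the rationale belongs next to the line: `# mkForce replaces (not extends) the module's SystemCallFilter: the upstream list blocks <syscall/group>` followed by `# needed by prometheus here (see journalctl SECCOMP entries); @system-service + ~@privileged still applies.` — the blocked syscall name needs to be filled in by the author. A real commit subject stating the same would make this recoverable from history as well. The `systemd.services.prometheus` attribute set sits inside a larger `config` block whose start and end are outside the hunk; the two tls hunks are whitespace-only.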