From 20a5b98a3acd1ebfc1c30f4897662b41e7ec966d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 1 Jan 2022 17:12:29 +0100
Subject: ...

---
 hosts/vidhar/prometheus/default.nix | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
(limited to 'hosts/vidhar/prometheus')

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 76c79689..51ead7e2 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -207,18 +207,19 @@ in {
 path = with pkgs; [ nftables ];
 serviceConfig = {
 Restart = "always";
- PrivateTmp = true;
- WorkingDirectory = "/tmp";
- CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
- DynamicUser = true;
- DeviceAllow = [""];
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
+
+ # PrivateTmp = true;
+ # WorkingDirectory = "/tmp";
+ # CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+ # DynamicUser = true;
+ # DeviceAllow = [""];
+ # LockPersonality = true;
+ # MemoryDenyWriteExecute = true;
+ # NoNewPrivileges = true;
+ # PrivateDevices = true;
+ # ProtectClock = true;
+ # ProtectControlGroups = true;
+ # ProtectHome = true;
 ProtectHostname = true;
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
-- 
cgit v1.2.3
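Review bot: Twelve sandboxing directives of this serviceConfig (PrivateTmp through ProtectHome) are commented out in one go with no comment recording why, which leaves the unit running with a far wider attack surface than before and leaves the reader unable to tell which directive actually broke the service. Given `path = with pkgs; [ nftables ];`, the likely culprits are DynamicUser and the CapabilityBoundingSet, since nftables presumably needs CAP_NET_ADMIN, which that set does not grant; note also that `"CAP_SET_PCAP"` is not a capability name systemd recognises (the real one is CAP_SETPCAP), so that line may have been silently ineffective all along. Directives unrelated to that failure (LockPersonality, MemoryDenyWriteExecute, NoNewPrivileges, ProtectClock, ProtectControlGroups, ProtectHome, PrivateDevices) could stay enabled, and the disabled ones deserve a one-line comment such as `# hardening relaxed: <reason, placeholder> - re-enable piecewise once nftables works under it`. The enclosing serviceConfig attribute set and the surrounding `in { ... }` continue outside the hunk.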