From 66852648fba1d64fee1a357ae774e905a778a08e Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sat, 1 Jan 2022 17:10:42 +0100
Subject: ...

---
 hosts/vidhar/prometheus/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'hosts')

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index da34e7ba..76c79689 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -209,7 +209,8 @@ in {
         Restart = "always";
         PrivateTmp = true;
         WorkingDirectory = "/tmp";
-        CapabilityBoundingSet = [""];
+        CapabilityBoundingSet = ["CAP_SET_PCAP" "CAP_SETUID" "CAP_SETGID"];
+        DynamicUser = true;
         DeviceAllow = [""];
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
@@ -224,13 +225,12 @@ in {
         ProtectKernelTunables = true;
         ProtectSystem = "strict";
         RemoveIPC = true;
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         SystemCallArchitectures = "native";
         UMask = "0077";
-        AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 
         Type = "simple";
         ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
-- 
cgit v1.2.3