From ac9bdcb42a3396268aebda74b7a69b1a6a4117b5 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 8 Nov 2022 09:32:15 +0100
Subject: ...

---
 hosts/surtr/tls/default.nix         | 5 ++++-
 hosts/vidhar/prometheus/default.nix | 4 +---
 2 files changed, 5 insertions(+), 4 deletions(-)

(limited to 'hosts')

diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 9b1fd1f3..d4eb1fb0 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -96,7 +96,10 @@ in {
         serviceAttrset = domain: {
           after = [ "knot.service" ];
           bindsTo = [ "knot.service" ];
-          serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
+          serviceConfig = {
+            LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
+            SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ];
+          };
         };
       in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index de7837dc..a8246e8c 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -400,9 +400,7 @@ in {
 
     systemd.services.prometheus = {
       serviceConfig = {
-        SystemCallFilter = [
-          "@resources"
-        ];
+        SystemCallFilter = mkForce [ "@system-service" "~@privileged" ];
       };
     };
 
-- 
cgit v1.2.3