pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #200222 from Ma27/prometheus-hardening-regression

nixos/prometheus: fix startup w/hardened service

Pascal Bach ea2a9ac9 3aa5166a

options
unified split
Changed files
+1 -1
nixos
modules
services
monitoring
prometheus
default.nix
+1 -1
nixos/modules/services/monitoring/prometheus/default.nix 
···

       
1822

       
 

       
        RestrictRealtime = true;


     

       
1823

       
 

       
        RestrictSUIDSGID = true;


     

       
1824

       
 

       
        SystemCallArchitectures = "native";


     

       
1825

       
-

       
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];


     

       
1826

       
 

       
      };


     

       
1827

       
 

       
    };


     

       
1828

       
 

       
    # prometheus-config-reload will activate after prometheus. However, what we


     
···

       
1822

       
 

       
        RestrictRealtime = true;


     

       
1823

       
 

       
        RestrictSUIDSGID = true;


     

       
1824

       
 

       
        SystemCallArchitectures = "native";


     

       
1825

       
+

       
        SystemCallFilter = [ "@system-service" "~@privileged" ];


     

       
1826

       
 

       
      };


     

       
1827

       
 

       
    };


     

       
1828

       
 

       
    # prometheus-config-reload will activate after prometheus. However, what we