Unverified Commit dcb32bed authored by Maximilian Bosch's avatar Maximilian Bosch
Browse files

nixos/prometheus: fix startup w/hardened service 

See the discussion below the original PR[1] and #197443 for more
context.

I guess I missed that upon review because the branch was too old and I
cherry-picked the commit onto my deployment branch which is based on
22.05. Sorry for that!

[1] https://github.com/NixOS/nixpkgs/pull/162784#issuecomment-1306848036
parent 6b572437

nixos/modules/services/monitoring/prometheus/default.nix

+1 −1
Original line number Diff line number Diff line
@@ -1822,7 +1822,7 @@ in 
        RestrictRealtime = true;

        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";

        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];

        SystemCallFilter = [ "@system-service" "~@privileged" ];

      };

    };

    # prometheus-config-reload will activate after prometheus. However, what we