From dcb32beda093ce80e80f30b53ec0832d306fe248 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Tue, 8 Nov 2022 17:46:35 +0100
Subject: [PATCH] nixos/prometheus: fix startup w/hardened service
See the discussion below the original PR[1] and #197443 for more context. I guess I missed that upon review because the branch was too old and I cherry-picked the commit onto my deployment branch which is based on 22.05. Sorry for that! [1] https://github.com/NixOS/nixpkgs/pull/162784#issuecomment-1306848036
---
 nixos/modules/services/monitoring/prometheus/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix
index 892d8e537ccf..1dc6a65973d7 100644
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@@ -1822,7 +1822,7 @@ in
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
 };
 };
 # prometheus-config-reload will activate after prometheus. However, what we
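Review bot: The new `SystemCallFilter` line drops the whole `~@resources` deny group with no in-file comment saying why, so a later hardening pass could re-add it and bring back the startup failure. I would put a comment directly above it, for example `# "~@resources" is intentionally not denied: Prometheus fails to start with it, see #197443`. The commit message does not say which call in that group Prometheus needs. If it turns out to be only one or two, keeping `"~@resources"` and listing those call names after it would preserve more of the sandbox, since systemd applies the filter entries in order. The enclosing attribute set starts outside the hunk.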