Merge pull request #141187 from erdnaxe/grafana_fix

nixos/grafana: fix systemd unit

authored by

Maximilian Bosch and committed by
GitHub
4a2cb373 27d39f7f

+4 -4
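--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -677,15 +677,13 @@
 RuntimeDirectory = "grafana";
 RuntimeDirectoryMode = "0755";
 # Hardening
-CapabilityBoundingSet = [ "" ];
+AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
 DeviceAllow = [ "" ];
 LockPersonality = true;
-MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateTmp = true;
-PrivateUsers = true;
-ProcSubset = "pid";
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHome = true;
@@ -701,6 +699,7 @@
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
+# Upstream grafana is not setting SystemCallFilter for compatibility
+# reasons, see https://github.com/grafana/grafana/pull/40176
 SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
 UMask = "0027";
 };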
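Review bot: The removal of MemoryDenyWriteExecute, PrivateUsers and ProcSubset in the first hunk carries no comment recording why these hardening options were dropped, whereas the second hunk does document why SystemCallFilter is left as is; without such a note a later hardening pass is likely to re-add them and reintroduce the breakage. Dropping PrivateUsers is plausibly needed for the new AmbientCapabilities grant to be effective in the host network namespace, but the reason for the other two is not visible in this diff, so it should be confirmed and written down next to the block, e.g. `# MemoryDenyWriteExecute, PrivateUsers and ProcSubset are intentionally unset: <reason, see this PR>`. Note also that `CapabilityBoundingSet = [ "" ]` (drop everything) differs from an empty list, so the `if … else [ "" ]` form must stay rather than being collapsed into `lib.optional`; as a style point, the `cfg.port < 1024` condition is now repeated on two consecutive lines and reads cleaner bound once, e.g. `needsBindCap = cfg.port < 1024;` in a surrounding `let`. The enclosing serviceConfig attribute set starts and ends outside the hunk.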