Merge pull request #142109 from mweinelt/prometheus-node-exporter

nixos/prometheus: add hardening exceptions to node-exporter

authored by

Martin Weinelt and committed by
GitHub
5adcd46b e3bcebf0

+8 -3
+8 -3
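--- a/nixos/modules/services/monitoring/prometheus/exporters/node.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/node.nix
@@ -35,10 +35,15 @@
         ${concatMapStringsSep " " (x: "--no-collector." + x) cfg.disabledCollectors} \
         --web.listen-address ${cfg.listenAddress}:${toString cfg.port} ${concatStringsSep " " cfg.extraFlags}
       '';
-      # The systemd collector needs AF_UNIX
-      RestrictAddressFamilies = lib.optional (lib.any (x: x == "systemd") cfg.enabledCollectors) "AF_UNIX";
+      RestrictAddressFamilies = optionals (any (collector: (collector == "logind" || collector == "systemd")) cfg.enabledCollectors) [
+        # needs access to dbus via unix sockets (logind/systemd)
+        "AF_UNIX"
+      ] ++ optionals (any (collector: (collector == "network_route" || collector == "wifi")) cfg.enabledCollectors) [
+        # needs netlink sockets for wireless collector
+        "AF_NETLINK"
+      ];
       # The timex collector needs to access clock APIs
-      ProtectClock = lib.any (x: x == "timex") cfg.disabledCollectors;
+      ProtectClock = any (collector: collector == "timex") cfg.disabledCollectors;
     };
   };
 }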
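Review bot: The comment on the AF_NETLINK entry says "for wireless collector", but the condition on the line above it grants the family for `network_route` as well as `wifi`, so the comment under-documents why the restriction is relaxed; `# needs netlink sockets (network_route/wifi)` would match the style of the AF_UNIX comment and cover both cases. The exceptions are keyed only on `cfg.enabledCollectors`, so a collector switched on through `cfg.extraFlags` (the same command line on line 36) gets no exception and will presumably fail under the sandbox rather than weaken it; that is the safe direction, but it is worth a one-line comment or a mention in the option description so the failure mode is not mistaken for a collector bug. Both list values are appended to whatever the shared exporter defaults already allow for `RestrictAddressFamilies`, assuming the usual module-system list merge applies here, which is consistent with the old `lib.optional` form. The surrounding `serviceConfig` attribute set starts outside the hunk.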