diff options
| author | D Anzorge <d.anzorge@gmail.com> | 2022-12-13 02:47:50 +0100 |
|---|---|---|
| committer | D Anzorge <d.anzorge@gmail.com> | 2022-12-13 02:47:50 +0100 |
| commit | 9be81d0acfd8a5ac8c6a2222255ea9665f66d511 (patch) | |
| tree | e0fcb5e1cd504ca6db1eada27ca4b104a5cb6583 | |
| parent | c2720cebe7eacb1b637c1906b4ab6e8c09a0ab98 (diff) | |
| download | nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.tar nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.tar.gz nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.tar.bz2 nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.tar.lz nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.tar.xz nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.tar.zst nixpkgs-9be81d0acfd8a5ac8c6a2222255ea9665f66d511.zip | |
nixos/grafana: allow @chown syscalls when using unix sockets
Grafana will unconditionally call chown on the socket after creating it, even if the configuration does not ask for a different socket gid.
| -rw-r--r-- | nixos/modules/services/monitoring/grafana.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 9b3068796d8..5061666f57c 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -1291,7 +1291,10 @@ in { SystemCallArchitectures = "native"; # Upstream grafana is not setting SystemCallFilter for compatibility # reasons, see https://github.com/grafana/grafana/pull/40176 - SystemCallFilter = [ "@system-service" "~@privileged" ]; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ]; UMask = "0027"; }; preStart = '' |