diff options
| author | Pierre Bourdon <delroth@gmail.com> | 2022-09-06 02:10:47 +0200 |
|---|---|---|
| committer | Pierre Bourdon <delroth@gmail.com> | 2022-09-06 02:10:47 +0200 |
| commit | bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35 (patch) | |
| tree | 0b8c3558c1db51127e7f33b756ce30729d72a861 /nixos/modules/services/monitoring/grafana.nix | |
| parent | 76daf3b9daa76829294c213d2f66ff266da79555 (diff) | |
| download | nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.gz nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.bz2 nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.lz nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.xz nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.zst nixpkgs-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.zip | |
nixos/grafana: loosen systemd syscall sandboxing
Allow @resources syscalls in the grafana.service unit. While Grafana itself does not need them, some plugins (incl. first party) crash if they fail to setrlimit. This was first seen with the official grafana Clickhouse datasource plugin. The @resources syscalls set is fairly harmess anyway.
Diffstat (limited to 'nixos/modules/services/monitoring/grafana.nix')
| -rw-r--r-- | nixos/modules/services/monitoring/grafana.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index d72aaf0464e..dd99fa3ddcc 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -792,7 +792,7 @@ in { SystemCallArchitectures = "native"; # Upstream grafana is not setting SystemCallFilter for compatibility # reasons, see https://github.com/grafana/grafana/pull/40176 - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0027"; }; preStart = '' |