author | Alexandre Iooss <erdnaxe@crans.org> | 2021-08-08 16:48:49 +0200 |
---|---|---|
committer | Alexandre Iooss <erdnaxe@crans.org> | 2021-10-07 10:19:55 +0200 |
commit | 9fea6d4c8551b7c8783f23e011a2ba113c95d0dd (patch) | |
tree | 72ab5177823179feee672b615385f6cf72488beb /nixos/modules/services/monitoring/prometheus/exporters | |
parent | 9544c029c082a7e545ec75c101f0202f18eb3874 (diff) | |
nixos/prometheus: systemd unit hardening of exporters
Diffstat (limited to 'nixos/modules/services/monitoring/prometheus/exporters')
11 files changed, 42 insertions, 0 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix index d8a526eafce..1ef264fc86e 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix @@ -41,6 +41,10 @@ in -format.new=${if cfg.newMetricFormat then "true" else "false"} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix index 472652fe8a7..092ac6fea7d 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix @@ -83,6 +83,10 @@ in --dovecot.scopes ${concatStringsSep "," cfg.scopes} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix index 0571325c5d9..27aeb909624 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -34,6 +34,10 @@ in { ${concatStringsSep " \\n" cfg.controlSocketPaths} ''; SupplementaryGroups = [ "kea" ]; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/knot.nix b/nixos/modules/services/monitoring/prometheus/exporters/knot.nix index 2acaac293b6..29e543f1013 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/knot.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/knot.nix 
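Review bot: In the bird.nix hunk the new `RestrictAddressFamilies` list names only `AF_UNIX`, yet every one of these exporters also has to bind its metrics listener (the systemd.nix hunk below shows `--web.listen-address`), which is an `AF_INET`/`AF_INET6` socket. This presumably works because the shared exporter module outside this diff contributes `AF_INET`/`AF_INET6` and the Nix module system merges the two lists, but nothing in the hunk says so, and a reader copying this pattern into a standalone unit would get a service that cannot bind. I would make the comment carry that dependency, e.g. `# AF_UNIX for the bird control socket; AF_INET/AF_INET6 for the listener come from the shared exporter module`, and verify the rendered unit with `systemctl show -p RestrictAddressFamilies <unit>`. The enclosing `serviceConfig` attrset starts before this hunk.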
@@ -45,6 +45,10 @@ in { ${concatStringsSep " \\\n " cfg.extraFlags} ''; SupplementaryGroups = [ "knot" ]; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix b/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix index 86ea98b94e4..afd03f6c270 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix @@ -28,6 +28,10 @@ in -rate ${cfg.refreshRate} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix index dd3bec8ec16..3f9a32ef399 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix @@ -79,6 +79,10 @@ in --web.telemetry-path ${cfg.telemetryPath} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix b/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix index 0a7bb9c27be..0181c341a7e 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix @@ -45,6 +45,7 @@ in serviceOpts = { serviceConfig = { AmbientCapabilities = [ "CAP_NET_RAW" ]; + CapabilityBoundingSet = [ "CAP_NET_RAW" ]; ExecStart = '' ${pkgs.prometheus-smokeping-prober}/bin/smokeping_prober \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ 
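Review bot: In the smokeping.nix hunk the added `CapabilityBoundingSet = [ "CAP_NET_RAW" ]` is the right companion to the existing `AmbientCapabilities`, since an ambient capability must also be present in the bounding set, but `CapabilityBoundingSet=` is a merging directive in systemd and if the shared exporter module (outside this diff) already sets an empty or narrower bounding set, the effective value depends on the order in which the two assignments land in the rendered unit. Worth checking once with `systemctl show -p CapabilityBoundingSet -p AmbientCapabilities <unit>` rather than trusting the module source. A one-line comment would also help the next reader, e.g. `# smokeping_prober opens raw ICMP sockets; confine the unit to exactly this capability`. The `serviceConfig` block continues past the end of this hunk.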
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/sql.nix b/nixos/modules/services/monitoring/prometheus/exporters/sql.nix index d9be724ebc0..3496fd9541f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/sql.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/sql.nix @@ -99,6 +99,10 @@ in -config.file ${configFile} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix b/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix index 0514469b8a6..c0a50f07d71 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix @@ -13,6 +13,10 @@ in { ${pkgs.prometheus-systemd-exporter}/bin/systemd_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix index 56a559531c1..cf0efddd340 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix @@ -49,6 +49,10 @@ in ${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \ ${toString cfg.extraFlags} ''; + RestrictAddressFamilies = [ + # Need AF_UNIX to collect data + "AF_UNIX" + ]; }; }] ++ [ (mkIf config.services.unbound.enable { diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix index 04421fc2d25..d4aa69629ec 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix 
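Review bot: In the unbound.nix hunk the `ExecStart` context shows `--control-interface ${cfg.controlInterface}`, and unbound's control interface can be either a unix socket path or a `host:port`; with only `AF_UNIX` granted here, the TCP form will only work if the shared exporter module outside this diff merges in `AF_INET`/`AF_INET6`, and the comment `# Need AF_UNIX to collect data` does not tell the reader which case it covers. I would spell it out, e.g. `# AF_UNIX covers a unix-socket controlInterface; a host:port control interface also needs AF_INET/AF_INET6`, or add those families conditionally when `cfg.controlInterface` is not a path. The same caveat applies to sql.nix on this line, whose `-config.file` DSNs are commonly TCP. The hunk closes one element of a list (`}] ++ [ (mkIf ...`) whose start and end are both outside the hunk.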
+++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix @@ -52,6 +52,7 @@ in { serviceConfig = { AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; ExecStart = '' ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \ -p ${toString cfg.port} \ @@ -61,6 +62,10 @@ in { ${optionalString cfg.withRemoteIp "-r"} \ ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"} ''; + RestrictAddressFamilies = [ + # Need AF_NETLINK to collect data + "AF_NETLINK" + ]; }; }; } |
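Review bot: In the second wireguard.nix hunk the comment `# Need AF_NETLINK to collect data` is the only explanation of a fairly privileged profile: the first hunk also pins `CAP_NET_ADMIN` in both `AmbientCapabilities` and the new `CapabilityBoundingSet`, and that capability is what lets the exporter query WireGuard device and peer state over generic netlink, so the two settings are one decision and should be documented together. I would extend the comment to `# WireGuard device/peer state is read over generic netlink, which needs AF_NETLINK and CAP_NET_ADMIN (see CapabilityBoundingSet above)`. Note that `AF_NETLINK` alone does not cover the metrics listener on `-p ${cfg.port}`; as with the other exporters this presumably relies on the shared exporter module contributing `AF_INET`/`AF_INET6`, which is worth confirming with `systemctl show -p RestrictAddressFamilies <unit>`. Both hunks sit inside one `serviceConfig` attrset that begins before the first hunk.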