nixos/promtail: fix access to journal

2 files changed, 6 insertions, 0 deletions

diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 1d3e9d8e9b9..19b12daa415 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -6,10 +6,12 @@ let
     echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
   '';
 
+  allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
 in {
   options.services.promtail = with types; {
     enable = mkEnableOption "the Promtail ingresser";
 
+
     configuration = mkOption {
       type = (pkgs.formats.json {}).type;
       description = ''
@@ -67,6 +69,8 @@ in {
         RestrictRealtime = true;
         MemoryDenyWriteExecute = true;
         PrivateUsers = true;
+
+        SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal";
       } // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64
         SystemCallFilter = "@system-service";
       });
diff --git a/nixos/tests/loki.nix b/nixos/tests/loki.nix
index eaee717cf87..bede775b7d3 100644
--- a/nixos/tests/loki.nix
+++ b/nixos/tests/loki.nix
@@ -45,6 +45,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
     machine.wait_for_open_port(3100)
     machine.wait_for_open_port(9080)
     machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
+    # should not have access to journal unless specified
+    machine.fail("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")
     machine.wait_until_succeeds(
         "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
     )