author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-11-08 18:01:00 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-08 18:01:00 +0000 |
commit | 536833ef29720974616732e7de73991d3056ca3a (patch) | |
tree | 058d24abfda60c0aa9e54654951a3309682efd85 /nixos | |
parent | 07b331e8339250bc59916416820dea282f897364 (diff) | |
parent | 64b6e49275f6388284379624eff747b369469355 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/audio/wyoming/faster-whisper.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/netdata.nix | 12 |
2 files changed, 13 insertions, 2 deletions
diff --git a/nixos/modules/services/audio/wyoming/faster-whisper.nix b/nixos/modules/services/audio/wyoming/faster-whisper.nix index f156e8314a9..2d56acdc1b4 100644 --- a/nixos/modules/services/audio/wyoming/faster-whisper.nix +++ b/nixos/modules/services/audio/wyoming/faster-whisper.nix @@ -146,6 +146,8 @@ in CapabilityBoundingSet = ""; DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [ # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf + # CUDA not working? Check DeviceAllow and PrivateDevices first! + "/dev/nvidia0" "/dev/nvidia1" "/dev/nvidia2" "/dev/nvidia3" @@ -160,7 +162,6 @@ in DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; - PrivateDevices = true; PrivateUsers = true; ProtectHome = true; ProtectHostname = true; diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 3833418b5ad..de0e044453e 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -12,6 +12,7 @@ let ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin + ln -s /run/wrappers/bin/systemd-journal.plugin $out/libexec/netdata/plugins.d/systemd-journal.plugin ''; plugins = [ @@ -254,7 +255,7 @@ in { # Capabilities CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins - "CAP_DAC_READ_SEARCH" # is required for apps plugin + "CAP_DAC_READ_SEARCH" # is required for apps and systemd-journal plugin "CAP_FOWNER" # is required for freeipmi plugin "CAP_SETPCAP" # is required for apps, perf and slabinfo plugins "CAP_SYS_ADMIN" # is required for perf plugin 
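Review bot: The comment added to the `DeviceAllow` list tells readers to check `PrivateDevices`, but the next hunk (@@ -160,7 +162,6) deletes `PrivateDevices = true;` for every configuration, so the CPU-only case appears to lose its private /dev as well. The conflict only exists when the NVIDIA device nodes must be visible, so the setting could stay conditional, e.g. `PrivateDevices = !(builtins.elem options.device [ "cuda" "auto" ]);`, leaving `DevicePolicy = "closed"` plus `DeviceAllow` as the device restriction on GPU hosts. If the unconditional removal is intended, a comment next to `DevicePolicy` such as `# PrivateDevices is left off because it hides the /dev/nvidia* nodes; device access is limited by DevicePolicy and DeviceAllow instead` would record the reason. The serviceConfig block starts and ends outside both hunks, so the else branch of `DeviceAllow` is not visible here.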
@@ -263,6 +264,7 @@ in { "CAP_NET_RAW" # is required for fping app "CAP_SYS_CHROOT" # is required for cgroups plugin "CAP_SETUID" # is required for cgroups and cgroups-network plugins + "CAP_SYSLOG" # is required for systemd-journal plugin ]; # Sandboxing ProtectSystem = "full"; @@ -318,6 +320,14 @@ in { permissions = "u+rx,g+x,o-rwx"; }; + "systemd-journal.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/systemd-journal.plugin.org"; + capabilities = "cap_dac_read_search,cap_syslog+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; + }; + "slabinfo.plugin" = { source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org"; capabilities = "cap_dac_override+ep"; |
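Review bot: The new `systemd-journal.plugin` wrapper (@@ -318,6 +320,14) carries `cap_dac_read_search`, which bypasses read and directory-search permission checks on every file rather than only on the journal, and nothing in the hunk says why that breadth is needed. If the plugin only has to read journal files, membership of the netdata user in the `systemd-journal` group may be sufficient and would be the narrower grant; this should be confirmed against the upstream plugin's requirements before changing it. Otherwise a comment above the entry, e.g. `# cap_dac_read_search: read journal files regardless of ownership; cap_syslog: <reason from upstream docs>`, would make the grant auditable. The same concern applies to the preceding hunk (@@ -263,6 +264,7), where `CAP_SYSLOG` is added to the service-wide `CapabilityBoundingSet` whether or not the journal plugin is in use. The enclosing attribute sets start and end outside these hunks.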