author | John Ericson <John.Ericson@Obsidian.Systems> | 2021-05-06 15:48:25 -0400 |
committer | John Ericson <John.Ericson@Obsidian.Systems> | 2021-05-06 15:48:25 -0400 |
commit | a3e54cb5823b4f338ce46acccb142bae7de585c2 (patch) | |
tree | 223806f291391df55301db8843a4a9bfe9f68349 /nixos | |
parent | c63e69cd894faada0daaef386fcc6273a957c66e (diff) | |
parent | 5f7ad00ae9e1ee00573798e7f9ddfdd28456b075 (diff) | |
Merge remote-tracking branch 'upstream/staging-next' into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/home-assistant.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/netdata.nix | 10 |
2 files changed, 11 insertions, 4 deletions
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 1985f130881..1e33381de24 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -298,7 +298,7 @@ in {
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
- ProcSubset = "pid";
+ ProcSubset = "all";
 ProtectSystem = "strict";
 RemoveIPC = true;
 ReadWritePaths = let
@@ -308,9 +308,10 @@ in {
 allowPaths = if isList value then value else singleton value;
 in [ "${cfg.configDir}" ] ++ allowPaths;
 RestrictAddressFamilies = [
- "AF_UNIX"
 "AF_INET"
 "AF_INET6"
+ "AF_NETLINK"
+ "AF_UNIX"
 ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
 "AF_BLUETOOTH"
 ];
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index 007024c04ce..c2ee1c0df7f 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -149,8 +149,9 @@ in {
 description = "Real time performance monitoring";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable
- (pkgs.python3.withPackages cfg.python.extraPackages);
+ path = (with pkgs; [ curl gawk iproute2 which ])
+ ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages)
+ ++ lib.optional config.virtualisation.libvirtd.enable (config.virtualisation.libvirtd.package);
 environment = {
 PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules";
 } // lib.optionalAttrs (!cfg.enableAnalyticsReporting) {
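Review bot: Loosening `ProcSubset` from `"pid"` to `"all"` in the first home-assistant hunk carries no comment, so a later maintainer cannot tell which integration needs the non-process entries under /proc or when the stricter value can be restored; the `AF_NETLINK` addition in the second hunk has the same gap. A one-line rationale above each setting, e.g. `# "pid" breaks <INTEGRATION>, see <ISSUE>` with the real names filled in, keeps the sandbox relaxation reviewable. If only one component needs netlink sockets, gating it on `useComponent` the way `"AF_BLUETOOTH"` is gated in the same list would leave the default socket-family surface unchanged for every other deployment. The enclosing `serviceConfig` attribute set starts and ends outside these hunks.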
@@ -182,6 +183,9 @@ in {
 ConfigurationDirectory = "netdata";
 ConfigurationDirectoryMode = "0755";
 # Capabilities
+ AmbientCapabilities = [
+ "CAP_SETUID" # is required for cgroups and cgroups-network plugins
+ ];
 CapabilityBoundingSet = [
 "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins
 "CAP_DAC_READ_SEARCH" # is required for apps plugin
@@ -191,6 +195,8 @@ in {
 "CAP_SYS_PTRACE" # is required for apps plugin
 "CAP_SYS_RESOURCE" # is required for ebpf plugin
 "CAP_NET_RAW" # is required for fping app
+ "CAP_SYS_CHROOT" # is required for cgroups plugin
+ "CAP_SETUID" # is required for cgroups and cgroups-network plugins
 ];
 # Sandboxing
 ProtectSystem = "full"; |
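Review bot: `CAP_SETUID` in the new `AmbientCapabilities` list is handed to the netdata main process at start, not merely left available in the bounding set like every other entry in this file, and a process that can switch UID can step outside most of the `# Sandboxing` settings that follow (`ProtectSystem = "full"` is visible as context). The comment `# is required for cgroups and cgroups-network plugins` should say that this grant is ambient and what it costs, e.g. `# ambient (not just bounding): needed by the cgroups/cgroups-network plugins; weakens the sandbox below`. `CAP_SYS_CHROOT` in the second hunk is added to the bounding set only; whether the cgroups plugin can actually use it without a matching ambient or file capability is not visible from the hunk and is worth a note next to it. The enclosing `serviceConfig` set starts and ends outside these hunks.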