From 31a0b5dff6d9baa8c7aee4f77c379ed8fd3d1e19 Mon Sep 17 00:00:00 2001
From: Jörg Thalheim
Date: Tue, 10 Nov 2020 10:36:53 +0100
Subject: nixos/promtail: fix access to journal
---
 nixos/modules/services/logging/promtail.nix | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'nixos/modules/services/logging')
diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 1d3e9d8e9b9..19b12daa415 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -6,10 +6,12 @@ let
 echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
 '';
+ allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
 in {
 options.services.promtail = with types; {
 enable = mkEnableOption "the Promtail ingresser";
+
 configuration = mkOption {
 type = (pkgs.formats.json {}).type;
 description = ''
@@ -67,6 +69,8 @@ in {
 RestrictRealtime = true;
 MemoryDenyWriteExecute = true;
 PrivateUsers = true;
+
+ SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal";
 } // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64
 SystemCallFilter = "@system-service";
 });
-- 
cgit 1.4.1
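Review bot: The new `allowSystemdJournal` binding carries no comment saying that it decides whether the service gets an extra group, and the `configuration` option text (which continues outside the hunk) does not mention that side effect either. I would add above it `# A journal scrape config needs read access to the system journal; used below to add the systemd-journal group.` The check assumes `scrape_configs` is a list: since the option type is free-form JSON, any other shape would presumably fail inside `lib.any` at evaluation time rather than in promtail's own config validation. The second added line is an extra blank line before `configuration = mkOption` and looks unintended.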
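Review bot: The `SupplementaryGroups` line widens what this otherwise sandboxed unit can read, and nothing next to it records that: membership in `systemd-journal` gives read access to the whole system journal, not only to the entries the scrape config selects. A comment such as `# systemd-journal can read every unit's logs; only granted when a journal scrape config is present` would keep the trade-off visible beside the hardening options. The parentheses are unnecessary; `lib.optional allowSystemdJournal "systemd-journal"` reads the same. The enclosing attribute set starts outside the hunk.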