nixos/prometheus: fix node exporter timex collector

The timex collector (enabled by default) needs the
adjtimex syscall, which was disabled by
9fea6d4c8551b7c8783f23e011a2ba113c95d0dd.

So allow it unless the timex collector is disabled.

2 files changed, 3 insertions, 1 deletions

diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index b40d6b3ca004..62e90232e114 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -192,7 +192,7 @@ let
         serviceConfig.MemoryDenyWriteExecute = true;
         serviceConfig.NoNewPrivileges = true;
         serviceConfig.PrivateDevices = true;
-        serviceConfig.ProtectClock = true;
+        serviceConfig.ProtectClock = mkDefault true;
         serviceConfig.ProtectControlGroups = true;
         serviceConfig.ProtectHome = true;
         serviceConfig.ProtectHostname = true;
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/node.nix b/nixos/modules/services/monitoring/prometheus/exporters/node.nix
index bc89799006eb..baac21b050f5 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/node.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/node.nix
@@ -37,6 +37,8 @@ in
       '';
       # The systemd collector needs AF_UNIX
       RestrictAddressFamilies = lib.optional (lib.any (x: x == "systemd") cfg.enabledCollectors) "AF_UNIX";
+      # The timex collector needs to access clock APIs
+      ProtectClock = lib.any (x: x == "timex") cfg.disabledCollectors;
     };
   };
 }