nixos/prometheus-rtl_433-exporter: fix systemd hardening

9fea6d4c8551b7c8783f23e011a2ba113c95d0dd broke rtl_433-exporter by
introducing several hardening options which do not play well with
rtl_433 requiring writing to USB. More precisely, rtl_433 requires
(a) AF_NETLINK to configure the radio; (b) access to the USB device,
but PrivateDevices=true hides them; (c) rw access to the USB device,
but DeviceAllow= block-lists everything.

This commit was tested on real hardware with a standard NixOS setup.

1 files changed, 5 insertions, 0 deletions

diff --git a/nixos/modules/services/monitoring/prometheus/exporters/rtl_433.nix b/nixos/modules/services/monitoring/prometheus/exporters/rtl_433.nix
index 01e420db3897..ef829a1b7d02 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/rtl_433.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/rtl_433.nix
@@ -61,6 +61,11 @@ in
     serviceConfig = {
       # rtl-sdr udev rules make supported USB devices +rw by plugdev.
       SupplementaryGroups = "plugdev";
+      # rtl_433 needs rw access to the USB radio.
+      PrivateDevices = lib.mkForce false;
+      DeviceAllow = lib.mkForce "char-usb_device rw";
+      RestrictAddressFamilies = [ "AF_NETLINK" ];
+
       ExecStart = let
         matchers = (map (m:
           "--channel_matcher '${m.name},${toString m.channel},${m.location}'"