nixos/grafana: fix systemd unit

Remove MemoryDenyWriteExecute hardening as it breaks image rendering
plugin. Add CAP_NET_BIND_SERVICE to bind to low ports when needed.
Remove PrivateUsers and ProcSubset as upstream choose to remove it.

Upstream changes: <https://github.com/grafana/grafana/pull/40219>,
<https://github.com/grafana/grafana/pull/40178>,
<https://github.com/grafana/grafana/pull/40339> and
<https://github.com/grafana/grafana/pull/40815>.

1 files changed, 4 insertions, 4 deletions

diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index 9b21dc78b19d..5067047e9690 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -677,15 +677,13 @@ in {
         RuntimeDirectory = "grafana";
         RuntimeDirectoryMode = "0755";
         # Hardening
-        CapabilityBoundingSet = [ "" ];
+        AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
         DeviceAllow = [ "" ];
         LockPersonality = true;
-        MemoryDenyWriteExecute = true;
         NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateTmp = true;
-        PrivateUsers = true;
-        ProcSubset = "pid";
         ProtectClock = true;
         ProtectControlGroups = true;
         ProtectHome = true;
@@ -701,6 +699,8 @@ in {
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         SystemCallArchitectures = "native";
+        # Upstream grafana is not setting SystemCallFilter for compatibility
+        # reasons, see https://github.com/grafana/grafana/pull/40176
         SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
         UMask = "0027";
       };