| Commit message (Collapse) | Author | Age |
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.
This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.
There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.
crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1
The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.
However, a simple udev rule can be used to resolve this:
services.udev.extraRules = ''
SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
'';
Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.
❯ getent group disk
disk:x:6:
This allows the exporter to perform SCSI commands and interact with hpsa
and cciss devices.
This option makes the complete netdata configuration directory available for
modification. The default configuration is merged with changes
defined in the configDir option.
Co-authored-by: Michael Raitza <spacefrogg-github@meterriblecrew.net>
nixos/prometheus-nginx-exporter: fix argument syntax
Arguments were being ignored because the program expects an equals sign
to separate the argument name from the value.
Documented in https://github.com/nginxinc/nginx-prometheus-exporter/issues/153
Fixes #107541
treewide: more defaultText for options
These are mostly options that use alias bindings, bindings to constants,
or bindings to calculated values.
Some options have defaults that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
Adds defaultText for options with defaults that use only literals, full config.*
paths, and the cfg shortcut binding.
Adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary).
Adds defaultText for all options that set their default to a path expression
using the ubiquitous `cfg` shortcut bindings.
nixos/*: add trivial defaultText to options where applicable
nixos/collectd: add missing group
While upgrading my NixOS system I was greeted by this error:
error:
Failed assertions:
- users.users.collectd.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.collectd.group = "collectd";
users.groups.collectd = {};
Let's fix it.
Otherwise, `postfix_up{path="/var/lib/postfix/queue/public/showq"}` will
always be `0`, indicating a postfix outage, because this is a unix domain
socket that cannot be connected to:
2021/12/03 14:50:46 Failed to scrape showq socket: dial unix /var/lib/postfix/queue/public/showq: socket: address family not supported by protocol
Fixes https://github.com/NixOS/nixpkgs/issues/105139
nixos/zabbixServer: explicitly set security.wrappers ownership
services.prometheus.environmentFile is defined
The option `services.prometheus.environmentFile` has been removed since it was causing [issues](https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files.
nixos/prometheus: optionally support reloading on config changes
The new option `services.prometheus.enableReload` has been introduced
which, when enabled, causes the prometheus systemd service to reload
when its config file changes.
More specifically, the following property holds: switching to a
configuration (`switch-to-configuration`) that changes the prometheus
configuration only finishes successfully when prometheus has finished
loading the new configuration.
`enableReload` is `false` by default, in which case the old semantics
of restarting the prometheus systemd service are in effect.
nixos/unifi-poller: add support for Loki
Since v2.0.2, unifi-poller supports Loki [0][1]; this contribution
adds the options so it can be used.
[0] https://github.com/unpoller/unpoller/releases/tag/v2.0.2-beta1
[1] https://unpoller.com/docs/dependencies/loki/
Remove MemoryDenyWriteExecute hardening as it breaks the image rendering
plugin. Add CAP_NET_BIND_SERVICE to bind to low ports when needed.
Remove PrivateUsers and ProcSubset as upstream chose to remove them.
Upstream changes: <https://github.com/grafana/grafana/pull/40219>,
<https://github.com/grafana/grafana/pull/40178>,
<https://github.com/grafana/grafana/pull/40339> and
<https://github.com/grafana/grafana/pull/40815>.
Conditionally grants access for the logind, wifi and network_route
collectors.
9fea6d4c8551b7c8783f23e011a2ba113c95d0dd broke rtl_433-exporter by
introducing several hardening options which do not play well with
rtl_433 requiring writing to USB. More precisely, rtl_433 requires
(a) AF_NETLINK to configure the radio; (b) access to the USB device,
but PrivateDevices=true hides them; (c) rw access to the USB device,
but DeviceAllow= block-lists everything.
This commit was tested on real hardware with a standard NixOS setup.
The timex collector (enabled by default) needs the
adjtimex syscall, which was disabled by
9fea6d4c8551b7c8783f23e011a2ba113c95d0dd.
So allow it unless the timex collector is disabled.
The systemd collector needs AF_UNIX to talk to
/var/run/dbus/system_bus_socket, which was broken
with 9fea6d4c8551b7c8783f23e011a2ba113c95d0dd.
This commit allows AF_UNIX when needed.
jraygauthier/jrg/96633_fix-teamviewer-client-server-issue
teamviewer: fix #96633, #44307 and #97148 + 15.15.5 -> 15.18.5 -> 15.22.3
Move to a foreground launch of the daemon. Doing so allowed us
to move the service from forking to simple to avoid the
missing pid error log.
Also:
- Make the dbus dependency explicit.
Add teamviewer package as a dbus package now that the
client / server communication depends on dbus.