diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 1d3e9d8e9b99..19b12daa4152 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -6,10 +6,12 @@ let
 echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
 '';
+ allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
 in {
 options.services.promtail = with types; {
 enable = mkEnableOption "the Promtail ingresser";
+
 configuration = mkOption {
 type = (pkgs.formats.json {}).type;
 description = ''
@@ -67,6 +69,8 @@ in {
 RestrictRealtime = true;
 MemoryDenyWriteExecute = true;
 PrivateUsers = true;
+
+ SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal";
 } // (optionalAttrs (!pkgs.stdenv.isAarch64) {
 # FIXME: figure out why this breaks on aarch64
 SystemCallFilter = "@system-service";
 });
diff --git a/nixos/tests/loki.nix b/nixos/tests/loki.nix
index eaee717cf87d..bede775b7d3c 100644
--- a/nixos/tests/loki.nix
+++ b/nixos/tests/loki.nix
@@ -45,6 +45,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
 machine.wait_for_open_port(3100)
 machine.wait_for_open_port(9080)
 machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
+ # should not have access to journal unless specified
+ machine.fail("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")
 machine.wait_until_succeeds(
 "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
 )
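Review bot: The new `SupplementaryGroups` line is added directly under `PrivateUsers = true;`, and nothing in this commit shows that membership in the host `systemd-journal` group still yields journal read access once the unit runs in its own user namespace — the loki.nix test only asserts the group is absent in the default configuration. That interaction should either be verified with a journal scrape config on a test node or recorded as an assumption next to the line, e.g. `# journal scraping relies on the systemd-journal group being honoured under PrivateUsers=true` so the next person touching the hardening settings knows why the two lines go together. The gate `allowSystemdJournal` (first hunk) only recognises scrape configs carrying a `journal` key, which is worth stating in the `configuration` option description so users know when the group is granted; that description's remaining lines are outside this hunk. On style, the parentheses are redundant and the helpers are written qualified while `optionalAttrs` on the next line is not: `SupplementaryGroups = lib.optional allowSystemdJournal "systemd-journal";`.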
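Review bot: The added `machine.fail(...)` covers only the negative case; no part of this test runs promtail with a `journal` scrape config, so the granting branch of `allowSystemdJournal` and the resulting `SupplementaryGroups` in promtail.nix are never exercised. A second node, or a second promtail configuration on this machine, with a scrape entry containing `journal` and an assertion such as `machine.succeed("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")` followed by a logcli query for a journal line would pin both branches. The node definition is outside the hunk, so whether a journal scrape is already configured there cannot be seen; if it were, this new assertion would fail, which suggests it is not. The `# should not have access to journal unless specified` comment is sufficient as is.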