nixos/prometheus: fix node exporter timex collector

The timex collector (enabled by default) needs the
adjtimex syscall, which was disabled by
9fea6d4c85.

So allow it unless the timex collector is disabled.
Matthias Treydte 2021-10-13 15:37:02 +02:00 committed by Profpatsch
parent ae7ce180dd
commit 72fbd63c5c
2 changed files with 3 additions and 1 deletions


@ -192,7 +192,7 @@ let
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = true;
serviceConfig.ProtectClock = true;
serviceConfig.ProtectClock = mkDefault true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
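Review bot: `serviceConfig.ProtectClock = mkDefault true;` is now the one hardening option in this hunk that an individual exporter module can override at normal priority, and nothing at the definition says why. A short comment above it would keep a later reader from treating the lower priority as a general invitation to relax the sandbox, for example `# mkDefault: the node exporter turns this off while its timex collector is enabled (needs adjtimex)`. The neighbouring options stay plain assignments, so the asymmetry is deliberate and worth documenting. The enclosing `let` binding starts and ends outside the hunk.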


@ -37,6 +37,8 @@ in
'';
# The systemd collector needs AF_UNIX
RestrictAddressFamilies = lib.optional (lib.any (x: x == "systemd") cfg.enabledCollectors) "AF_UNIX";
# The timex collector needs to access clock APIs
ProtectClock = lib.any (x: x == "timex") cfg.disabledCollectors;
};
};
}
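Review bot: `ProtectClock = lib.any (x: x == "timex") cfg.disabledCollectors;` turns off the whole ProtectClock= bundle in the default configuration, not only the adjtimex filter. In systemd that setting also removes CAP_SYS_TIME and CAP_WAKE_ALARM from the bounding set and limits /dev/rtc to read-only. The shared config visibly keeps `PrivateDevices = true`, but the capability bounding set is outside these hunks, so it is worth confirming that the unit still cannot set the clock. The comment could then state that, for example `# timex only reads via adjtimex(2), but ProtectClock's syscall filter blocks the call outright; setting the clock still needs CAP_SYS_TIME`. The condition also looks only at `disabledCollectors`, so a collector switched off by another route (such as extra command-line flags) would presumably leave the protection off unnecessarily.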