forked from mirrors/nixpkgs
nixpkgs/nixos/modules/services
Martin Weinelt 12c26aca1f
prometheus.exporters.smartctl: Fix autodiscovery
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.

This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.

There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.

  crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
  brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1

The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.

However, a simple udev rule can be used to resolve this:

  services.udev.extraRules = ''
    SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
  '';

Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.

  ❯ getent group disk
  disk6:
2022-01-27 17:33:27 +01:00
admin
amqp
audio Merge pull request #154180 from lovesegfault/roon-server-firewall-fix 2022-01-24 02:36:14 +00:00
backup nixos/borgbackup: remove literalDocBook in description 2022-01-20 20:10:26 +01:00
blockchain/ethereum
cluster nixos/kubernetes: actually set containerd to use systemd cgroups 2022-01-08 17:29:32 +10:00
computing Merge pull request #148785 from pennae/more-option-doc-staticizing 2021-12-17 11:14:08 -05:00
continuous-integration Merge pull request #148785 from pennae/more-option-doc-staticizing 2021-12-17 11:14:08 -05:00
databases nixos/redis: fix port option 2022-01-21 23:02:20 +01:00
desktops Merge pull request #153398 from jtojnar/tracker-subcommands 2022-01-09 16:09:35 +01:00
development nixos/rstudio-server: init 2022-01-17 10:24:38 +11:00
display-managers
editors
finance
games ArchiSteamFarm: 5.2.0.10 -> 5.2.1.5; ASF-ui: update 2022-01-09 20:26:03 -06:00
hardware nixos/modules/services/hardware/triggerhappy.nix: mpc_cli -> mpc-cli 2022-01-24 23:24:06 -03:00
logging nixos/logrotate: rotate login/logout logs by default 2021-12-29 02:07:02 +01:00
mail Merge pull request #152367 from helsinki-systems/fix/dovecot-ssh_dh 2022-01-22 18:07:16 +00:00
matrix
misc Merge pull request #156738 from mweinelt/hass-ping 2022-01-26 00:08:47 +01:00
monitoring prometheus.exporters.smartctl: Fix autodiscovery 2022-01-27 17:33:27 +01:00
network-filesystems nixos/glusterfs: remove syslog.target from services 2021-12-11 22:43:02 +01:00
networking Merge pull request #156787 from helsinki-systems/drop/racoon 2022-01-26 23:30:20 +01:00
printing
scheduling
search nixos/elasticsearch: fix postStart to allow non-localhost listenAddress 2021-12-30 19:03:35 +01:00
security nixos/tor: fix tor getting killed by systemd when shutting down 2022-01-25 15:02:18 +01:00
system Update nixos/modules/services/system/cachix-agent/default.nix 2022-01-18 16:49:18 +01:00
torrent Merge pull request #148785 from pennae/more-option-doc-staticizing 2021-12-17 11:14:08 -05:00
ttys
video Merge pull request #148785 from pennae/more-option-doc-staticizing 2021-12-17 11:14:08 -05:00
wayland nixos/cage: log to journal 2021-12-16 23:55:15 +00:00
web-apps Merge pull request #155847 from onny/dokuwikicleanup 2022-01-24 13:42:57 +01:00
web-servers nixos/nginx: Add defaultListenAddresses option 2022-01-24 02:20:30 +01:00
x11 fix MTP support on KDE Plasma and Dolphin (#155405) 2022-01-27 11:29:32 +08:00