Merge pull request #135751 from zhaofengli/promtail-allow-positions-file

nixos/promtail: Allow write access to positions file if not in CacheDirectory
author: Maximilian Bosch <maximilian@mbosch.me> 2021-09-12 18:17:25 +0200
committer: GitHub <noreply@github.com> 2021-09-12 18:17:25 +0200
commit: 8b13843f4e08c2d707acb8b558c012f0fb1cb314 (patch)
tree: 9c6df8031676d94b1cf6bab0a6abe9c0a5a2f348 /nixos
parent: 0517de2ceb4afbc2a7e7ea67fa01c1226a91101d (diff)
parent: b6ad701a2c6bf619fa9418a8e27c4940ce921456 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 34211687dc1d..95c83796ece6 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -7,6 +7,9 @@ let
   '';
 
   allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
+
+  allowPositionsFile = !lib.hasPrefix "/var/cache/promtail" positionsFile;
+  positionsFile = cfg.configuration.positions.filename;
 in {
   options.services.promtail = with types; {
     enable = mkEnableOption "the Promtail ingresser";
@@ -53,6 +56,7 @@ in {
         RestrictSUIDSGID = true;
         PrivateMounts = true;
         CacheDirectory = "promtail";
+        ReadWritePaths = lib.optional allowPositionsFile (builtins.dirOf positionsFile);
 
         User = "promtail";
         Group = "promtail";
author	Maximilian Bosch <maximilian@mbosch.me>	2021-09-12 18:17:25 +0200
committer	GitHub <noreply@github.com>	2021-09-12 18:17:25 +0200
commit	8b13843f4e08c2d707acb8b558c012f0fb1cb314 (patch)
tree	9c6df8031676d94b1cf6bab0a6abe9c0a5a2f348 /nixos
parent	0517de2ceb4afbc2a7e7ea67fa01c1226a91101d (diff)
parent	b6ad701a2c6bf619fa9418a8e27c4940ce921456 (diff)