authorZhaofeng Li <hello@zhaofeng.li>2021-08-25 22:17:17 -0700
committerZhaofeng Li <hello@zhaofeng.li>2021-08-25 22:54:39 -0700
commitb6ad701a2c6bf619fa9418a8e27c4940ce921456 (patch)
tree38d75b2bf686c4064d9fe09c526ca3b5849d1112 /nixos
parentce38fecabe49a76fcd08d03e7562b44b97109aa7 (diff)
nixos/promtail: Allow write access to positions file if not in CacheDirectory
Because of `ProtectSystem=strict`, Promtail cannot write to the positions file if it's not in its `CacheDirectory` (the default value).
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/logging/promtail.nix4
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 34211687dc1d..95c83796ece6 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -7,6 +7,9 @@ let
'';
allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
+
+ allowPositionsFile = !lib.hasPrefix "/var/cache/promtail" positionsFile;
+ positionsFile = cfg.configuration.positions.filename;
in {
options.services.promtail = with types; {
enable = mkEnableOption "the Promtail ingresser";
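Review bot: The prefix test on `allowPositionsFile` compares against `"/var/cache/promtail"` without a trailing slash, so a positions file under a sibling path such as `/var/cache/promtail-old/positions.yaml` would be treated as inside the cache directory, get no `ReadWritePaths` entry, and stay unwritable under `ProtectSystem=strict`; `allowPositionsFile = !lib.hasPrefix "/var/cache/promtail/" positionsFile;` closes that gap. `positionsFile` also reads `cfg.configuration.positions.filename` unguarded, unlike the `?` check used for `allowSystemdJournal` two lines above, which is fine only if the module assigns a default for it elsewhere (not visible in this hunk); otherwise a configuration without `positions` aborts evaluation. The `ReadWritePaths` entry in the second hunk is derived from `builtins.dirOf positionsFile`, so it grants write access to the whole parent directory rather than to the single file, and a positions file placed directly under `/` or `/var` would widen the sandbox far beyond what the commit intends; a comment next to `allowPositionsFile` such as `# the positions file's parent directory is made writable, so it should live in a directory dedicated to promtail` would make that trade-off explicit to the next maintainer. The `let` block continues outside the hunk.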
@@ -53,6 +56,7 @@ in {
RestrictSUIDSGID = true;
PrivateMounts = true;
CacheDirectory = "promtail";
+ ReadWritePaths = lib.optional allowPositionsFile (builtins.dirOf positionsFile);
User = "promtail";
Group = "promtail";