From b6ad701a2c6bf619fa9418a8e27c4940ce921456 Mon Sep 17 00:00:00 2001
From: Zhaofeng Li
Date: Wed, 25 Aug 2021 22:17:17 -0700
Subject: [PATCH] nixos/promtail: Allow write access to positions file if not in CacheDirectory

Because of `ProtectSystem=strict`, Promtail cannot write to the positions file if it's not in its `CacheDirectory` (the default value).
---
 nixos/modules/services/logging/promtail.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 34211687dc1d..95c83796ece6 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -7,6 +7,9 @@ let
   '';
 
   allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
+
+  allowPositionsFile = !lib.hasPrefix "/var/cache/promtail" positionsFile;
+  positionsFile = cfg.configuration.positions.filename;
 in {
   options.services.promtail = with types; {
     enable = mkEnableOption "the Promtail ingresser";
@@ -53,6 +56,7 @@ in {
       RestrictSUIDSGID = true;
       PrivateMounts = true;
       CacheDirectory = "promtail";
+      ReadWritePaths = lib.optional allowPositionsFile (builtins.dirOf positionsFile);
       User = "promtail";
       Group = "promtail";
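Review bot: `positionsFile = cfg.configuration.positions.filename;` is an unconditional attribute selection, so if the `configuration` option (declared outside this hunk) permits omitting `positions.filename`, evaluation now fails with a missing-attribute error instead of taking the `allowPositionsFile = false` path. The preceding `allowSystemdJournal` line already guards with `cfg.configuration ? scrape_configs`; the same defensive shape here would be `positionsFile = cfg.configuration.positions.filename or "";` together with `allowPositionsFile = positionsFile != "" && !lib.hasPrefix "/var/cache/promtail" positionsFile;`. The `ReadWritePaths` entry added in the second hunk (whose closing lines fall outside this patch excerpt) punches a hole in `ProtectSystem=strict` for the whole parent directory returned by `builtins.dirOf`, not just the one file, so an operator who points the positions file at a shared directory widens the service's write surface; a comment on `allowPositionsFile` such as `# Grants the promtail user write access to the entire directory containing the positions file when it lives outside CacheDirectory` would make that trade-off visible. The `lib.hasPrefix` check is a plain string comparison, so a relative filename passes it and produces a non-absolute `ReadWritePaths` entry that systemd will reject at unit load; if relative paths are unsupported, an `assert lib.hasPrefix "/" positionsFile` (or a documented requirement) would surface that at evaluation time instead.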