Merge pull request #325133 from jpds/nixos-prometheus-hardening

nixos/prometheus: systemd hardening for alertmanager/pushgateway
2025-07-13 13:40:28 +03:00 · 2024-07-07 16:22:35 -04:00 · 2024-07-07 16:22:35 -04:00 · aa3e6fadd2
commit aa3e6fadd2
parent bfbc9454de 008ea18566
5 changed files with 106 additions and 7 deletions
--- a/nixos/tests/prometheus/alertmanager.nix
+++ b/nixos/tests/prometheus/alertmanager.nix
@ -144,5 +144,9 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
    logger.wait_until_succeeds(
      "journalctl -o cat -u alertmanager-webhook-logger.service | grep '\"alertname\":\"InstanceDown\"'"
    )
+
+    logger.log(logger.succeed("systemd-analyze security alertmanager-webhook-logger.service | grep -v '✓'"))
+
+    alertmanager.log(alertmanager.succeed("systemd-analyze security alertmanager.service | grep -v '✓'"))
  '';
 })
--- a/nixos/tests/prometheus/pushgateway.nix
+++ b/nixos/tests/prometheus/pushgateway.nix
@ -90,5 +90,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
      "curl -sf 'http://127.0.0.1:9090/api/v1/query?query=absent(some_metric)' | "
      + "jq '.data.result[0].value[1]' | grep '\"1\"'"
    )
+
+    pushgateway.log(pushgateway.succeed("systemd-analyze security pushgateway.service | grep -v '✓'"))
  '';
 })