authorDee Anzorge <d.anzorge@gmail.com>2023-12-26 21:41:34 +0100
committerMartin Weinelt <hexa@darmstadt.ccc.de>2023-12-26 21:42:58 +0100
commitb4b9b08426337645f625f1f0bd8020e7ac9b2f0b (patch)
tree72bfadc7feb24ed94df66ca87d4c856621bbd749 /nixos/modules/services/monitoring/prometheus
parent9f6a0545174e6c3635e6b41349af0de22a8312cc (diff)
nixos/prometheus-exporters/kea: run under same user/group as kea
This fixes access to the kea unix sockets, after enabling
RuntimeDirectoryPreserve on the kea units.

https://github.com/NixOS/nixpkgs/pull/274460#issuecomment-1869702893
Diffstat (limited to 'nixos/modules/services/monitoring/prometheus')
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/kea.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
index ed33c72f644f3..3abb6ff6bdf8b 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
@@ -31,13 +31,15 @@ in {
     ];
     serviceConfig = {
       User = "kea";
+      DynamicUser = true;
       ExecStart = ''
         ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \
           --address ${cfg.listenAddress} \
           --port ${toString cfg.port} \
           ${concatStringsSep " " cfg.controlSocketPaths}
       '';
-      SupplementaryGroups = [ "kea" ];
+      RuntimeDirectory = "kea";
+      RuntimeDirectoryPreserve = true;
       RestrictAddressFamilies = [
         # Need AF_UNIX to collect data
         "AF_UNIX"
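Review bot: With `User = "kea"` plus `DynamicUser = true`, the exporter, which listens on `cfg.listenAddress`, now runs under the same identity as the kea daemons instead of only joining their group, so it owns the runtime directory and control sockets rather than merely being able to connect to them; that trade-off deserves a comment in the module. The new `RuntimeDirectory = "kea"` is also shared with the kea units, and `RuntimeDirectoryPreserve = true` is what keeps systemd from removing `/run/kea` (and presumably the daemons' sockets) when the exporter stops. I would add above those two lines `# Shared with the kea units; must stay preserved, or stopping the exporter removes kea's control sockets.` and, next to `DynamicUser`, `# Same user as the kea units so the exporter can open their sockets; it needs connect access only.` The `serviceConfig` set and the `RestrictAddressFamilies` list continue past the end of the hunk, so any remaining hardening is not visible here.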