torjus/nixos-exporter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: allow AF_UNIX sockets for nix daemon communication

Browse Source 
The flake collector needs Unix domain sockets to communicate with the
nix daemon. The RestrictAddressFamilies hardening was blocking this.
Also trim trailing newlines from stderr in error messages.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-06 23:33:15 +01:00
parent 95bf85dce4
commit d4b9577070
2 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
collector/flake.go
View File

@@ -191,7 +191,7 @@ func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
output, err := cmd.Output() output, err := cmd.Output()
if err != nil { if err != nil {
if exitErr, ok := err.(*exec.ExitError); ok { if exitErr, ok := err.(*exec.ExitError); ok {
return nil, fmt.Errorf("nix flake metadata failed: %s", string(exitErr.Stderr)) return nil, fmt.Errorf("nix flake metadata failed: %s", strings.TrimSpace(string(exitErr.Stderr)))
} }
return nil, fmt.Errorf("nix flake metadata failed: %w", err) return nil, fmt.Errorf("nix flake metadata failed: %w", err)
} }

4
module.nix
View File

@@ -114,7 +114,9 @@ in
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectControlGroups = true; ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; # AF_UNIX required for nix daemon communication when flake collector enabled
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]
++ lib.optionals cfg.flake.enable [ "AF_UNIX" ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;