The flake collector needs Unix domain sockets to communicate with the
nix daemon. The RestrictAddressFamilies hardening was blocking this.
Also trim trailing newlines from stderr in error messages.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When running nix flake metadata, nix and git need writable cache
directories. System service users have home set to /var/empty which
is read-only, causing "cannot create directories" errors.
Add StateDirectory and set HOME/XDG_CACHE_HOME environment variables
to /var/lib/nixos-exporter when flake collector is enabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Capture stderr from nix flake metadata to show the actual error
message instead of just "exit status 1".
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The systemd service runs in a sandboxed environment without the usual
PATH. Add nix and git to the service path when flake collector is
enabled so it can run `nix flake metadata` on git+https:// URLs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add 30-second timeout to nix flake metadata command to prevent hanging
on slow or unresponsive remotes. Add HTTP server timeouts (read, write,
idle) to protect against slowloris-style attacks.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
