diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index c698c9005aaf8..29a30e938e75a 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -236,9 +236,17 @@ let
 isSystemUser = true;
 inherit (conf) group;
 });
- users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
- "${name}-exporter" = {};
- });
+ users.groups = mkMerge [
+ (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
+ "${name}-exporter" = {};
+ })
+ (mkIf (name == "smartctl") {
+ "smartctl-exporter-access" = {};
+ })
+ ];
+ services.udev.extraRules = mkIf (name == "smartctl") ''
+ ACTION=="add", SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", RUN+="${pkgs.acl}/bin/setfacl -m g:smartctl-exporter-access:rw /dev/$kernel"
+ '';
 networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [
 "ip46tables -A nixos-fw ${conf.firewallFilter} "
 "-m comment --comment ${name}-exporter -j nixos-fw-accept"
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix
index e3dcc6126ff12..90adfe911a737 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix
@@ -58,7 +58,7 @@ in
 PrivateDevices = lib.mkForce false;
 ProtectProc = "invisible";
 ProcSubset = "pid";
- SupplementaryGroups = [ "disk" ];
+ SupplementaryGroups = [ "disk" "smartctl-exporter-access" ];
 SystemCallFilter = [ "@system-service" "~@privileged" ];
 };
 };
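Review bot: The added udev rule grants `rw` on every NVMe controller node to `smartctl-exporter-access`, and nothing in the hunk says why write access is needed or what membership in that group implies. If smartctl's NVMe queries also work with a read-only open (worth testing), the narrower `setfacl -m g:smartctl-exporter-access:r /dev/$kernel` would be preferable; either way a comment above the rule such as `# lets members of smartctl-exporter-access open NVMe controller nodes (/dev/nvmeN) for SMART queries` would document the grant. The rule matches only `ACTION=="add"`, so controllers already present when it is first installed may keep their old permissions until a reboot or udev re-trigger, and the ACL presumably stays on the node after the exporter is disabled until the node is recreated. The enclosing function starts and ends outside the hunk, so whether these definitions are gated on the exporter being enabled cannot be confirmed from here.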
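Review bot: `SupplementaryGroups` now names `smartctl-exporter-access`, a group that is only created by the `name == "smartctl"` branch in exporters.nix, so this unit depends on a string literal kept in sync across two files. A comment on the changed line such as `# group and the matching udev ACL for /dev/nvmeN are defined in ../exporters.nix` would make that coupling visible to the next maintainer. The service also keeps `disk` and `PrivateDevices = lib.mkForce false`, so the new group widens its device access rather than replacing the broader grant. The serviceConfig block starts outside the hunk.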