From 3a2913ba1fb34e137413fbaca2def05bd25c2ce6 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 18 Apr 2026 08:32:30 -0700
Subject: [PATCH] Allow BPF in privileged containers on ringtail

NixOS defaults kernel.unprivileged_bpf_disabled=2, which blocks BPF syscalls outside the init namespace even with CAP_BPF. Set to 1 so privileged containers (Beyla/Alloy tracing) can create BPF maps.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 nixos/ringtail/configuration.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nixos/ringtail/configuration.nix b/nixos/ringtail/configuration.nix
index 4349154..052f38d 100644
--- a/nixos/ringtail/configuration.nix
+++ b/nixos/ringtail/configuration.nix
@@ -157,6 +157,11 @@ in
   # call setrlimit(RLIMIT_MEMLOCK, unlimited) inside privileged containers.
   systemd.services.k3s.serviceConfig.LimitMEMLOCK = "infinity";
 
+  # Allow BPF in privileged containers (Beyla eBPF tracing). NixOS defaults
+  # to 2 (block BPF outside init namespace even with CAP_BPF). Value 1 allows
+  # BPF for processes with CAP_BPF/CAP_SYS_ADMIN in any namespace.
+  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 1;
+
   # K3s containerd registry mirrors (pull through Zot on indri)
   environment.etc."rancher/k3s/registries.yaml".source = ./k3s-registries.yaml;
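Review bot: The added comment (and the commit message) misstate what `kernel.unprivileged_bpf_disabled` does: per the kernel's sysctl documentation, values 1 and 2 both make bpf() return EPERM for any caller lacking CAP_BPF or CAP_SYS_ADMIN in the initial user namespace, and the only difference is that 1 is permanent for the running kernel while 2 can later be lowered to 0 or 1, so moving from 2 to 1 grants nothing to a privileged container and is a slightly stronger hardening rather than the relaxation the comment describes. If Beyla can create maps after this deploy, that is presumably due to the LimitMEMLOCK change on the context line above or the pod's capability set, not this sysctl; a pod that still fails should be checked for CAP_BPF/CAP_PERFMON/CAP_SYS_ADMIN in its bounding set, a user-namespace remap, or seccomp/LSM restrictions. If the line is kept, I would replace the three comment lines so the next reader is not misled, e.g. `# Unprivileged bpf() stays disabled (1 = cannot be lowered again at runtime; NixOS's default 2 can). Privileged pods (Beyla eBPF tracing) need CAP_BPF/CAP_SYS_ADMIN in the init user namespace either way.` The enclosing attribute set that follows `in` starts and ends outside the hunk.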