nixos/prometheus: fix node exporter timex collector

The timex collector (enabled by default) needs the
adjtimex syscall, which was disabled by
9fea6d4c85.

So allow it unless the timex collector is disabled.

nixos/modules/services/monitoring/prometheus/exporters.nix

@@ -192,7 +192,7 @@ let
         serviceConfig.MemoryDenyWriteExecute = true;
         serviceConfig.NoNewPrivileges = true;
         serviceConfig.PrivateDevices = true;
-        serviceConfig.ProtectClock = true;
+        serviceConfig.ProtectClock = mkDefault true;
         serviceConfig.ProtectControlGroups = true;
         serviceConfig.ProtectHome = true;
         serviceConfig.ProtectHostname = true;

nixos/modules/services/monitoring/prometheus/exporters/node.nix

@@ -37,6 +37,8 @@ in
       '';
       # The systemd collector needs AF_UNIX
       RestrictAddressFamilies = lib.optional (lib.any (x: x == "systemd") cfg.enabledCollectors) "AF_UNIX";
+      # The timex collector needs to access clock APIs
+      ProtectClock = lib.any (x: x == "timex") cfg.disabledCollectors;
     };
   };
 }