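# NixOS module: services.prometheus.alertmanagerWebhookLogger
#
# Runs the alertmanager-webhook-logger binary as a hardened systemd
# service. The unit is confined with a minimal capability set, a dynamic
# unprivileged user, a read-only view of the system and a syscall filter.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Short alias for this module's option values.
  cfg = config.services.prometheus.alertmanagerWebhookLogger;
in
{
  options.services.prometheus.alertmanagerWebhookLogger = {
    enable = lib.mkEnableOption "Alertmanager Webhook Logger";

    # Package providing bin/alertmanager-webhook-logger.
    package = lib.mkPackageOption pkgs "alertmanager-webhook-logger" { };

    extraFlags = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Extra command line options to pass to alertmanager-webhook-logger.
        Each list element is passed as one argument; no shell is involved.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.alertmanager-webhook-logger = {
      description = "Alertmanager Webhook Logger";

      wantedBy = [ "multi-user.target" ];
      # The logger serves a network endpoint, so wait for the network to be
      # up rather than merely configured.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      serviceConfig = {
        # Arguments are quoted per element so a flag containing spaces or
        # shell metacharacters is still delivered as a single argv entry.
        ExecStart = ''
          ${cfg.package}/bin/alertmanager-webhook-logger \
            ${lib.escapeShellArgs cfg.extraFlags}
        '';

        # --- Privilege and identity ---------------------------------------
        # No capabilities at all; the service must run fully unprivileged.
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = [ "" ];
        # Transient UID/GID allocated at start, released at stop.
        DynamicUser = true;
        NoNewPrivileges = true;
        # Map the dynamic user into a private user namespace so that root
        # inside the unit is unprivileged on the host.
        PrivateUsers = true;
        # Files the service creates (if any) are private to its own user.
        UMask = "0077";

        # --- Memory and execution ------------------------------------------
        MemoryDenyWriteExecute = true;
        LockPersonality = true;

        # --- Filesystem view -----------------------------------------------
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";

        PrivateTmp = true;
        PrivateDevices = true;
        PrivateIPC = true;

        ProcSubset = "pid";

        # --- Kernel interfaces ---------------------------------------------
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;

        Restart = "on-failure";

        # --- Network and namespaces ----------------------------------------
        # Only IP sockets are permitted; note that AF_UNIX is deliberately
        # absent, so the service cannot reach local Unix-domain sockets.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        # --- Syscall filter ------------------------------------------------
        # Pin the filter to the native ABI: without this, a process can
        # issue syscalls through a secondary architecture (e.g. the 32-bit
        # ABI on x86_64) and bypass SystemCallFilter entirely.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@cpu-emulation"
          "~@privileged"
          "~@reboot"
          "~@setuid"
          "~@swap"
        ];
      };
    };
  };

  meta.maintainers = [ lib.maintainers.jpds ];
}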