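# NixOS module for Alertmanager IRC Relay: declares the
# `services.prometheus.alertmanagerIrcRelay` options and, when enabled,
# a sandboxed systemd unit that runs the relay with a generated YAML config.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.prometheus.alertmanagerIrcRelay;

  configFormat = pkgs.formats.yaml { };
  # The YAML is rendered into the Nix store, which is world-readable, so
  # every value in `cfg.settings` is visible to any local user.
  configFile = configFormat.generate "alertmanager-irc-relay.yml" cfg.settings;
in
{
  options.services.prometheus.alertmanagerIrcRelay = {
    enable = lib.mkEnableOption "Alertmanager IRC Relay";

    package = lib.mkPackageOption pkgs "alertmanager-irc-relay" { };

    extraFlags = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Extra command line options to pass to alertmanager-irc-relay.";
    };

    settings = lib.mkOption {
      type = configFormat.type;
      example = lib.literalExpression ''
        {
          http_host = "localhost";
          http_port = 8000;

          irc_host = "irc.example.com";
          irc_port = 7000;
          irc_nickname = "myalertbot";

          irc_channels = [
            { name = "#mychannel"; }
          ];
        }
      '';
      # The webhook URL below uses the same port as `http_port` in the example.
      description = ''
        Configuration for Alertmanager IRC Relay as a Nix attribute set.
        For a reference, check out the
        [example configuration](https://github.com/google/alertmanager-irc-relay#configuring-and-running-the-bot)
        and the
        [source code](https://github.com/google/alertmanager-irc-relay/blob/master/config.go).

        Note: The webhook's URL MUST point to the IRC channel where the message
        should be posted. For `#mychannel` from the example, this would be
        `http://localhost:8000/mychannel`.

        Note: These settings are written to the world-readable Nix store.
        Any secret placed here (for example an IRC password) can be read by
        every local user.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.alertmanager-irc-relay = {
      description = "Alertmanager IRC Relay";

      wantedBy = [ "multi-user.target" ];
      # Start only once the network is reported online.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      serviceConfig = {
        # NOTE(review): lib.escapeShellArgs quotes for a POSIX shell, but
        # systemd parses ExecStart itself; `%` specifiers and `$VAR`
        # references inside extraFlags are presumably still expanded.
        # utils.escapeSystemdExecArgs would be the systemd-aware choice;
        # confirm before switching.
        ExecStart = ''
          ${cfg.package}/bin/alertmanager-irc-relay \
          -config ${configFile} \
          ${lib.escapeShellArgs cfg.extraFlags}
        '';

        # Run as a transient, unprivileged user that cannot gain privileges.
        DynamicUser = true;
        NoNewPrivileges = true;

        # Filesystem view: read-only system, empty home directories, and
        # other users' processes hidden in /proc.
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";

        PrivateTmp = true;
        PrivateDevices = true;
        PrivateIPC = true;

        # Deny changes to host-wide kernel and system state.
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;

        # Only IPv4 and IPv6 sockets are permitted; AF_UNIX and all other
        # address families are not in the allow-list.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        # Allow the @system-service baseline, then remove the groups that
        # follow (entries prefixed with `~` are denied).
        SystemCallFilter = [
          "@system-service"
          "~@cpu-emulation"
          "~@privileged"
          "~@reboot"
          "~@setuid"
          "~@swap"
        ];
      };
    };
  };

  meta.maintainers = [ lib.maintainers.oxzi ];
}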