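{
  config,
  lib,
  pkgs,
  ...
}:

# NixOS module for alertmanager-ntfy: renders `settings` to a YAML file and runs the
# daemon as a hardened, dynamic-user systemd service. Secrets (notably the ntfy topic)
# should go through `extraConfigFiles`, which are delivered via systemd credentials.
let
  cfg = config.services.prometheus.alertmanager-ntfy;

  settingsFormat = pkgs.formats.yaml { };
  # Generated into the Nix store, hence world-readable: keep secrets out of `settings`.
  settingsFile = settingsFormat.generate "settings.yml" cfg.settings;

  # `%d` is systemd's specifier for the service's credentials directory; LoadCredential
  # below places extra config file i there under the name config-<i>.yml, so the
  # index used here and in LoadCredential must agree.
  configsArg = lib.concatStringsSep "," (
    [ settingsFile ] ++ lib.imap0 (i: _: "%d/config-${toString i}.yml") cfg.extraConfigFiles
  );
in

{
  meta.maintainers = with lib.maintainers; [ defelo ];

  options.services.prometheus.alertmanager-ntfy = {
    enable = lib.mkEnableOption "alertmanager-ntfy";

    package = lib.mkPackageOption pkgs "alertmanager-ntfy" { };

    settings = lib.mkOption {
      description = ''
        Configuration of alertmanager-ntfy.
        See <https://github.com/alexbakker/alertmanager-ntfy> for more information.
      '';
      default = { };

      type = lib.types.submodule {
        # Any key accepted by the upstream YAML config may be set; only the
        # commonly used ones are declared explicitly below.
        freeformType = settingsFormat.type;

        options = {
          http.addr = lib.mkOption {
            type = lib.types.str;
            description = "The address to listen on.";
            default = "127.0.0.1:8000";
            example = ":8000";
          };

          ntfy = {
            baseurl = lib.mkOption {
              type = lib.types.str;
              description = "The base URL of the ntfy.sh instance.";
              example = "https://ntfy.sh";
            };

            notification = {
              topic = lib.mkOption {
                type = lib.types.str;
                description = ''
                  __Note:__ when using ntfy.sh and other public instances
                  it is recommended to set this option to an empty string and set the actual topic via
                  [](#opt-services.prometheus.alertmanager-ntfy.extraConfigFiles) since
                  the `topic` in `ntfy.sh` is essentially a password.

                  The topic to which alerts should be published.
                  Can either be a hardcoded string or a gval expression that evaluates to a string.
                '';
                example = "alertmanager";
              };

              priority = lib.mkOption {
                type = lib.types.str;
                description = ''
                  The ntfy.sh message priority (see <https://docs.ntfy.sh/publish/#message-priority> for more information).
                  Can either be a hardcoded string or a gval expression that evaluates to a string.
                '';
                default = ''status == "firing" ? "high" : "default"'';
              };

              tags = lib.mkOption {
                type = lib.types.listOf (
                  lib.types.submodule {
                    options = {
                      tag = lib.mkOption {
                        type = lib.types.str;
                        description = ''
                          The tag to add.
                          See <https://docs.ntfy.sh/emojis> for a list of all supported emojis.
                        '';
                        example = "rotating_light";
                      };

                      condition = lib.mkOption {
                        type = lib.types.nullOr lib.types.str;
                        description = ''
                          The condition under which this tag should be added.
                          Tags with no condition are always included.
                        '';
                        default = null;
                        example = ''status == "firing"'';
                      };
                    };
                  }
                );
                description = ''
                  Tags to add to ntfy.sh messages.
                  See <https://docs.ntfy.sh/publish/#tags-emojis> for more information.
                '';
                default = [
                  {
                    tag = "green_circle";
                    condition = ''status == "resolved"'';
                  }
                  {
                    tag = "red_circle";
                    condition = ''status == "firing"'';
                  }
                ];
              };

              templates = {
                title = lib.mkOption {
                  type = lib.types.str;
                  description = "The ntfy.sh message title template.";
                  default = ''
                    {{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}
                  '';
                };

                description = lib.mkOption {
                  type = lib.types.str;
                  description = "The ntfy.sh message description template.";
                  default = ''
                    {{ index .Annotations "description" }}
                  '';
                };
              };
            };
          };
        };
      };
    };

    extraConfigFiles = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [ ];
      example = [ "/run/secrets/alertmanager-ntfy.yml" ];
      description = ''
        Config files to merge into the settings defined in [](#opt-services.prometheus.alertmanager-ntfy.settings).
        This is useful to avoid putting secrets into the Nix store.
        See <https://github.com/alexbakker/alertmanager-ntfy> for more information.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.alertmanager-ntfy = {
      wantedBy = [ "multi-user.target" ];

      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        User = "alertmanager-ntfy";
        Group = "alertmanager-ntfy";
        DynamicUser = true;

        # Each extra config file is handed to the service as credential config-<i>.yml
        # (readable only by the service, see `configsArg`). `toString` is essential:
        # interpolating a Nix *path* value with "${path}" copies the file into the
        # world-readable Nix store, which would leak a secret that this option exists
        # to keep out of the store; `toString` yields the plain path string instead.
        LoadCredential = lib.imap0 (
          i: path: "config-${toString i}.yml:${toString path}"
        ) cfg.extraConfigFiles;

        ExecStart = "${lib.getExe cfg.package} --configs ${configsArg}";

        Restart = "always";
        RestartSec = 5;

        # Hardening
        AmbientCapabilities = "";
        CapabilityBoundingSet = [ "" ];
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # One list element per family; systemd merges repeated assignments, which is
        # equivalent to the previous single space-separated string but is the
        # conventional NixOS form.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        UMask = "0077";
      };
    };
  };
}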