nixos/modules/services/monitoring/prometheus/alertmanager-irc-relay.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4
   5 let
   6   cfg = config.services.prometheus.alertmanagerIrcRelay;
   7
   8   configFormat = pkgs.formats.yaml { };
   9   configFile = configFormat.generate "alertmanager-irc-relay.yml" cfg.settings;
  10 in
  11 {
  12   options.services.prometheus.alertmanagerIrcRelay = {
  13     enable = mkEnableOption "Alertmanager IRC Relay";
  14
  15     package = mkPackageOption pkgs "alertmanager-irc-relay" { };
  16
  17     extraFlags = mkOption {
  18       type = types.listOf types.str;
  19       default = [];
  20       description = "Extra command line options to pass to alertmanager-irc-relay.";
  21     };
  22
  23     settings = mkOption {
  24       type = configFormat.type;
  25       example = literalExpression ''
  26         {
  27           http_host = "localhost";
  28           http_port = 8000;
  29
  30           irc_host = "irc.example.com";
  31           irc_port = 7000;
  32           irc_nickname = "myalertbot";
  33
  34           irc_channels = [
  35             { name = "#mychannel"; }
  36           ];
  37         }
  38       '';
  39       description = ''
  40         Configuration for Alertmanager IRC Relay as a Nix attribute set.
  41         For a reference, check out the
  42         [example configuration](https://github.com/google/alertmanager-irc-relay#configuring-and-running-the-bot)
  43         and the
  44         [source code](https://github.com/google/alertmanager-irc-relay/blob/master/config.go).
  45
  46         Note: The webhook's URL MUST point to the IRC channel where the message
  47         should be posted. For `#mychannel` from the example, this would be
  48         `http://localhost:8080/mychannel`.
  49       '';
  50     };
  51   };
  52
  53   config = mkIf cfg.enable {
  54     systemd.services.alertmanager-irc-relay = {
  55       description = "Alertmanager IRC Relay";
  56
  57       wantedBy = [ "multi-user.target" ];
  58       after = [ "network-online.target" ];
  59
  60       serviceConfig = {
  61         ExecStart = ''
  62           ${cfg.package}/bin/alertmanager-irc-relay \
  63           -config ${configFile} \
  64           ${escapeShellArgs cfg.extraFlags}
  65         '';
  66
  67         DynamicUser = true;
  68         NoNewPrivileges = true;
  69
  70         ProtectProc = "invisible";
  71         ProtectSystem = "strict";
  72         ProtectHome = "tmpfs";
  73
  74         PrivateTmp = true;
  75         PrivateDevices = true;
  76         PrivateIPC = true;
  77
  78         ProtectHostname = true;
  79         ProtectClock = true;
  80         ProtectKernelTunables = true;
  81         ProtectKernelModules = true;
  82         ProtectKernelLogs = true;
  83         ProtectControlGroups = true;
  84
  85         RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
  86         RestrictRealtime = true;
  87         RestrictSUIDSGID = true;
  88
  89         SystemCallFilter = [
  90           "@system-service"
  91           "~@cpu-emulation"
  92           "~@privileged"
  93           "~@reboot"
  94           "~@setuid"
  95           "~@swap"
  96         ];
  97       };
  98     };
  99   };
 100
 101   meta.maintainers = [ maintainers.oxzi ];
 102 }