1 { config, lib, pkgs, ... }:
3 with lib;
let
  # Shorthand for this module's own option values: declared in the
  # `options` block below and read under `config`.
  cfg = config.services.prometheus.alertmanagerWebhookLogger;
in
9   options.services.prometheus.alertmanagerWebhookLogger = {
10     enable = mkEnableOption "Alertmanager Webhook Logger";
12     package = mkPackageOption pkgs "alertmanager-webhook-logger" { };
14     extraFlags = mkOption {
15       type = types.listOf types.str;
16       default = [];
17       description = "Extra command line options to pass to alertmanager-webhook-logger.";
18     };
19   };
21   config = mkIf cfg.enable {
22     systemd.services.alertmanager-webhook-logger = {
23       description = "Alertmanager Webhook Logger";
25       wantedBy = [ "multi-user.target" ];
26       after = [ "network-online.target" ];
27       wants = [ "network-online.target" ];
29       serviceConfig = {
30         ExecStart = ''
31           ${cfg.package}/bin/alertmanager-webhook-logger \
32           ${escapeShellArgs cfg.extraFlags}
33         '';
35         CapabilityBoundingSet = [ "" ];
36         DeviceAllow = [ "" ];
37         DynamicUser = true;
38         NoNewPrivileges = true;
40         MemoryDenyWriteExecute = true;
42         LockPersonality = true;
44         ProtectProc = "invisible";
45         ProtectSystem = "strict";
46         ProtectHome = "tmpfs";
48         PrivateTmp = true;
49         PrivateDevices = true;
50         PrivateIPC = true;
52         ProcSubset = "pid";
54         ProtectHostname = true;
55         ProtectClock = true;
56         ProtectKernelTunables = true;
57         ProtectKernelModules = true;
58         ProtectKernelLogs = true;
59         ProtectControlGroups = true;
61         Restart  = "on-failure";
63         RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
64         RestrictNamespaces = true;
65         RestrictRealtime = true;
66         RestrictSUIDSGID = true;
68         SystemCallFilter = [
69           "@system-service"
70           "~@cpu-emulation"
71           "~@privileged"
72           "~@reboot"
73           "~@setuid"
74           "~@swap"
75         ];
76       };
77     };
78   };
80   meta.maintainers = [ maintainers.jpds ];