nixos/modules/services/monitoring/prometheus/alertmanager-irc-relay.nix

   1 { config, lib, pkgs, ... }:
   2 let
   3   cfg = config.services.prometheus.alertmanagerIrcRelay;
   4
   5   configFormat = pkgs.formats.yaml { };
   6   configFile = configFormat.generate "alertmanager-irc-relay.yml" cfg.settings;
   7 in
   8 {
   9   options.services.prometheus.alertmanagerIrcRelay = {
  10     enable = lib.mkEnableOption "Alertmanager IRC Relay";
  11
  12     package = lib.mkPackageOption pkgs "alertmanager-irc-relay" { };
  13
  14     extraFlags = lib.mkOption {
  15       type = lib.types.listOf lib.types.str;
  16       default = [];
  17       description = "Extra command line options to pass to alertmanager-irc-relay.";
  18     };
  19
  20     settings = lib.mkOption {
  21       type = configFormat.type;
  22       example = lib.literalExpression ''
  23         {
  24           http_host = "localhost";
  25           http_port = 8000;
  26
  27           irc_host = "irc.example.com";
  28           irc_port = 7000;
  29           irc_nickname = "myalertbot";
  30
  31           irc_channels = [
  32             { name = "#mychannel"; }
  33           ];
  34         }
  35       '';
  36       description = ''
  37         Configuration for Alertmanager IRC Relay as a Nix attribute set.
  38         For a reference, check out the
  39         [example configuration](https://github.com/google/alertmanager-irc-relay#configuring-and-running-the-bot)
  40         and the
  41         [source code](https://github.com/google/alertmanager-irc-relay/blob/master/config.go).
  42
  43         Note: The webhook's URL MUST point to the IRC channel where the message
  44         should be posted. For `#mychannel` from the example, this would be
  45         `http://localhost:8080/mychannel`.
  46       '';
  47     };
  48   };
  49
  50   config = lib.mkIf cfg.enable {
  51     systemd.services.alertmanager-irc-relay = {
  52       description = "Alertmanager IRC Relay";
  53
  54       wantedBy = [ "multi-user.target" ];
  55       after = [ "network-online.target" ];
  56
  57       serviceConfig = {
  58         ExecStart = ''
  59           ${cfg.package}/bin/alertmanager-irc-relay \
  60           -config ${configFile} \
  61           ${lib.escapeShellArgs cfg.extraFlags}
  62         '';
  63
  64         DynamicUser = true;
  65         NoNewPrivileges = true;
  66
  67         ProtectProc = "invisible";
  68         ProtectSystem = "strict";
  69         ProtectHome = "tmpfs";
  70
  71         PrivateTmp = true;
  72         PrivateDevices = true;
  73         PrivateIPC = true;
  74
  75         ProtectHostname = true;
  76         ProtectClock = true;
  77         ProtectKernelTunables = true;
  78         ProtectKernelModules = true;
  79         ProtectKernelLogs = true;
  80         ProtectControlGroups = true;
  81
  82         RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
  83         RestrictRealtime = true;
  84         RestrictSUIDSGID = true;
  85
  86         SystemCallFilter = [
  87           "@system-service"
  88           "~@cpu-emulation"
  89           "~@privileged"
  90           "~@reboot"
  91           "~@setuid"
  92           "~@swap"
  93         ];
  94       };
  95     };
  96   };
  97
  98   meta.maintainers = [ lib.maintainers.oxzi ];
  99 }