[NixPkgs.git] / nixos / modules / services / monitoring / prometheus / alertmanager-webhook-logger.nix
| blob | 5dd0b59011cabca0fc6315487df177049d7a13e6 |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
7 let
8 cfg = config.services.prometheus.alertmanagerWebhookLogger;
9 in
10 {
11 options.services.prometheus.alertmanagerWebhookLogger = {
12 enable = lib.mkEnableOption "Alertmanager Webhook Logger";
14 package = lib.mkPackageOption pkgs "alertmanager-webhook-logger" { };
16 extraFlags = lib.mkOption {
17 type = lib.types.listOf lib.types.str;
18 default = [ ];
19 description = "Extra command line options to pass to alertmanager-webhook-logger.";
20 };
21 };
23 config = lib.mkIf cfg.enable {
24 systemd.services.alertmanager-webhook-logger = {
25 description = "Alertmanager Webhook Logger";
27 wantedBy = [ "multi-user.target" ];
28 after = [ "network-online.target" ];
29 wants = [ "network-online.target" ];
31 serviceConfig = {
32 ExecStart = ''
33 ${cfg.package}/bin/alertmanager-webhook-logger \
34 ${lib.escapeShellArgs cfg.extraFlags}
35 '';
37 CapabilityBoundingSet = [ "" ];
38 DeviceAllow = [ "" ];
39 DynamicUser = true;
40 NoNewPrivileges = true;
42 MemoryDenyWriteExecute = true;
44 LockPersonality = true;
46 ProtectProc = "invisible";
47 ProtectSystem = "strict";
48 ProtectHome = "tmpfs";
50 PrivateTmp = true;
51 PrivateDevices = true;
52 PrivateIPC = true;
54 ProcSubset = "pid";
56 ProtectHostname = true;
57 ProtectClock = true;
58 ProtectKernelTunables = true;
59 ProtectKernelModules = true;
60 ProtectKernelLogs = true;
61 ProtectControlGroups = true;
63 Restart = "on-failure";
65 RestrictAddressFamilies = [
66 "AF_INET"
67 "AF_INET6"
68 ];
69 RestrictNamespaces = true;
70 RestrictRealtime = true;
71 RestrictSUIDSGID = true;
73 SystemCallFilter = [
74 "@system-service"
75 "~@cpu-emulation"
76 "~@privileged"
77 "~@reboot"
78 "~@setuid"
79 "~@swap"
80 ];
81 };
82 };
83 };
85 meta.maintainers = [ lib.maintainers.jpds ];
86 }