2024-06-02 19:54:49 +01:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
cfg = config.services.prometheus.alertmanagerWebhookLogger;
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options.services.prometheus.alertmanagerWebhookLogger = {
|
2024-08-30 00:47:01 +02:00
|
|
|
enable = lib.mkEnableOption "Alertmanager Webhook Logger";
|
2024-06-02 19:54:49 +01:00
|
|
|
|
2024-08-30 00:47:01 +02:00
|
|
|
package = lib.mkPackageOption pkgs "alertmanager-webhook-logger" { };
|
2024-06-02 19:54:49 +01:00
|
|
|
|
2024-08-30 00:47:01 +02:00
|
|
|
extraFlags = lib.mkOption {
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
2024-06-02 19:54:49 +01:00
|
|
|
default = [ ];
|
|
|
|
|
description = "Extra command line options to pass to alertmanager-webhook-logger.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2024-08-30 00:47:01 +02:00
|
|
|
config = lib.mkIf cfg.enable {
|
2024-06-02 19:54:49 +01:00
|
|
|
systemd.services.alertmanager-webhook-logger = {
|
|
|
|
|
description = "Alertmanager Webhook Logger";
|
|
|
|
|
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
after = [ "network-online.target" ];
|
|
|
|
|
wants = [ "network-online.target" ];
|
|
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = ''
|
|
|
|
|
${cfg.package}/bin/alertmanager-webhook-logger \
|
2024-08-30 00:47:01 +02:00
|
|
|
${lib.escapeShellArgs cfg.extraFlags}
|
2024-06-02 19:54:49 +01:00
|
|
|
'';
|
|
|
|
|
|
2024-06-24 00:13:04 +01:00
|
|
|
CapabilityBoundingSet = [ "" ];
|
|
|
|
|
DeviceAllow = [ "" ];
|
2024-06-02 19:54:49 +01:00
|
|
|
DynamicUser = true;
|
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
|
|
2024-06-24 00:13:04 +01:00
|
|
|
MemoryDenyWriteExecute = true;
|
|
|
|
|
|
|
|
|
|
LockPersonality = true;
|
|
|
|
|
|
2024-06-02 19:54:49 +01:00
|
|
|
ProtectProc = "invisible";
|
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
|
ProtectHome = "tmpfs";
|
|
|
|
|
|
|
|
|
|
PrivateTmp = true;
|
|
|
|
|
PrivateDevices = true;
|
|
|
|
|
PrivateIPC = true;
|
|
|
|
|
|
2024-06-24 00:13:04 +01:00
|
|
|
ProcSubset = "pid";
|
|
|
|
|
|
2024-06-02 19:54:49 +01:00
|
|
|
ProtectHostname = true;
|
|
|
|
|
ProtectClock = true;
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
|
2024-06-24 00:13:04 +01:00
|
|
|
Restart = "on-failure";
|
|
|
|
|
|
2024-06-02 19:54:49 +01:00
|
|
|
RestrictAddressFamilies = [
|
|
|
|
|
"AF_INET"
|
|
|
|
|
"AF_INET6"
|
|
|
|
|
];
|
2024-06-24 00:13:04 +01:00
|
|
|
RestrictNamespaces = true;
|
2024-06-02 19:54:49 +01:00
|
|
|
RestrictRealtime = true;
|
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
|
|
|
|
|
|
SystemCallFilter = [
|
|
|
|
|
"@system-service"
|
|
|
|
|
"~@cpu-emulation"
|
|
|
|
|
"~@privileged"
|
|
|
|
|
"~@reboot"
|
|
|
|
|
"~@setuid"
|
|
|
|
|
"~@swap"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2024-08-30 00:47:01 +02:00
|
|
|
meta.maintainers = [ lib.maintainers.jpds ];
|
2024-06-02 19:54:49 +01:00
|
|
|
}
|
