author | Franz Pletz <fpletz@fnordicwalking.de> | 2024-06-23 23:05:06 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-23 23:05:06 +0200 |
commit | 3c033186ee73229fdcdcb3266a36baf87d519840 (patch) | |
tree | 3b16162580537ac13f750b685fcada5a7a2ec3a3 /nixos/modules/services | |
parent | 2789cee804747dc1066fc293ab918f77297561c5 (diff) | |
parent | 5adadf25c6eba445401bd2a270a74a9c3bac73c2 (diff) |
Merge pull request #316727 from jpds/nixos-tests-prometheus
nixos/prometheus: Revamp tests
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
new file mode 100644
index 000000000000..b4307a76e1b0
--- /dev/null
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.prometheus.alertmanagerWebhookLogger;
+in
+{
+ options.services.prometheus.alertmanagerWebhookLogger = {
+ enable = mkEnableOption "Alertmanager Webhook Logger";
+
+ package = mkPackageOption pkgs "alertmanager-webhook-logger" { };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Extra command line options to pass to alertmanager-webhook-logger.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.alertmanager-webhook-logger = {
+ description = "Alertmanager Webhook Logger";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ serviceConfig = {
+ ExecStart = ''
+ ${cfg.package}/bin/alertmanager-webhook-logger \
+ ${escapeShellArgs cfg.extraFlags}
+ '';
+
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectHome = "tmpfs";
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation"
+ "~@privileged"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
+ };
+ };
+ };
+
+ meta.maintainers = [ maintainers.jpds ];
+}
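Review bot: The `serviceConfig` hardening in this new unit stops short of the usual sandbox set — there is no `CapabilityBoundingSet`, `RestrictNamespaces`, `LockPersonality`, `MemoryDenyWriteExecute` or `SystemCallArchitectures`, so the service can still create user namespaces and run non-native syscall ABIs, and the capability bounding set is left at the default rather than emptied. For a `DynamicUser` process whose only external interface is an inbound webhook over AF_INET/AF_INET6 these directives should be safe to add (the `MemoryDenyWriteExecute` line assumes the binary has no JIT — confirm before merging), and they bring the unit in line with what the neighbouring exporter modules under `nixos/modules/services/monitoring/prometheus` typically declare. Separately, the module exposes no listen-address/port option and opens no firewall port, so the bind address is whatever the binary's built-in default is; since the webhook endpoint presumably accepts unauthenticated POSTs from Alertmanager, the `extraFlags` description should at least point operators at it, e.g. `description = "Extra command line options to pass to alertmanager-webhook-logger, e.g. to set the listen address.";`.
```nix
      serviceConfig = {
        # … unchanged: ExecStart, DynamicUser, NoNewPrivileges, Protect*/Private* …
        CapabilityBoundingSet = [ "" ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        # … unchanged: RestrictAddressFamilies, RestrictRealtime, RestrictSUIDSGID, SystemCallFilter …
```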