authorFranz Pletz <fpletz@fnordicwalking.de>2024-06-23 23:05:06 +0200
committerGitHub <noreply@github.com>2024-06-23 23:05:06 +0200
commit3c033186ee73229fdcdcb3266a36baf87d519840 (patch)
tree3b16162580537ac13f750b685fcada5a7a2ec3a3 /nixos/modules/services
parent2789cee804747dc1066fc293ab918f77297561c5 (diff)
parent5adadf25c6eba445401bd2a270a74a9c3bac73c2 (diff)
Merge pull request #316727 from jpds/nixos-tests-prometheus
nixos/prometheus: Revamp tests
Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix70
1 files changed, 70 insertions, 0 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
new file mode 100644
index 000000000000..b4307a76e1b0
--- /dev/null
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.prometheus.alertmanagerWebhookLogger;
+in
+{
+ options.services.prometheus.alertmanagerWebhookLogger = {
+ enable = mkEnableOption "Alertmanager Webhook Logger";
+
+ package = mkPackageOption pkgs "alertmanager-webhook-logger" { };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Extra command line options to pass to alertmanager-webhook-logger.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.alertmanager-webhook-logger = {
+ description = "Alertmanager Webhook Logger";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ serviceConfig = {
+ ExecStart = ''
+ ${cfg.package}/bin/alertmanager-webhook-logger \
+ ${escapeShellArgs cfg.extraFlags}
+ '';
+
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectHome = "tmpfs";
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation"
+ "~@privileged"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
+ };
+ };
+ };
+
+ meta.maintainers = [ maintainers.jpds ];
+}
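Review bot: The `SystemCallFilter` list in `serviceConfig` is not paired with `SystemCallArchitectures = "native";`, so on hosts that support a secondary ABI the filter only constrains the native one; systemd's documentation recommends setting the two together. The unit also leaves the capability bounding set at its default. Since the service runs under `DynamicUser` and, judging by the allowed address families, only needs an IP socket, `CapabilityBoundingSet = "";` looks safe unless an operator uses `extraFlags` to bind a port below 1024. `RestrictNamespaces = true;` and `LockPersonality = true;` would complete the sandbox alongside the existing `Protect*` settings.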