-
Notifications
You must be signed in to change notification settings - Fork 5
/
module.nix
73 lines (69 loc) · 2.51 KB
/
module.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.alertmanager-ntfy;
settingsFormat = pkgs.formats.yaml { };
in {
options.services.alertmanager-ntfy = {
enable = mkEnableOption "Alertmanager notifications forwarder for ntfy.sh";
settings = mkOption {
type = types.submodule { freeformType = settingsFormat.type; };
default = { };
description = mdDoc ''
Configuration for alertmanager-ntfy. Documented [here](https://github.com/alexbakker/alertmanager-ntfy).
'';
};
extraSettingsPath = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Extra configuration file (YAML) to load and merge into the config generated from the settings defined by the NixOS module.
This can be used to pass credentials so that they don't end up in the Nix store.
'';
};
};
config = let
configuration = settingsFormat.generate "settings.yml" cfg.settings;
in mkIf cfg.enable {
systemd.services.alertmanager-ntfy = {
enable = true;
description = "Alertmanager notifications forwarder for ntfy.sh";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
LoadCredential = lib.mkIf (cfg.extraSettingsPath != null) "auth.yml:${cfg.extraSettingsPath}";
ExecStart = "${pkgs.alertmanager-ntfy}/bin/alertmanager-ntfy --configs ${configuration}${lib.optionalString (cfg.extraSettingsPath != null) ",\"\${CREDENTIALS_DIRECTORY}/auth.yml\""}";
Restart = "always";
RestartSec = 5;
UMask = "077";
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged" ];
CapabilityBoundingSet = null;
};
};
};
}