add option for monitor

modules/services/default.nix

@@ -10,5 +10,6 @@
     ./nginx.nix
     ./fileshelter.nix
     ./wireguard.nix
+    ./kop-monitor.nix
   ];
 }

modules/services/kop-monitor.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, lib, inputs, ... }:
+with lib;
+let cfg = config.custom.services.kop-monitor;
+in {
+  options.custom.services.kop-monitor = {
+    enable = mkEnableOption "Enables monitor";
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets.webhook = {
+      file = ../../secrets/webhook.age;
+    };
+    # service that runs all the time, pkgs.kop-monitor
+    systemd.services.kop-monitor = {
+      description = "Kop Monitor";
+      wants = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.kop-monitor}/bin/monitor";
+        DynamicUser = true;
+        Restart = "on-failure";
+        RestartSec = "5s";
+        EnvironmentFile = config.age.secrets.webhook.path;
+        PrivateMounts = mkDefault true;
+        PrivateTmp = mkDefault true;
+        PrivateUsers = mkDefault true;
+        ProtectClock = mkDefault true;
+        ProtectControlGroups = mkDefault true;
+        ProtectHome = mkDefault true;
+        ProtectHostname = mkDefault true;
+        ProtectKernelLogs = mkDefault true;
+        ProtectKernelModules = mkDefault true;
+        ProtectKernelTunables = mkDefault true;
+        ProtectSystem = mkDefault "strict";
+        # Needs network access
+        PrivateNetwork = mkDefault false;
+      };
+
+    };
+  };
+}

pkgs/default.nix

@@ -4,5 +4,5 @@
   ente-frontend = pkgs.callPackage ./ente-frontend/default.nix { };
   kop-website =
     pkgs.callPackage ./website/default.nix { inherit kop-hub ente-frontend; };
-  kop-monitor = pkgs.callPackage ./monitor/default.nix { };
+  kop-monitor = pkgs.callPackage ./kop-monitor/default.nix { };
 }

pkgs/kop-monitor/default.nix

@@ -16,5 +16,5 @@ rustPlatform.buildRustPackage {
   nativeBuildInputs = with pkgs; [ pkg-config ];
   buildInputs = with pkgs; [ openssl ];
 
-  cargoHash = "sha256-/bpxo5LUrdMJBzI6N4Dr+f7/pH6fE+fayzZW3CZ/lwA=";
+  cargoHash = "sha256-PI2bLMnT71JVeDZp/Es4jhwTPuSRvrz2j5wyNPLKkFY=";
 }

secrets/secrets.nix

@@ -26,4 +26,5 @@ in
   "step-ca-key.age".publicKeys = [ mini-pc server kop ];
   "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
   "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
+  "webhook.age".publicKeys = [ mini-pc server kop ];
 }

systems/mini-pc/configuration.nix

@@ -52,6 +52,7 @@
     };
     services = {
       acme.enable = true;
+      kop-monitor.enable = true;
       nginx.enable = true;
       ente.enable = true;
       fileshelter.enable = true;