From 933eacd4403e8928b8f459f5614335f01ff028d1 Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Mon, 20 May 2024 13:08:18 +0200
Subject: [PATCH] add option for monitor
---
modules/services/default.nix | 1 +
modules/services/kop-monitor.nix | 42 ++++++++++++++++++++++
pkgs/default.nix | 2 +-
pkgs/{monitor => kop-monitor}/default.nix | 2 +-
secrets/secrets.nix | 1 +
secrets/webhook.age | Bin 0 -> 565 bytes
systems/mini-pc/configuration.nix | 1 +
7 files changed, 47 insertions(+), 2 deletions(-)
create mode 100644 modules/services/kop-monitor.nix
rename pkgs/{monitor => kop-monitor}/default.nix (83%)
create mode 100644 secrets/webhook.age
diff --git a/modules/services/default.nix b/modules/services/default.nix
index aa497ec..bdc414a 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -10,5 +10,6 @@
 ./nginx.nix
 ./fileshelter.nix
 ./wireguard.nix
+ ./kop-monitor.nix
 ];
 }
diff --git a/modules/services/kop-monitor.nix b/modules/services/kop-monitor.nix
new file mode 100644
index 0000000..9670d7f
--- /dev/null
+++ b/modules/services/kop-monitor.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, inputs, ... }:
+with lib;
+let cfg = config.custom.services.kop-monitor;
+in {
+ options.custom.services.kop-monitor = {
+ enable = mkEnableOption "Enables monitor";
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.webhook = {
+ file = ../../secrets/webhook.age;
+ };
+ # service that runs all the time, pkgs.kop-monitor
+ systemd.services.kop-monitor = {
+ description = "Kop Monitor";
+ wants = [ "network-online.target" ];
+ after = [ "network.target" "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.kop-monitor}/bin/monitor";
+ DynamicUser = true;
+ Restart = "on-failure";
+ RestartSec = "5s";
+ EnvironmentFile = config.age.secrets.webhook.path;
+ PrivateMounts = mkDefault true;
+ PrivateTmp = mkDefault true;
+ PrivateUsers = mkDefault true;
+ ProtectClock = mkDefault true;
+ ProtectControlGroups = mkDefault true;
+ ProtectHome = mkDefault true;
+ ProtectHostname = mkDefault true;
+ ProtectKernelLogs = mkDefault true;
+ ProtectKernelModules = mkDefault true;
+ ProtectKernelTunables = mkDefault true;
+ ProtectSystem = mkDefault "strict";
+ # Needs network access
+ PrivateNetwork = mkDefault false;
+ };
+
+ };
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 0fe1874..90c37c8 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -4,5 +4,5 @@
 ente-frontend = pkgs.callPackage ./ente-frontend/default.nix { };
 kop-website = pkgs.callPackage ./website/default.nix { inherit kop-hub ente-frontend; };
- kop-monitor = pkgs.callPackage ./monitor/default.nix { };
+ kop-monitor = pkgs.callPackage ./kop-monitor/default.nix { };
 }
diff --git a/pkgs/monitor/default.nix b/pkgs/kop-monitor/default.nix
similarity index 83%
rename from pkgs/monitor/default.nix
rename to pkgs/kop-monitor/default.nix
index 9748564..4c5b55c 100644
--- a/pkgs/monitor/default.nix
+++ b/pkgs/kop-monitor/default.nix
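Review bot: The `serviceConfig` block in the new kop-monitor unit leaves the process with the default capability bounding set, every socket address family and an unfiltered syscall table, while the only privilege the file itself says it needs (`# Needs network access`) is outbound networking for the webhook. Because `DynamicUser = true` already runs it unprivileged, the remaining gap is closed by adding `CapabilityBoundingSet`, `RestrictAddressFamilies`, `SystemCallFilter` and the `Restrict*`/`LockPersonality`/`MemoryDenyWriteExecute` switches next to the existing `Protect*` options, then confirming with `systemd-analyze security kop-monitor` that the unit still starts (AF_UNIX is kept in case name resolution goes through the local nscd socket — verify on the host). Two smaller points in the same hunk: `inputs` in the argument set is unused, and the file mixes `with lib;` with a qualified `lib.mkIf`. `EnvironmentFile` places the webhook secret in the process environment; that is acceptable under this sandbox, but if the monitor binary can read a path instead, `LoadCredential` keeps the secret out of the environment entirely.
```nix
      serviceConfig = {
        # … unchanged: Type, ExecStart, DynamicUser, Restart*, EnvironmentFile, Private*/Protect* …
        # Only outbound network is needed; drop what the default sandbox still permits.
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = mkDefault true;
        LockPersonality = mkDefault true;
        MemoryDenyWriteExecute = mkDefault true;
        RestrictRealtime = mkDefault true;
        RestrictSUIDSGID = mkDefault true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
      };
```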
@@ -16,5 +16,5 @@ rustPlatform.buildRustPackage {
 nativeBuildInputs = with pkgs; [ pkg-config ];
 buildInputs = with pkgs; [ openssl ];
- cargoHash = "sha256-/bpxo5LUrdMJBzI6N4Dr+f7/pH6fE+fayzZW3CZ/lwA=";
+ cargoHash = "sha256-PI2bLMnT71JVeDZp/Es4jhwTPuSRvrz2j5wyNPLKkFY=";
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b5bf342..d6c0178 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,5 @@ in
 "step-ca-key.age".publicKeys = [ mini-pc server kop ];
 "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
 "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
+ "webhook.age".publicKeys = [ mini-pc server kop ];
 }
diff --git a/secrets/webhook.age b/secrets/webhook.age
new file mode 100644
index 0000000000000000000000000000000000000000..e90d370c7e297bc145f43bee658278d00417803c
GIT binary patch
literal 565
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHE;VqiELRB4FNjKt zvWyCeh^Q(oOw964GB6GGh|H_<%uGr5F9_2&k4UTVuQEw7^yM;f^GGtxDlT?%D+tKT z&8UhDt}4ii3=4B|cQNuyH_kIG4l@ldEc2_%N=CQMGtAf}J5a$TwA{xiFSQ`ZS35G< zvOF=&z~9W&rNq?Lry{8!xw1IeJ1jHYB-`7>z>_O2*x4&FzbY)Hs4^+gJ2xobySTu$ zq`)Q6EjS{wqRgy3Ji|D^)FRR()B@c$7w4)>Lq`Q~?-0{SZ=YO0S3{4Ks+0;(v-0AS zq(T$(Op8*NjQj`#r_jPsWAji)4-+m^r$pn-z-*I9OGlH;tgLV|ZF8Rz$JBDCvg~3X zH^1b7$VBth!fY?+VplF*U0sC${X&mQi`25zfMR`9cQenzh~%=&eD?^qz(7ayq6l9f z*PvWugD5wjtZXiU_uuEe-eug|bpT|BpE~}B7 z?DEI6$07N~x<&3MFIlf{v0uIT2G3K+#b3@mRh7Q{_k
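Review bot: The `cargoHash` on the `+` line changes although the diffstat shows the file's only other change is its rename, so the vendored Cargo dependency set being built differs from the one previously pinned and nothing in the patch records why; `src` is outside the hunk, and if it is a flake input or local path the matching source update is not part of this patch either. A short comment above the hash naming what it corresponds to, e.g. `# cargoHash for upstream <rev — fill in>`, and a mention in the commit message would make the dependency change reviewable rather than an opaque hash bump.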
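Review bot: The new `"webhook.age".publicKeys = [ mini-pc server kop ];` line lets three recipient keys decrypt the webhook secret, yet the diffstat shows the service is only enabled in `systems/mini-pc/configuration.nix`, so `server` gains access to a credential it has no use for. Unless `server` is also meant to run the monitor, scope the recipients to the consuming host plus the admin key, e.g. `"webhook.age".publicKeys = [ mini-pc kop ];`. The neighbouring entries follow the same all-hosts pattern, so this may be a deliberate convention; if so, a one-line comment in the file saying that secrets are shared across hosts by design would stop the question recurring. The enclosing `let … in` of secrets.nix starts outside the hunk.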