add option for monitor

modules/services/default.nix

@@ -10,5 +10,6 @@
     ./nginx.nix
     ./fileshelter.nix
     ./wireguard.nix
+    ./kop-monitor.nix
   ];
 }

modules/services/kop-monitor.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, lib, inputs, ... }:
+with lib;
+let cfg = config.custom.services.kop-monitor;
+in {
+  options.custom.services.kop-monitor = {
+    enable = mkEnableOption "Enables monitor";
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets.webhook = {
+      file = ../../secrets/webhook.age;
+    };
+    # service that runs all the time, pkgs.kop-monitor
+    systemd.services.kop-monitor = {
+      description = "Kop Monitor";
+      wants = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.kop-monitor}/bin/monitor";
+        DynamicUser = true;
+        Restart = "on-failure";
+        RestartSec = "5s";
+        EnvironmentFile = config.age.secrets.webhook.path;
+        PrivateMounts = mkDefault true;
+        PrivateTmp = mkDefault true;
+        PrivateUsers = mkDefault true;
+        ProtectClock = mkDefault true;
+        ProtectControlGroups = mkDefault true;
+        ProtectHome = mkDefault true;
+        ProtectHostname = mkDefault true;
+        ProtectKernelLogs = mkDefault true;
+        ProtectKernelModules = mkDefault true;
+        ProtectKernelTunables = mkDefault true;
+        ProtectSystem = mkDefault "strict";
+        # Needs network access
+        PrivateNetwork = mkDefault false;
+      };
+
+    };
+  };
+}