kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add option for monitor

Browse Source
This commit is contained in:
Kopatz
2024-05-20 13:08:18 +02:00
parent e9c3f0871c
commit 933eacd440
7 changed files with 47 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
modules/services/default.nix
View File

@@ -10,5 +10,6 @@
./nginx.nix ./nginx.nix
./fileshelter.nix ./fileshelter.nix
./wireguard.nix ./wireguard.nix
./kop-monitor.nix
]; ];
} }

42
modules/services/kop-monitor.nix Normal file
View File

@@ -0,0 +1,42 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let cfg = config.custom.services.kop-monitor;
in {
options.custom.services.kop-monitor = {
enable = mkEnableOption "Enables monitor";
};
config = lib.mkIf cfg.enable {
age.secrets.webhook = {
file = ../../secrets/webhook.age;
};
# service that runs all the time, pkgs.kop-monitor
systemd.services.kop-monitor = {
description = "Kop Monitor";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.kop-monitor}/bin/monitor";
DynamicUser = true;
Restart = "on-failure";
RestartSec = "5s";
EnvironmentFile = config.age.secrets.webhook.path;
PrivateMounts = mkDefault true;
PrivateTmp = mkDefault true;
PrivateUsers = mkDefault true;
ProtectClock = mkDefault true;
ProtectControlGroups = mkDefault true;
ProtectHome = mkDefault true;
ProtectHostname = mkDefault true;
ProtectKernelLogs = mkDefault true;
ProtectKernelModules = mkDefault true;
ProtectKernelTunables = mkDefault true;
ProtectSystem = mkDefault "strict";
# Needs network access
PrivateNetwork = mkDefault false;
};
};
};
}

2
pkgs/default.nix
View File

@@ -4,5 +4,5 @@
ente-frontend = pkgs.callPackage ./ente-frontend/default.nix { }; ente-frontend = pkgs.callPackage ./ente-frontend/default.nix { };
kop-website = kop-website =
pkgs.callPackage ./website/default.nix { inherit kop-hub ente-frontend; }; pkgs.callPackage ./website/default.nix { inherit kop-hub ente-frontend; };
kop-monitor = pkgs.callPackage ./monitor/default.nix { }; kop-monitor = pkgs.callPackage ./kop-monitor/default.nix { };
} }

2
pkgs/monitor/default.nix → pkgs/kop-monitor/default.nix
View File

@@ -16,5 +16,5 @@ rustPlatform.buildRustPackage {
nativeBuildInputs = with pkgs; [ pkg-config ]; nativeBuildInputs = with pkgs; [ pkg-config ];
buildInputs = with pkgs; [ openssl ]; buildInputs = with pkgs; [ openssl ];
cargoHash = "sha256-/bpxo5LUrdMJBzI6N4Dr+f7/pH6fE+fayzZW3CZ/lwA="; cargoHash = "sha256-PI2bLMnT71JVeDZp/Es4jhwTPuSRvrz2j5wyNPLKkFY=";
} }

1
secrets/secrets.nix
View File

@@ -26,4 +26,5 @@ in
"step-ca-key.age".publicKeys = [ mini-pc server kop ]; "step-ca-key.age".publicKeys = [ mini-pc server kop ];
"grafana-contact-points.age".publicKeys = [ mini-pc server kop ]; "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
"fileshelter-conf.age".publicKeys = [ mini-pc server kop ]; "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
"webhook.age".publicKeys = [ mini-pc server kop ];
} }

BIN
secrets/webhook.age Normal file
View File

Binary file not shown.

1
systems/mini-pc/configuration.nix
View File

@@ -52,6 +52,7 @@
}; };
services = { services = {
acme.enable = true; acme.enable = true;
kop-monitor.enable = true;
nginx.enable = true; nginx.enable = true;
ente.enable = true; ente.enable = true;
fileshelter.enable = true; fileshelter.enable = true;