add option for monitor

2024-05-20 13:08:18 +02:00
parent e9c3f0871c
commit 933eacd440
7 changed files with 47 additions and 2 deletions
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -10,5 +10,6 @@
    ./nginx.nix
    ./fileshelter.nix
    ./wireguard.nix
+    ./kop-monitor.nix
  ];
 }
--- a/modules/services/kop-monitor.nix
+++ b/modules/services/kop-monitor.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, inputs, ... }:
+with lib;
+let cfg = config.custom.services.kop-monitor;
+in {
+  options.custom.services.kop-monitor = {
+    enable = mkEnableOption "Enables monitor";
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets.webhook = {
+      file = ../../secrets/webhook.age;
+    };
+    # service that runs all the time, pkgs.kop-monitor
+    systemd.services.kop-monitor = {
+      description = "Kop Monitor";
+      wants = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.kop-monitor}/bin/monitor";
+        DynamicUser = true;
+        Restart = "on-failure";
+        RestartSec = "5s";
+        EnvironmentFile = config.age.secrets.webhook.path;
+        PrivateMounts = mkDefault true;
+        PrivateTmp = mkDefault true;
+        PrivateUsers = mkDefault true;
+        ProtectClock = mkDefault true;
+        ProtectControlGroups = mkDefault true;
+        ProtectHome = mkDefault true;
+        ProtectHostname = mkDefault true;
+        ProtectKernelLogs = mkDefault true;
+        ProtectKernelModules = mkDefault true;
+        ProtectKernelTunables = mkDefault true;
+        ProtectSystem = mkDefault "strict";
+        # Needs network access
+        PrivateNetwork = mkDefault false;
+      };
+
+    };
+  };
+}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -4,5 +4,5 @@
  ente-frontend = pkgs.callPackage ./ente-frontend/default.nix { };
  kop-website =
    pkgs.callPackage ./website/default.nix { inherit kop-hub ente-frontend; };
-  kop-monitor = pkgs.callPackage ./monitor/default.nix { };
+  kop-monitor = pkgs.callPackage ./kop-monitor/default.nix { };
 }
--- a/pkgs/kop-monitor/default.nix
+++ b/pkgs/kop-monitor/default.nix
@@ -16,5 +16,5 @@ rustPlatform.buildRustPackage {
  nativeBuildInputs = with pkgs; [ pkg-config ];
  buildInputs = with pkgs; [ openssl ];

-  cargoHash = "sha256-/bpxo5LUrdMJBzI6N4Dr+f7/pH6fE+fayzZW3CZ/lwA=";
+  cargoHash = "sha256-PI2bLMnT71JVeDZp/Es4jhwTPuSRvrz2j5wyNPLKkFY=";
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,5 @@ in
  "step-ca-key.age".publicKeys = [ mini-pc server kop ];
  "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
  "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
+  "webhook.age".publicKeys = [ mini-pc server kop ];
 }
--- a/secrets/webhook.age
+++ b/secrets/webhook.age
--- a/systems/mini-pc/configuration.nix
+++ b/systems/mini-pc/configuration.nix
@@ -52,6 +52,7 @@
    };
    services = {
      acme.enable = true;
+      kop-monitor.enable = true;
      nginx.enable = true;
      ente.enable = true;
      fileshelter.enable = true;