nix-config/modules/services/kop-monitor.nix

{ config, pkgs, lib, inputs, ... }:
with lib;
let cfg = config.custom.services.kop-monitor;
in {
  options.custom.services.kop-monitor = {
    enable = mkEnableOption "Enables monitor";
  };
  config = lib.mkIf cfg.enable {
    age.secrets.webhook = {
      file = ../../secrets/webhook.age;
    };
    # service that runs all the time, pkgs.kop-monitor
    systemd.services.kop-monitor = {
      description = "Kop Monitor";
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.kop-monitor}/bin/monitor";
        DynamicUser = true;
        Restart = "on-failure";
        RestartSec = "5s";
        EnvironmentFile = config.age.secrets.webhook.path;
        PrivateMounts = mkDefault true;
        PrivateTmp = mkDefault true;
        PrivateUsers = mkDefault true;
        ProtectClock = mkDefault true;
        ProtectControlGroups = mkDefault true;
        ProtectHome = mkDefault true;
        ProtectHostname = mkDefault true;
        ProtectKernelLogs = mkDefault true;
        ProtectKernelModules = mkDefault true;
        ProtectKernelTunables = mkDefault true;
        ProtectSystem = mkDefault "strict";
        # Needs network access
        PrivateNetwork = mkDefault false;
      };

    };
  };
}