Unverified Commit 71e949e7 authored by nixpkgs-ci[bot]'s avatar nixpkgs-ci[bot] Committed by GitHub

Merge master into staging-next

parents ec38df95 286d25f5
+40 −0
@@ -1860,6 +1860,12 @@
    githubId = 13347712;
    name = "Leo Shchurov";
  };
  ardubev16 = {
    email = "lorenzobevilacqua02@gmail.com";
    github = "ardubev16";
    githubId = 43483037;
    name = "Lorenzo Bevilacqua";
  };
  ardumont = {
    email = "eniotna.t@gmail.com";
    github = "ardumont";
@@ -11723,6 +11729,14 @@
    githubId = 79042825;
    name = "Jan Kremer";
  };
  juli0604 = {
    name = "Julian Kuhn";
    email = "juliankuhn06@gmail.com";
    matrix = "@julian:matrix.epiccraft-mc.de";
    github = "juli0604";
    githubId = 62934740;
    keys = [ { fingerprint = "E9C6 44C7 F6AA A865 4CB9  2723 22C8 B0CE B9AC 4AFF"; } ];
  };
  JulianFP = {
    name = "Julian Partanen";
    github = "JulianFP";
@@ -14009,6 +14023,14 @@
    github = "mac-chaffee";
    githubId = 7581860;
  };
  macronova = {
    name = "Sicheng Pan";
    email = "trivial@invariantspace.com";
    matrix = "@macronova:invariantspace.com";
    github = "Sicheng-Pan";
    githubId = 60079945;
    keys = [ { fingerprint = "7590 C9DD E19D 4497 9EE9  0B14 CE96 9670 FB4B 4A56"; } ];
  };
  madjar = {
    email = "georges.dubus@compiletoi.net";
    github = "madjar";
@@ -16380,6 +16402,12 @@
    githubId = 43587167;
    name = "Nikita Tikhonov";
  };
  nekowinston = {
    email = "hey@winston.sh";
    github = "nekowinston";
    githubId = 79978224;
    name = "winston";
  };
  nelsonjeppesen = {
    email = "nix@jeppesen.io";
    github = "NelsonJeppesen";
@@ -22563,6 +22591,12 @@
    githubId = 98333944;
    name = "Sven Over";
  };
  Svenum = {
    email = "s.ziegler@holypenguin.net";
    github = "Svenum";
    githubId = 43136984;
    name = "Sven Ziegler";
  };
  svrana = {
    email = "shaw@vranix.com";
    github = "svrana";
@@ -26122,6 +26156,12 @@
    github = "zmitchell";
    githubId = 10246891;
  };
  ZMon3y = {
    name = "Matt Szafir";
    email = "mattszafir+nix@gmail.com";
    github = "ZMon3y";
    githubId = 9386488;
  };
  znaniye = {
    email = "zn4niye@proton.me";
    github = "znaniye";
+1 −0
@@ -956,6 +956,7 @@
  ./services/monitoring/opentelemetry-collector.nix
  ./services/monitoring/osquery.nix
  ./services/monitoring/parsedmarc.nix
  ./services/monitoring/prometheus/alertmanager-gotify-bridge.nix
  ./services/monitoring/prometheus/alertmanager-irc-relay.nix
  ./services/monitoring/prometheus/alertmanager-webhook-logger.nix
  ./services/monitoring/prometheus/alertmanager.nix
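--- /dev/null
+++ b/PATH-NOT-SHOWN/services/monitoring/prometheus/alertmanager-gotify-bridge.nix
@@ -0,0 +1,194 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.prometheus.alertmanagerGotify;
+  pkg = cfg.package;
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    types
+    mkIf
+    mkPackageOption
+    optionalString
+    ;
+in
+{
+  meta.maintainers = with lib.maintainers; [ juli0604 ];
+  options.services.prometheus.alertmanagerGotify = {
+    enable = mkEnableOption "alertmagager-gotify";
+    package = mkPackageOption pkgs "alertmanager-gotify-bridge" { };
+    bindAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = "The address the server will listen on (bind address).";
+    };
+    defaultPriority = mkOption {
+      type = types.int;
+      default = 5;
+      description = "The default priority for messages sent to gotify.";
+    };
+    debug = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enables extended logs for debugging purposes. Should be disabled in productive mode.";
+    };
+    dispatchErrors = mkOption {
+      type = types.bool;
+      default = false;
+      description = "When enabled, alerts will be tried to dispatch with an error message regarding faulty templating or missing fields to help debugging.";
+    };
+    extendedDetails = mkOption {
+      type = types.bool;
+      default = false;
+      description = "When enabled, alerts are presented in HTML format and include colorized status (FIR|RES), alert start time, and a link to the generator of the alert.";
+    };
+    messageAnnotation = mkOption {
+      type = types.str;
+      description = "Annotation holding the alert message.";
+    };
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Opens the bridge port in the firewall.";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "The local port the bridge is listening on.";
+    };
+    priorityAnnotation = mkOption {
+      type = types.str;
+      default = "priority";
+      description = "Annotation holding the priority of the alert.";
+    };
+    timeout = mkOption {
+      type = types.ints.positive;
+      default = 5;
+      description = "The time between sending a message and the timeout.";
+    };
+    titleAnnotation = mkOption {
+      type = types.str;
+      default = "summary";
+      description = "Annotation holding the title of the alert";
+    };
+    webhookPath = mkOption {
+      type = types.str;
+      default = "/gotify_webhook";
+      description = "The URL path to handle requests on.";
+    };
+    environmentFile = mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        File containing additional config environment variables for alertmanager-gotify-bridge.
+        This is especially for secrets like GOTIFY_TOKEN and AUTH_PASSWORD.
+      '';
+    };
+    gotifyEndpoint = {
+      host = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = "The hostname or ip your gotify endpoint is running.";
+      };
+      port = mkOption {
+        type = types.port;
+        default = 443;
+        description = "The port your gotify endpoint is running.";
+      };
+      tls = mkOption {
+        type = types.bool;
+        default = true;
+        description = "If your gotify endpoint uses https, leave this option set to default";
+      };
+    };
+    metrics = {
+      username = mkOption {
+        type = types.str;
+        description = "The username used to access your metrics.";
+      };
+      namespace = mkOption {
+        type = types.str;
+        default = "alertmanager-gotify-bridge";
+        description = "The namescape of the metrics.";
+      };
+      path = mkOption {
+        type = types.str;
+        default = "/metrics";
+        description = "The path under which the metrics will be exposed.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      groups.alertmanager-gotify = { };
+      users.alertmanager-gotify = {
+        group = "alertmanager-gotify";
+        isSystemUser = true;
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+    };
+
+    systemd.services.alertmanager-gotify-bridge = {
+      description = "A bridge between Prometheus AlertManager and a Gotify server";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${lib.getExe pkg} ${optionalString cfg.debug "--debug"}";
+        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+        User = "alertmanager-gotify";
+        Group = "alertmanager-gotify";
+
+        #hardening
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateIPC = true;
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectKernelTunables = true;
+        ProtectHostname = true;
+        ProtectProc = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        MemoryDenyWriteExecute = true;
+        LockPersonality = true;
+        ProcSubset = "pid";
+        SystemCallArchitectures = "native";
+        RemoveIPC = true;
+
+      };
+      environment = {
+        BIND_ADDRESS = cfg.bindAddress;
+        DEFAULT_PRIORITY = toString cfg.defaultPriority;
+        DISPATCH_ERRORS = toString cfg.dispatchErrors;
+        EXTENDED_DETAILS = toString cfg.extendedDetails;
+        MESSAGE_ANNOTATION = cfg.messageAnnotation;
+        PORT = toString cfg.port;
+        PRIORITY_ANNOTATION = cfg.priorityAnnotation;
+        TIMEOUT = "${toString cfg.timeout}s";
+        TITLE_ANNOTATION = cfg.titleAnnotation;
+        WEBHOOK_PATH = cfg.webhookPath;
+        GOTIFY_ENDPOINT = "${
+          if cfg.gotifyEndpoint.tls then "https://" else "http://"
+        }${toString cfg.gotifyEndpoint.host}:${toString cfg.gotifyEndpoint.port}/message";
+        AUTH_USERNAME = cfg.metrics.username;
+      };
+    };
+  };
+}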
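Review bot: The options `metrics.namespace` and `metrics.path` in the `metrics` submodule are declared with defaults but never exported in the service's `environment` attribute set, so setting them has no effect; either wire them to the bridge's corresponding environment variables (their names are not shown in this diff) or drop the two options. The enable description `mkEnableOption "alertmagager-gotify"` contains a typo and names the service differently from the systemd unit; `mkEnableOption "alertmanager-gotify-bridge"` fixes both. `bindAddress` defaults to `"0.0.0.0"`, which exposes the webhook on every interface even though `openFirewall` is off by default; since Alertmanager typically runs on the same host, `default = "127.0.0.1";` with a description telling users to widen it deliberately is the safer default. The hardening block could additionally carry `CapabilityBoundingSet = "";`, `SystemCallFilter = [ "@system-service" ];` and `ProtectClock = true;`, which are the usual complement for an unprivileged network service that only needs AF_INET/AF_INET6.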
+2 −2
@@ -91,7 +91,7 @@ in
        description = ''
          Whether to enable the fail2ban service.

          See the documentation of {option}`services.fail2ban.jails`
          See the documentation of [](#opt-services.fail2ban.jails)
          for what jails are enabled by default.
        '';
      };
@@ -326,7 +326,7 @@ in

          NixOS comes with a default `sshd` jail;
          for it to work well,
          {option}`services.openssh.logLevel` should be set to
          [](#opt-services.openssh.settings.LogLevel) should be set to
          `"VERBOSE"` or higher so that fail2ban
          can observe failed login attempts.
          This module sets it to `"VERBOSE"` if
+1 −1
@@ -105,7 +105,7 @@ in
              add_header Set-Cookie $auth_cookie;
            '';

            "/oauth2/auth" =
            "= /oauth2/auth" =
              let
                maybeQueryArg =
                  name: value:
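Review bot: The switch to an exact-match location is easy to misread as a stray typo, because nothing in the hunk says why `= ` was prepended to `/oauth2/auth`; a one-line comment above it such as `# exact match (=): only /oauth2/auth itself gets the auth_request handling, longer /oauth2/auth... paths no longer land here` would record the intent. I am inferring that motivation from nginx's location matching rules, so adjust the wording if the actual reason differs. The enclosing `locations` attribute set starts and ends outside the hunk.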