nixos/prometheus/alertmanager-ntfy: init module (#402291) (9cacd7ee) · Commits · nix / nixpkgs

nixos/doc/manual/release-notes/rl-2505.section.md

+2 −0

Original line number	Diff line number	Diff line
		@@ -166,6 +166,8 @@

		- [OliveTin](https://www.olivetin.app/), gives safe and simple access to predefined shell commands from a web interface. Available as [services.olivetin](#opt-services.olivetin.enable).

		- [alertmanager-ntfy](https://github.com/alexbakker/alertmanager-ntfy), forwards Prometheus Alertmanager notifications to ntfy.sh. Available as [services.prometheus.alertmanager-ntfy](#opt-services.prometheus.alertmanager-ntfy.enable).

		- [Stash](https://github.com/stashapp/stash), An organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable).

		- [vsmartcard-vpcd](https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html), a virtual smart card driver. Available as [services.vsmartcard-vpcd](#opt-services.vsmartcard-vpcd.enable).

nixos/modules/module-list.nix

+1 −0

Original line number	Diff line number	Diff line
		@@ -985,6 +985,7 @@
		./services/monitoring/pgscv.nix
		./services/monitoring/prometheus/alertmanager-gotify-bridge.nix
		./services/monitoring/prometheus/alertmanager-irc-relay.nix
		./services/monitoring/prometheus/alertmanager-ntfy.nix
		./services/monitoring/prometheus/alertmanager-webhook-logger.nix
		./services/monitoring/prometheus/alertmanager.nix
		./services/monitoring/prometheus/default.nix

nixos/modules/services/monitoring/prometheus/alertmanager-ntfy.nix

0 → 100644

+201 −0

Original line number	Diff line number	Diff line
		{
		config,
		lib,
		pkgs,
		...
		}:

		let
		cfg = config.services.prometheus.alertmanager-ntfy;

		settingsFormat = pkgs.formats.yaml { };
		settingsFile = settingsFormat.generate "settings.yml" cfg.settings;

		configsArg = lib.concatStringsSep "," (
		[ settingsFile ] ++ lib.imap0 (i: _: "%d/config-${toString i}.yml") cfg.extraConfigFiles
		);
		in

		{
		meta.maintainers = with lib.maintainers; [ defelo ];

		options.services.prometheus.alertmanager-ntfy = {
		enable = lib.mkEnableOption "alertmanager-ntfy";

		package = lib.mkPackageOption pkgs "alertmanager-ntfy" { };

		settings = lib.mkOption {
		description = ''
		Configuration of alertmanager-ntfy.
		See <https://github.com/alexbakker/alertmanager-ntfy> for more information.
		'';
		default = { };

		type = lib.types.submodule {
		freeformType = settingsFormat.type;

		options = {
		http.addr = lib.mkOption {
		type = lib.types.str;
		description = "The address to listen on.";
		default = "127.0.0.1:8000";
		example = ":8000";
		};

		ntfy = {
		baseurl = lib.mkOption {
		type = lib.types.str;
		description = "The base URL of the ntfy.sh instance.";
		example = "https://ntfy.sh";
		};

		notification = {
		topic = lib.mkOption {
		type = lib.types.str;
		description = ''
		The topic to which alerts should be published.
		Can either be a hardcoded string or a gval expression that evaluates to a string.
		'';
		example = "alertmanager";
		};

		priority = lib.mkOption {
		type = lib.types.str;
		description = ''
		The ntfy.sh message priority (see <https://docs.ntfy.sh/publish/#message-priority> for more information).
		Can either be a hardcoded string or a gval expression that evaluates to a string.
		'';
		default = ''status == "firing" ? "high" : "default"'';
		};

		tags = lib.mkOption {
		type = lib.types.listOf (
		lib.types.submodule {
		options = {
		tag = lib.mkOption {
		type = lib.types.str;
		description = ''
		The tag to add.
		See <https://docs.ntfy.sh/emojis> for a list of all supported emojis.
		'';
		example = "rotating_light";
		};

		condition = lib.mkOption {
		type = lib.types.nullOr lib.types.str;
		description = ''
		The condition under which this tag should be added.
		Tags with no condition are always included.
		'';
		default = null;
		example = ''status == "firing"'';
		};
		};
		}
		);
		description = ''
		Tags to add to ntfy.sh messages.
		See <https://docs.ntfy.sh/publish/#tags-emojis> for more information.
		'';
		default = [
		{
		tag = "green_circle";
		condition = ''status == "resolved"'';
		}
		{
		tag = "red_circle";
		condition = ''status == "firing"'';
		}
		];
		};

		templates = {
		title = lib.mkOption {
		type = lib.types.str;
		description = "The ntfy.sh message title template.";
		default = ''
		{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}
		'';
		};

		description = lib.mkOption {
		type = lib.types.str;
		description = "The ntfy.sh message description template.";
		default = ''
		{{ index .Annotations "description" }}
		'';
		};
		};
		};
		};
		};
		};
		};

		extraConfigFiles = lib.mkOption {
		type = lib.types.listOf lib.types.path;
		default = [ ];
		example = [ "/run/secrets/alertmanager-ntfy.yml" ];
		description = ''
		Config files to merge into the settings defined in [](#opt-services.prometheus.alertmanager-ntfy.settings).
		This is useful to avoid putting secrets into the Nix store.
		See <https://github.com/alexbakker/alertmanager-ntfy> for more information.
		'';
		};
		};

		config = lib.mkIf cfg.enable {
		systemd.services.alertmanager-ntfy = {
		wantedBy = [ "multi-user.target" ];

		wants = [ "network-online.target" ];
		after = [ "network-online.target" ];

		serviceConfig = {
		User = "alertmanager-ntfy";
		Group = "alertmanager-ntfy";
		DynamicUser = true;

		LoadCredential = lib.imap0 (i: path: "config-${toString i}.yml:${path}") cfg.extraConfigFiles;

		ExecStart = "${lib.getExe cfg.package} --configs ${configsArg}";

		Restart = "always";
		RestartSec = 5;

		# Hardening
		AmbientCapabilities = "";
		CapabilityBoundingSet = [ "" ];
		DevicePolicy = "closed";
		LockPersonality = true;
		MemoryDenyWriteExecute = true;
		NoNewPrivileges = true;
		PrivateDevices = true;
		PrivateTmp = true;
		PrivateUsers = true;
		ProcSubset = "pid";
		ProtectClock = true;
		ProtectControlGroups = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "invisible";
		ProtectSystem = "strict";
		RemoveIPC = true;
		RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
		RestrictNamespaces = true;
		RestrictRealtime = true;
		RestrictSUIDSGID = true;
		SystemCallArchitectures = "native";
		SystemCallFilter = [
		"@system-service"
		"~@privileged"
		"~@resources"
		];
		UMask = "0077";
		};
		};
		};
		}

nixos/tests/all-tests.nix

+1 −1

Original line number	Diff line number	Diff line
		@@ -1117,7 +1117,7 @@ in
		private-gpt = handleTest ./private-gpt.nix { };
		privatebin = runTest ./privatebin.nix;
		privoxy = handleTest ./privoxy.nix { };
		prometheus = handleTest ./prometheus { };
		prometheus = import ./prometheus { inherit runTest; };
		prometheus-exporters = handleTest ./prometheus-exporters.nix { };
		prosody = handleTest ./xmpp/prosody.nix { };
		prosody-mysql = handleTest ./xmpp/prosody-mysql.nix { };

nixos/tests/prometheus/alertmanager-ntfy.nix

0 → 100644

+99 −0

Original line number	Diff line number	Diff line
		{ lib, ... }:

		let
		ports = {
		alertmanager-ntfy = 8000;
		ntfy-sh = 8001;
		alertmanager = 8002;
		};
		in

		{
		name = "alertmanager-ntfy";
		meta.maintainers = with lib.maintainers; [ defelo ];

		nodes.machine = {
		services.prometheus.alertmanager = {
		enable = true;
		listenAddress = "127.0.0.1";
		port = ports.alertmanager;

		configuration = {
		route = {
		receiver = "test";
		group_by = [ "..." ];
		group_wait = "0s";
		group_interval = "1s";
		repeat_interval = "2h";
		};

		receivers = [
		{
		name = "test";
		webhook_configs = [ { url = "http://127.0.0.1:${toString ports.alertmanager-ntfy}/hook"; } ];
		}
		];
		};
		};

		services.prometheus.alertmanager-ntfy = {
		enable = true;
		settings = {
		http.addr = "127.0.0.1:${toString ports.alertmanager-ntfy}";
		ntfy = {
		baseurl = "http://127.0.0.1:${toString ports.ntfy-sh}";
		notification.topic = "alertmanager";
		};
		};
		};

		services.ntfy-sh = {
		enable = true;
		settings = {
		listen-http = "127.0.0.1:${toString ports.ntfy-sh}";
		base-url = "http://127.0.0.1:${toString ports.ntfy-sh}";
		};
		};
		};

		interactive.nodes.machine = {
		services.prometheus.alertmanager.listenAddress = lib.mkForce "0.0.0.0";
		services.prometheus.alertmanager-ntfy.settings.http.addr =
		lib.mkForce "0.0.0.0:${toString ports.alertmanager-ntfy}";
		services.ntfy-sh.settings.listen-http = lib.mkForce "0.0.0.0:${toString ports.ntfy-sh}";
		networking.firewall.enable = false;
		virtualisation.forwardPorts = lib.mapAttrsToList (_: port: {
		from = "host";
		host = { inherit port; };
		guest = { inherit port; };
		}) ports;
		};

		testScript = ''
		import json
		import time

		machine.wait_for_unit("alertmanager.service")
		machine.wait_for_unit("alertmanager-ntfy.service")
		machine.wait_for_unit("ntfy-sh.service")
		machine.wait_for_open_port(${toString ports.alertmanager})
		machine.wait_for_open_port(${toString ports.alertmanager-ntfy})
		machine.wait_for_open_port(${toString ports.ntfy-sh})

		machine.succeed("""curl 127.0.0.1:${toString ports.alertmanager}/api/v2/alerts \
		-X POST -H 'Content-Type: application/json' \
		-d '[{ \
		"labels": {"alertname": "test"},
		"annotations": {"summary": "alert summary", "description": "alert description"} \
		}]'""")

		while not (resp := machine.succeed("curl '127.0.0.1:${toString ports.ntfy-sh}/alertmanager/json?poll=1'")):
		time.sleep(1)

		msg = json.loads(resp)
		assert msg["title"] == "alert summary"
		assert msg["message"] == "alert description"
		assert msg["priority"] == 4
		assert "red_circle" in msg["tags"]
		'';
		}