grafana-to-ntfy conf

2025-08-24 01:23:15 -05:00 · 2025-08-24 01:23:15 -05:00 · 03c2ff373d
commit 03c2ff373d
parent 02596b8624
3 changed files with 75 additions and 20 deletions
--- a/lxc-metrics.nix
+++ b/lxc-metrics.nix
@ -1,4 +1,10 @@
-{ config, inputs, pkgs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:

 {
  imports = [
@ -11,9 +17,10 @@
      ip4 = "192.168.0.6";
    };

-    # environment.systemPackages = with pkgs; [
+    environment.systemPackages = with pkgs; [
+      grafana-to-ntfy
+    ];

-    # ]
    networking.extraHosts = ''
      192.168.0.2    xalicas
      192.168.0.3    proxmox
@ -39,21 +46,66 @@
      };
    };

+    ## grafana-to-ntfy config is broken in nixpkgs, so we hardcode our own
+    systemd.services.grafana-to-ntfy = {
+      wantedBy = [ "multi-user.target" ];
+      script = "exec ${lib.getExe pkgs.grafana-to-ntfy}";
+      environment = {
+        NTFY_URL = "https://ntfy.sh/99ecef2d-05c1-4e73-9cc5-c9a1e6d0adf0";
+        BAUTH_USER = "grafana";
+        BAUTH_PASS = "grafana";
+      };
+      serviceConfig = {
+        DynamicUser = true;
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = "";
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        UMask = "0077";
+      };
+    };
+
    services.prometheus = {
      enable = true;
      port = 9001;
      scrapeConfigs = [
-        { job_name = "nodes";
-          static_configs = [{
-            targets = [
-              "xalicas:9100"
-              "proxmox:9100"
-              "craft01:9100"
-              "lab01:9100"
-              "127.0.0.1:9100"
-              "unifi:9100"
-            ];
-          }];
+        {
+          job_name = "nodes";
+          static_configs = [
+            {
+              targets = [
+                "xalicas:9100"
+                "proxmox:9100"
+                "craft01:9100"
+                "lab01:9100"
+                "127.0.0.1:9100"
+                "unifi:9100"
+              ];
+            }
+          ];
        }
      ];
    };