hosts/VEGAS: add uptime-kuma

2022-04-27 22:08:49 +02:00 · 2022-04-27 22:08:49 +02:00 · fd7ae38e66
commit fd7ae38e66
parent 8c384c69a8
2 changed files with 81 additions and 0 deletions
--- a/hosts/VEGAS/services/uptime-kuma/default.nix
+++ b/hosts/VEGAS/services/uptime-kuma/default.nix
@ -0,0 +1,80 @@
+{ config, inputs, lib, pkgs, tools, ... }:
+
+let
+  inherit (tools.meta) domain;
+
+  flakePkgs = inputs.self.packages.${pkgs.system};
+
+  port = config.portsStr.uptime-kuma;
+
+  dataDir = "/srv/storage/private/uptime-kuma";
+in
+
+{
+  reservePortsFor = [ "uptime-kuma" ];
+
+  users.users.uptime-kuma = {
+    isSystemUser = true;
+    home = "${dataDir}/.home";
+    group = "uptime-kuma";
+  };
+
+  users.groups.uptime-kuma = {};
+
+  systemd.tmpfiles.rules = [
+    "d '${dataDir}' 0700 uptime-kuma uptime-kuma - -"
+  ];
+
+  systemd.services.uptime-kuma = {
+
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      User = "uptime-kuma";
+      Group = "uptime-kuma";
+
+      ProtectSystem = "strict";
+      ReadWritePaths = [ dataDir ];
+      ProtectHome = "tmpfs";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateUsers = true;
+      LockPersonality = true;
+      SystemCallArchitectures = [ "native" ];
+
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+
+      ExecStart = flakePkgs.uptime-kuma + /bin/uptime-kuma;
+    };
+
+
+    environment = {
+      NODE_ENV = "production";
+      DATA_DIR = dataDir;
+      UPTIME_KUMA_HOST = "127.0.0.1";
+      UPTIME_KUMA_PORT = port;
+      UPTIME_KUMA_HIDE_LOG = lib.concatStringsSep "," [
+        "debug_monitor"
+        "info_monitor"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."status.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://127.0.0.1:${port}") {
+    locations = {
+      "/".proxyWebsockets = true;
+      "=/".return = "302 /status/${builtins.replaceStrings ["."] ["-"] domain}";
+    };
+  };
+}
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -37,6 +37,7 @@
      ./services/openvpn
      ./services/sips
      ./services/sso
+      ./services/uptime-kuma
      ./services/vault
      ./services/warehouse
      ./services/websites