80 lines
1.8 KiB
Nix
80 lines
1.8 KiB
Nix
{ config, inputs, lib, pkgs, tools, ... }:
|
|
|
|
let
|
|
inherit (tools.meta) domain;
|
|
|
|
flakePkgs = inputs.self.packages.${pkgs.system};
|
|
|
|
port = config.portsStr.uptime-kuma;
|
|
|
|
dataDir = "/srv/storage/private/uptime-kuma";
|
|
in
|
|
|
|
{
|
|
reservePortsFor = [ "uptime-kuma" ];
|
|
|
|
users.users.uptime-kuma = {
|
|
isSystemUser = true;
|
|
home = "${dataDir}/.home";
|
|
group = "uptime-kuma";
|
|
};
|
|
|
|
users.groups.uptime-kuma = {};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d '${dataDir}' 0700 uptime-kuma uptime-kuma - -"
|
|
];
|
|
|
|
systemd.services.uptime-kuma = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
User = "uptime-kuma";
|
|
Group = "uptime-kuma";
|
|
|
|
ProtectSystem = "strict";
|
|
ReadWritePaths = [ dataDir ];
|
|
ProtectHome = "tmpfs";
|
|
RestrictAddressFamilies = [
|
|
"AF_INET"
|
|
"AF_INET6"
|
|
"AF_NETLINK"
|
|
];
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
LockPersonality = true;
|
|
SystemCallArchitectures = [ "native" ];
|
|
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
|
|
ExecStart = flakePkgs.uptime-kuma + /bin/uptime-kuma;
|
|
};
|
|
|
|
|
|
environment = {
|
|
NODE_ENV = "production";
|
|
DATA_DIR = dataDir;
|
|
UPTIME_KUMA_HOST = "127.0.0.1";
|
|
UPTIME_KUMA_PORT = port;
|
|
UPTIME_KUMA_HIDE_LOG = lib.concatStringsSep "," [
|
|
"debug_monitor"
|
|
"info_monitor"
|
|
];
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."status.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://127.0.0.1:${port}") {
|
|
locations = {
|
|
"/".proxyWebsockets = true;
|
|
"=/".return = "302 /status/${builtins.replaceStrings ["."] ["-"] domain}";
|
|
};
|
|
};
|
|
}
|