nixpkgs/nixos/modules/services/monitoring/prometheus/sachet.nix

{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.services.prometheus.sachet;
  configFile = pkgs.writeText "sachet.yml" (builtins.toJSON cfg.configuration);
in
{
  options = {
    services.prometheus.sachet = {
      enable = mkEnableOption (lib.mdDoc "Sachet, an SMS alerting tool for the Prometheus Alertmanager");

      configuration = mkOption {
        type = types.nullOr types.attrs;
        default = null;
        example = literalExpression ''
          {
            providers = {
              twilio = {
                # environment variables gets expanded at runtime
                account_sid = "$TWILIO_ACCOUNT";
                auth_token = "$TWILIO_TOKEN";
              };
            };
            templates = [ ./some-template.tmpl ];
            receivers = [{
              name = "pager";
              provider = "twilio";
              to = [ "+33123456789" ];
              text = "{{ template \"message\" . }}";
            }];
          }
        '';
        description = lib.mdDoc ''
          Sachet's configuration as a nix attribute set.
        '';
      };

      address = mkOption {
        type = types.str;
        default = "localhost";
        description = lib.mdDoc ''
          The address Sachet will listen to.
        '';
      };

      port = mkOption {
        type = types.port;
        default = 9876;
        description = lib.mdDoc ''
          The port Sachet will listen to.
        '';
      };

    };
  };

  config = mkIf cfg.enable {
    assertions = singleton {
      assertion = cfg.configuration != null;
      message = "Cannot enable Sachet without a configuration.";
    };

    systemd.services.sachet = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "network-online.target" ];
      script = ''
        ${pkgs.envsubst}/bin/envsubst -i "${configFile}" > /tmp/sachet.yaml
        exec ${pkgs.prometheus-sachet}/bin/sachet -config /tmp/sachet.yaml -listen-address ${cfg.address}:${builtins.toString cfg.port}
      '';

      serviceConfig = {
        Restart = "always";

        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;

        DynamicUser = true;
        PrivateTmp = true;
        WorkingDirectory = "/tmp/";
      };
    };
  };
}