NixOS
diff --git a/‎nixos/doc/manual/release-notes/rl-2505.section.md‎
Lines changed: 2 additions & 0 deletions b/‎nixos/doc/manual/release-notes/rl-2505.section.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎nixos/modules/module-list.nix‎
Lines changed: 1 addition & 0 deletions b/‎nixos/modules/module-list.nix‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎nixos/modules/services/monitoring/prometheus/alertmanager-ntfy.nix‎
Lines changed: 201 additions & 0 deletions b/‎nixos/modules/services/monitoring/prometheus/alertmanager-ntfy.nix‎
Lines changed: 201 additions & 0 deletions
diff --git a/‎nixos/tests/all-tests.nix‎
Lines changed: 1 addition & 1 deletion b/‎nixos/tests/all-tests.nix‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎nixos/tests/prometheus/alertmanager-ntfy.nix‎
Lines changed: 99 additions & 0 deletions b/‎nixos/tests/prometheus/alertmanager-ntfy.nix‎
Lines changed: 99 additions & 0 deletions
@@ -166,6 +166,8 @@
 
 - [OliveTin](https://www.olivetin.app/), gives safe and simple access to predefined shell commands from a web interface. Available as [services.olivetin](#opt-services.olivetin.enable).
 
+- [alertmanager-ntfy](https://github.com/alexbakker/alertmanager-ntfy), forwards Prometheus Alertmanager notifications to ntfy.sh. Available as [services.prometheus.alertmanager-ntfy](#opt-services.prometheus.alertmanager-ntfy.enable).
+
 - [Stash](https://github.com/stashapp/stash), An organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable).
 
 - [vsmartcard-vpcd](https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html), a virtual smart card driver. Available as [services.vsmartcard-vpcd](#opt-services.vsmartcard-vpcd.enable).
 
@@ -985,6 +985,7 @@
   ./services/monitoring/pgscv.nix
   ./services/monitoring/prometheus/alertmanager-gotify-bridge.nix
   ./services/monitoring/prometheus/alertmanager-irc-relay.nix
+  ./services/monitoring/prometheus/alertmanager-ntfy.nix
   ./services/monitoring/prometheus/alertmanager-webhook-logger.nix
   ./services/monitoring/prometheus/alertmanager.nix
   ./services/monitoring/prometheus/default.nix
 
@@ -0,0 +1,201 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.prometheus.alertmanager-ntfy;
+
+  settingsFormat = pkgs.formats.yaml { };
+  settingsFile = settingsFormat.generate "settings.yml" cfg.settings;
+
+  configsArg = lib.concatStringsSep "," (
+    [ settingsFile ] ++ lib.imap0 (i: _: "%d/config-${toString i}.yml") cfg.extraConfigFiles
+  );
+in
+
+{
+  meta.maintainers = with lib.maintainers; [ defelo ];
+
+  options.services.prometheus.alertmanager-ntfy = {
+    enable = lib.mkEnableOption "alertmanager-ntfy";
+
+    package = lib.mkPackageOption pkgs "alertmanager-ntfy" { };
+
+    settings = lib.mkOption {
+      description = ''
+        Configuration of alertmanager-ntfy.
+        See <https://github.com/alexbakker/alertmanager-ntfy> for more information.
+      '';
+      default = { };
+
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+
+        options = {
+          http.addr = lib.mkOption {
+            type = lib.types.str;
+            description = "The address to listen on.";
+            default = "127.0.0.1:8000";
+            example = ":8000";
+          };
+
+          ntfy = {
+            baseurl = lib.mkOption {
+              type = lib.types.str;
+              description = "The base URL of the ntfy.sh instance.";
+              example = "https://ntfy.sh";
+            };
+
+            notification = {
+              topic = lib.mkOption {
+                type = lib.types.str;
+                description = ''
+                  The topic to which alerts should be published.
+                  Can either be a hardcoded string or a gval expression that evaluates to a string.
+                '';
+                example = "alertmanager";
+              };
+
+              priority = lib.mkOption {
+                type = lib.types.str;
+                description = ''
+                  The ntfy.sh message priority (see <https://docs.ntfy.sh/publish/#message-priority> for more information).
+                  Can either be a hardcoded string or a gval expression that evaluates to a string.
+                '';
+                default = ''status == "firing" ? "high" : "default"'';
+              };
+
+              tags = lib.mkOption {
+                type = lib.types.listOf (
+                  lib.types.submodule {
+                    options = {
+                      tag = lib.mkOption {
+                        type = lib.types.str;
+                        description = ''
+                          The tag to add.
+                          See <https://docs.ntfy.sh/emojis> for a list of all supported emojis.
+                        '';
+                        example = "rotating_light";
+                      };
+
+                      condition = lib.mkOption {
+                        type = lib.types.nullOr lib.types.str;
+                        description = ''
+                          The condition under which this tag should be added.
+                          Tags with no condition are always included.
+                        '';
+                        default = null;
+                        example = ''status == "firing"'';
+                      };
+                    };
+                  }
+                );
+                description = ''
+                  Tags to add to ntfy.sh messages.
+                  See <https://docs.ntfy.sh/publish/#tags-emojis> for more information.
+                '';
+                default = [
+                  {
+                    tag = "green_circle";
+                    condition = ''status == "resolved"'';
+                  }
+                  {
+                    tag = "red_circle";
+                    condition = ''status == "firing"'';
+                  }
+                ];
+              };
+
+              templates = {
+                title = lib.mkOption {
+                  type = lib.types.str;
+                  description = "The ntfy.sh message title template.";
+                  default = ''
+                    {{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}
+                  '';
+                };
+
+                description = lib.mkOption {
+                  type = lib.types.str;
+                  description = "The ntfy.sh message description template.";
+                  default = ''
+                    {{ index .Annotations "description" }}
+                  '';
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+
+    extraConfigFiles = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [ ];
+      example = [ "/run/secrets/alertmanager-ntfy.yml" ];
+      description = ''
+        Config files to merge into the settings defined in [](#opt-services.prometheus.alertmanager-ntfy.settings).
+        This is useful to avoid putting secrets into the Nix store.
+        See <https://github.com/alexbakker/alertmanager-ntfy> for more information.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.alertmanager-ntfy = {
+      wantedBy = [ "multi-user.target" ];
+
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+
+      serviceConfig = {
+        User = "alertmanager-ntfy";
+        Group = "alertmanager-ntfy";
+        DynamicUser = true;
+
+        LoadCredential = lib.imap0 (i: path: "config-${toString i}.yml:${path}") cfg.extraConfigFiles;
+
+        ExecStart = "${lib.getExe cfg.package} --configs ${configsArg}";
+
+        Restart = "always";
+        RestartSec = 5;
+
+        # Hardening
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = [ "" ];
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
+      };
+    };
+  };
+}
@@ -1117,7 +1117,7 @@ in
   private-gpt = handleTest ./private-gpt.nix { };
   privatebin = runTest ./privatebin.nix;
   privoxy = handleTest ./privoxy.nix { };
-  prometheus = handleTest ./prometheus { };
+  prometheus = import ./prometheus { inherit runTest; };
   prometheus-exporters = handleTest ./prometheus-exporters.nix { };
   prosody = handleTest ./xmpp/prosody.nix { };
   prosody-mysql = handleTest ./xmpp/prosody-mysql.nix { };
 
@@ -0,0 +1,99 @@
+{ lib, ... }:
+
+let
+  ports = {
+    alertmanager-ntfy = 8000;
+    ntfy-sh = 8001;
+    alertmanager = 8002;
+  };
+in
+
+{
+  name = "alertmanager-ntfy";
+  meta.maintainers = with lib.maintainers; [ defelo ];
+
+  nodes.machine = {
+    services.prometheus.alertmanager = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = ports.alertmanager;
+
+      configuration = {
+        route = {
+          receiver = "test";
+          group_by = [ "..." ];
+          group_wait = "0s";
+          group_interval = "1s";
+          repeat_interval = "2h";
+        };
+
+        receivers = [
+          {
+            name = "test";
+            webhook_configs = [ { url = "http://127.0.0.1:${toString ports.alertmanager-ntfy}/hook"; } ];
+          }
+        ];
+      };
+    };
+
+    services.prometheus.alertmanager-ntfy = {
+      enable = true;
+      settings = {
+        http.addr = "127.0.0.1:${toString ports.alertmanager-ntfy}";
+        ntfy = {
+          baseurl = "http://127.0.0.1:${toString ports.ntfy-sh}";
+          notification.topic = "alertmanager";
+        };
+      };
+    };
+
+    services.ntfy-sh = {
+      enable = true;
+      settings = {
+        listen-http = "127.0.0.1:${toString ports.ntfy-sh}";
+        base-url = "http://127.0.0.1:${toString ports.ntfy-sh}";
+      };
+    };
+  };
+
+  interactive.nodes.machine = {
+    services.prometheus.alertmanager.listenAddress = lib.mkForce "0.0.0.0";
+    services.prometheus.alertmanager-ntfy.settings.http.addr =
+      lib.mkForce "0.0.0.0:${toString ports.alertmanager-ntfy}";
+    services.ntfy-sh.settings.listen-http = lib.mkForce "0.0.0.0:${toString ports.ntfy-sh}";
+    networking.firewall.enable = false;
+    virtualisation.forwardPorts = lib.mapAttrsToList (_: port: {
+      from = "host";
+      host = { inherit port; };
+      guest = { inherit port; };
+    }) ports;
+  };
+
+  testScript = ''
+    import json
+    import time
+
+    machine.wait_for_unit("alertmanager.service")
+    machine.wait_for_unit("alertmanager-ntfy.service")
+    machine.wait_for_unit("ntfy-sh.service")
+    machine.wait_for_open_port(${toString ports.alertmanager})
+    machine.wait_for_open_port(${toString ports.alertmanager-ntfy})
+    machine.wait_for_open_port(${toString ports.ntfy-sh})
+
+    machine.succeed("""curl 127.0.0.1:${toString ports.alertmanager}/api/v2/alerts \
+      -X POST -H 'Content-Type: application/json' \
+      -d '[{ \
+        "labels": {"alertname": "test"},
+        "annotations": {"summary": "alert summary", "description": "alert description"} \
+      }]'""")
+
+    while not (resp := machine.succeed("curl '127.0.0.1:${toString ports.ntfy-sh}/alertmanager/json?poll=1'")):
+      time.sleep(1)
+
+    msg = json.loads(resp)
+    assert msg["title"] == "alert summary"
+    assert msg["message"] == "alert description"
+    assert msg["priority"] == 4
+    assert "red_circle" in msg["tags"]
+  '';
+}