From ffa6d5eb82c3f71cfaf60c98dfc3d82276497ac5 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 29 Feb 2024 16:48:59 +0100 Subject: flora: monit via ntfy sh so it turns out ntfy can run a little smtp server, which monit can send its alerts to, resulting in a halfway okayish monitoring setup. It doesn't even require mucking about with `sendmail'! Downside: this is still monit. Upside: from what I've heard, the other monitoring tools don't actually seem to be all that much better? Now I only have to come up with reasonable checks for the stuff I want to actually keep an eye on …
---
 flora/configuration.nix | 1 + flora/services/monit.nix | 32 ++++++++++++++++++++++++++++++++ flora/services/ntfy.nix | 7 +++++++ secrets/flora.yaml | 8 +++++--- 4 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 flora/services/monit.nix
diff --git a/flora/configuration.nix b/flora/configuration.nix
index 9f2eb82..40cd3a5 100644
--- a/flora/configuration.nix
+++ b/flora/configuration.nix
@@ -12,6 +12,7 @@
 ./services/element.nix ./services/ntfy.nix ./services/murmur.nix
+ ./services/monit.nix
 ]; # Use the GRUB 2 boot loader.
diff --git a/flora/services/monit.nix b/flora/services/monit.nix
new file mode 100644
index 0000000..c8f7b3f
--- /dev/null
+++ b/flora/services/monit.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # includes mail address, which includes ntfy token
+ sops.secrets."monit/mail" = {};
+
+ services.monit = {
+ enable = true;
+
+ config = ''
+ include /run/secrets/monit/mail
+
+ set daemon 120 with start delay 60
+ set mailserver
+ localhost
+ port 2525
+
+ set httpd port 2812 and use address localhost
+ allow localhost
+ allow admin:obwjoawijerfoijsiwfj29jf2f2jd
+
+ check filesystem root with path /
+ if space usage > 80% then alert
+ if inode usage > 80% then alert
+
+ check host stuebinm.eu with address stuebinm.eu
+ if failed
+ port 443 protocol https
+ then alert
+ '';
+ };
+}
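Review bot: The `allow admin:…` line in the `set httpd` stanza of flora/services/monit.nix puts the monit web-interface password in plain text into `services.monit.config`, so it is committed to the repository and most likely also ends up in the world-readable Nix store, while the mail address a few lines above is kept in sops. Because `allow` belongs to the `set httpd` statement, the whole stanza would have to move into a secret of its own, for example `sops.secrets."monit/httpd" = {};` together with `include /run/secrets/monit/httpd` in the config string (the secret name here is only a suggestion). The value shown in this commit should be treated as disclosed and replaced when it is moved. The interface is bound to `localhost`, which limits who can reach it but does not make the credential private to other local users.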
diff --git a/flora/services/ntfy.nix b/flora/services/ntfy.nix index cda212d..45dcb3c 100644 --- a/flora/services/ntfy.nix +++ b/flora/services/ntfy.nix @@ -10,6 +10,9 @@ listen-unix = "/run/ntfy-sh/ntfy.sock"; listen-unix-mode = 511; ## lossy nix->yaml conversion eats octal literals (equal to 0777) + smtp-server-listen = ":2525"; + smtp-server-domain = "ping.stuebinm.eu"; + auth-file = "/var/lib/ntfy-sh/user.db"; auth-default-access = "deny-all"; @@ -32,4 +35,8 @@ RuntimeDirectory = [ "ntfy-sh" ]; }; }; + + environment.etc."ntfy/client.yml".text = '' + default-host: https://ping.stuebinm.eu + ''; } diff --git a/secrets/flora.yaml b/secrets/flora.yaml index ca2db83..83daec0 100644 --- a/secrets/flora.yaml +++ b/secrets/flora.yaml @@ -4,6 +4,8 @@ akkoma: keyBase: ENC[AES256_GCM,data:E9jPxP8Hg3civkyqHYPdAizisq/Oxw1zHsOmN0XvzPcKlX63ov3Akb1EFGsNqDBoSwTXtMoQk305cMB6VPLqmw==,iv:5c5W83leUmwy3w0dDvkWNdS7JWeseuxEnQc7f98O3bg=,tag:xz5JtAzvqSlkS6FKd8hVhw==,type:str] signingSalt: ENC[AES256_GCM,data:/htaDciCAhI=,iv:MV4vYD+qaNBicKZEmYffGfTqE2AQgfUdQVjTrLGPMck=,tag:/Of2A9X2QeE6k4lHwWKcOQ==,type:str] jokenDefaultSigner: ENC[AES256_GCM,data:1Wl/N58oiGiGeBHSkJPqLeHOyBmVgLGshAmTyi2H8cu7w/tIHMxW2sd11hhzyq2FCNVsL3Bi+yXgydG7uCl5yw==,iv:criEzJfQMsAUZ7tnIQvr9HOqn7NjBBzXL+rFAgzohPY=,tag:+izDkiUEfwD1+Ym2OuZRnA==,type:str] +monit: + mail: ENC[AES256_GCM,data:wq+xDelBsyIZRJY0GHrZGPWCF0deLZRZxrU89M93hK1zUIeWP6i7xO3dgKE/A5OAGa350Zbj5v9QTieNFHiGqr9g,iv:APUuS3s+t4VPz24Ppen3u+LFSv+GqO49j9Mq77Mb3lQ=,tag:rNVJGN/lnCuq9Km8lZTkLw==,type:str] sops: kms: [] gcp_kms: [] 
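Review bot: `smtp-server-listen = ":2525"` in the first hunk of flora/services/ntfy.nix binds ntfy's SMTP listener on every interface, although the only sender this commit sets up is monit connecting to `localhost` port 2525. If accepting mail from other hosts is not intended, bind it to loopback with `smtp-server-listen = "127.0.0.1:2525";`. As written, the listener's exposure depends on the host firewall and on `auth-default-access = "deny-all"` together with the token in the recipient address. The enclosing settings attribute set starts and ends outside this hunk, so any further restriction on the listener is not visible here.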
@@ -28,8 +30,8 @@ sops: SEx0Y2tsaGtkV3dMd0t0ejl3WVkwOW8KTpb14yYJ1bOeLquOrmworNqiwYoZSYiQ LkLkXKSGf6T3BrL0t0bM3fgwSQN3k92GGsEZzY7I2hhxZoNXGBOaKg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-11T16:27:36Z" - mac: ENC[AES256_GCM,data:jDwXDqpcX8eaYkVsHAt9rEVoavFCXF16YJV4QkjREy24f7c52pIqbOQ3RYcslyXjGWz0MCgUQ6B2w1MOvY6+xIF+dqPf1sSM5jnbazr9iyvhPIdlKWWq8MXHJEPDqC71ZkfGrPCboZmuZit2lWPu+czalZP/Dcm7bJexEsr2NZs=,iv:DVbxbYbgWNCTCgVKs3SvUCiDF0C9Av/OyrlGQHXW8WE=,tag:zwXtxzc6T8QO1T/esyDkNQ==,type:str] + lastmodified: "2024-02-29T15:29:35Z" + mac: ENC[AES256_GCM,data:kQ6+O8Ar7qnRTpuQauxngXvt+KlyqdFw85vjXPQ63vqVKWCrODlTJXD5saC2WQdMuMF3UfPLru1a35TyXxobu+MlvTadVpqUEtRZjtjhAydEA7+HEyvo+pUlmrm+LCrX3ajKhqlbobUE4kdHg0A2BYOlWIPq9CHtvwAC92R7De4=,iv:Gk5hgwEh4D1QLkiVaMRgcnyS2/F1mK/MpSMYjPaVL7U=,tag:noGbtmNC1yTDzUycML3Mpg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 -- cgit v1.2.3