feat(grafana): Use ntfy for alerts instead of matrix-hookshot

2025-11-30 15:53:28 +08:00 · 2025-11-30 15:53:28 +08:00 · 4b9da36a25
commit 4b9da36a25
parent 642dad3afa
6 changed files with 18 additions and 190 deletions
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@ -12,10 +12,7 @@ let
  turn-realm = "turn.${config.services.nginx.domain}";
 in
 {
-  imports = [
+  imports = [ ./heisenbridge.nix ];
    ./heisenbridge.nix
    ./matrix-hookshot.nix
  ];
  networking.firewall = {
    allowedTCPPorts = [
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@ -1,172 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  matrixLib = pkgs.callPackage ./lib.nix { };
  cfg = config.services.matrix-hookshot;
  conduitCfg = config.services.matrix-conduit;
  domain = conduitCfg.settings.global.server_name;
  registration = matrixLib.writeRegistrationScript {
    id = "matrix-hookshot";
    url = "http://127.0.0.1:9993";
    sender_localpart = "hookshot";
    namespaces = {
      aliases = [ ];
      rooms = [ ];
      users = [
        {
          regex = "@${cfg.settings.generic.userIdPrefix}.*:${domain}";
          exclusive = true;
        }
      ];
    };
    # Encryption support
    # TODO(tlater): Enable when
    # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
    # fixed
    # extraSettings = {
    #   "de.sorunome.msc2409.push_ephemeral" = true;
    #   push_ephemeral = true;
    #   "org.matrix.msc3202" = true;
    # };
    runtimeRegistration = "${cfg.registrationFile}";
  };
 in
 {
  # users = {
  #   users.matrix-hookshot = {
  #     home = "/run/matrix-hookshot";
  #     group = "matrix-hookshot";
  #     isSystemUser = true;
  #   };
  #   groups.matrix-hookshot = { };
  # };
  systemd.services.matrix-hookshot = {
    serviceConfig = {
      Type = lib.mkForce "exec";
      LoadCredential = "matrix-hookshot:/run/secrets/matrix-hookshot";
      inherit (registration) ExecStartPre;
      # Some library in matrix-hookshot wants a home directory
      Environment = [ "HOME=/run/matrix-hookshot" ];
      # User = "matrix-hookshot";
      DynamicUser = true;
      StateDirectory = "matrix-hookshot";
      RuntimeDirectory = "matrix-hookshot";
      RuntimeDirectoryMode = "0700";
      RestrictNamespaces = true;
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [
        # "AF_UNIX"
        "AF_INET"
        "AF_INET6"
      ];
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      UMask = 77;
    };
  };
  # services.redis.servers.matrix-hookshot = {
  #   enable = true;
  #   user = "matrix-hookshot";
  # };
  services.matrix-hookshot = {
    enable = true;
    serviceDependencies = [ "conduit.service" ];
    registrationFile = "/run/matrix-hookshot/registration.yaml";
    settings = {
      bridge = {
        inherit domain;
        url = "http://localhost:${toString conduitCfg.settings.global.port}";
        mediaUrl = conduitCfg.settings.global.well_known.client;
        port = 9993;
        bindAddress = "127.0.0.1";
      };
      bot.displayname = "Hookshot";
      # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}";
      generic = {
        enabled = true;
        outbound = false;
        # Only allow webhooks from localhost for the moment
        urlPrefix = "http://127.0.0.1:9000/webhook";
        userIdPrefix = "_webhooks_";
        allowJsTransformationFunctions = true;
      };
      # TODO(tlater): Enable when
      # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
      # fixed
      # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";
      permissions = [
        {
          actor = "matrix.tlater.net";
          services = [
            {
              service = "*";
              level = "notifications";
            }
          ];
        }
        {
          actor = "@tlater:matrix.tlater.net";
          services = [
            {
              service = "*";
              level = "admin";
            }
          ];
        }
      ];
      listeners = [
        {
          port = 9000;
          resources = [ "webhooks" ];
        }
        {
          port = 9001;
          resources = [ "metrics" ];
        }
      ];
      metrics.enabled = true;
    };
  };
  sops.secrets = {
    # Accessed via systemd cred through /run/secrets/matrix-hookshot
    "matrix-hookshot/as-token" = { };
    "matrix-hookshot/hs-token" = { };
  };
 }
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -57,6 +57,19 @@ in
          access = "proxy";
        }
      ];
      alerting.contactPoints.settings.contactPoints = [
        {
          name = "ntfy";
          receivers = [
            {
              uid = "ntfy";
              type = "webhook";
              settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana";
            }
          ];
        }
      ];
    };
  };
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@ -89,10 +89,6 @@ in
        "127.0.0.1:8082"
      ];
      # Configured in the hookshot listeners, but it's hard to filter
      # the correct values out of that config.
      matrixHookshot.targets = [ "127.0.0.1:9001" ];
      victorialogs.targets = [ config.services.victorialogs.bindAddress ];
    };
  };
--- a/keys/production.yaml
+++ b/keys/production.yaml
@ -20,9 +20,6 @@ steam:
 heisenbridge:
    as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
    hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
 matrix-hookshot:
    as-token: ENC[AES256_GCM,data:nXTanPhDyDF7R3AllLqpM5dzljBrHwlh1KJnTGIi5PhbDY2lPj4+uXkMEwvm1u+hQjPyM7vKZPfK+0/dms6Y7A==,iv:fSakJN+yai0gfOJKFxxaxgyUtk0pNmIeqVgrdq92/24=,tag:Qc7+SUnm5/Nq5+QIScR9kQ==,type:str]
    hs-token: ENC[AES256_GCM,data:Bwyj0JTTN0NNnwOs1zA8CqbtZSNcvlINeT7QVc2eJiHda92J6vQk7bSxy6KuqCN9DxlUsK13ggYjNORY2vic5w==,iv:Npnp8arYQ3Yb6CXrnKgE03hD7ZjGINPa/DwFI8D+5tA=,tag:FqNE6yI0nF4puEUw9MGAjQ==,type:str]
 wireguard:
    server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str]
 restic:
@ -32,8 +29,8 @@ turn:
    env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
    secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
 sops:
-    lastmodified: "2025-11-29T14:52:24Z"
+    lastmodified: "2025-12-01T11:39:17Z"
-    mac: ENC[AES256_GCM,data:RC18s48jxRFQMtbmu74P7G4uhm2yHk9TB0wN7z4g8SNE3nfkYMvHAJqPr3A3dO+T33zkTFcSRm7fhWItUahTCW3fO10u6kDvWbnyjlSuAy86Tkz2iqeW4iSOzKswDptAgb/B+juAHhEMxDnkG5vpPlIcD0SVP89NlflXftogOqw=,iv:2vN2TJvzePzBJfUeBxvGXwGmRsB5sopqyWm9uUv/rzA=,tag:C6UOWrUxVsRMFncL1y1eTQ==,type:str]
+    mac: ENC[AES256_GCM,data:TwhGOW/V9/IoBifzh1MSwy/ff7ONTnxEmwERD8Yl2E27WG/6dTVz0/nIlZ8KsEKLC6vB2m+sJT+14Q9KCj4Cn/bWV1PmhytktGPxLQpgF55+pZlSK1aLUPLq0hwE93b4MAeOvzoOXtCQguh1dsB2RkinabFoMeZ2xJ7Kc+jHlfA=,iv:Ri8aEA4tssGDv2UuKeza8vs94IovM9GARLIEapb9Ya0=,tag:MDgAffj7ndmMwpw7mBXNRg==,type:str]
    pgp:
        - created_at: "2025-10-03T21:38:48Z"
          enc: |-
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@ -21,9 +21,6 @@ steam:
 heisenbridge:
    as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
    hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
 matrix-hookshot:
    as-token: ENC[AES256_GCM,data:uSUOo4f2KqA=,iv:Xb9G8Ecv6m59m51kDw2bOfq3SMJt4g9/6/EdH74R+KM=,tag:K9MSfO2c2Y4rlf0eYrmTnw==,type:str]
    hs-token: ENC[AES256_GCM,data:0KsyA06InL4=,iv:zAR0Y1fk8SyodcSLBHlQ8I+BAmttz9Hkd8Q3OREFqs4=,tag:t1Et8N/3seq95DeGoUd7Sw==,type:str]
 wireguard:
    server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
 restic:
@ -33,8 +30,8 @@ turn:
    env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
    secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
 sops:
-    lastmodified: "2025-11-29T11:54:33Z"
+    lastmodified: "2025-12-01T11:39:26Z"
-    mac: ENC[AES256_GCM,data:SaTvwxfARVou/ZjrWfdC8J6je8l89Zuumdz7PkmY2Tl2CQVxZmEt4AyV4bWiCtWhJmfH1Qa8m4Q+DyqimjapgYT5cUB1yxlknp233bB/+5C5k3KozU2hmh80KYgR496FtQvI74p0qw/lw00CGCR3WHNcIc0dbTiDzC90HlOpafg=,iv:vxMCAjpgyWvxk18LalmFhwOb5b2ThCDq1KTaX2OPvpM=,tag:QMA+tC4hs/FBnuVDye38Vg==,type:str]
+    mac: ENC[AES256_GCM,data:11VQAYk8Am0k8OO6BtU17qpuEhcJ8ylRhJWQNHVAsmi5BCFjD1zU3NkWhtSstPrBcqHMenG+9XuEzpNnbccHI2ru0qlILsQvNj5OKo96FnvYtzApYlApoAzOetCx08Lfxa4RGLN/XCUSuccjBIU2PZRWEK+z+Cm1wHUFeqc1xPc=,iv:6y9j55Cld+GoOVGWAqsEgURRna6dHA2mGZwHVA+ZOE8=,tag:bSZi3nYmYrn3nFT2+RBPUQ==,type:str]
    pgp:
        - created_at: "2025-10-03T21:38:26Z"
          enc: |-