nixos/systemd-discord-notifier: init

2 files changed, 76 insertions, 0 deletions

diff --git a/modules/nixos/custom/default.nix b/modules/nixos/custom/default.nix
index 64d99ed..1009cee 100644
--- a/modules/nixos/custom/default.nix
+++ b/modules/nixos/custom/default.nix
@@ -5,6 +5,7 @@
     ./nvd-diff.nix
     ./nvk.nix
     ./remote-builders.nix
+    ./systemd-discord-notifier.nix
     ./victorialogs.nix
   ];
 }
diff --git a/modules/nixos/custom/systemd-discord-notifier.nix b/modules/nixos/custom/systemd-discord-notifier.nix
new file mode 100644
index 0000000..8556695
--- /dev/null
+++ b/modules/nixos/custom/systemd-discord-notifier.nix
@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.systemd-discord-notifier;
+
+  # Add our template unit to each service by default if enabled
+  systemdServicesSubmodule = {
+    config = lib.mkIf cfg.enable {
+      onFailure = lib.mkDefault [ "discord-notify-failure@%N.service" ];
+    };
+  };
+in
+
+{
+  options = {
+    services.systemd-discord-notifier = {
+      enable = lib.mkEnableOption "systemd-discord-notifier";
+
+      content = lib.mkOption {
+        type = lib.types.str;
+        default = "# 🚨 %i.service failed! 🚨";
+        description = "String template for webhook message content.";
+      };
+
+      webhookURLFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = ''
+          Path to a file containing the webhook URL.
+
+          NOTE: This is required.
+          If not set declaratively, use `systemctl edit` and pass a `webhook-url` credential.
+        '';
+        example = "/run/secrets/discordWebhookURL";
+      };
+    };
+
+    systemd.services = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule systemdServicesSubmodule);
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services."discord-notify-failure@" = {
+      description = "Notify of service failures on Discord.";
+
+      after = [ "network.target" ];
+
+      path = [ pkgs.curl ];
+
+      script = ''
+        systemd-creds cat webhook-url | xargs curl -X POST -F "content=$CONTENT"
+      '';
+
+      enableStrictShellChecks = true;
+
+      environment = {
+        CONTENT = cfg.content;
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        # TODO: Why doesn't AssertCredential work with this?
+        LoadCredential = lib.mkIf (cfg.webhookURLFile != null) "webhook-url:${cfg.webhookURLFile}";
+        # TODO: Harden
+        DynamicUser = true;
+      };
+    };
+  };
+}