Set up alertmanager-hookshot-adapter

secrets.nix

@@ -8,6 +8,7 @@ let
     hydra-ssh-key-priv = [ machines.bagel-box ];
     netbox-environment = [ machines.meta01 ];
     mimir-environment = [ machines.meta01 ];
+    mimir-webhook-url = [ machines.meta01 ];
     grafana-oauth-secret = [ machines.meta01 ];
     loki-environment = [ machines.meta01 ];
 

services/monitoring/default.nix

@@ -3,5 +3,6 @@
     ./exporters
     ./lgtm
     ./agent.nix
+    ./hookshot-adapter
   ];
 }

services/monitoring/hookshot-adapter/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.bagel.services.alertmanager-hookshot-adapter;
+  inherit (lib) mkEnableOption mkIf;
+  package = pkgs.callPackage ./package.nix {};
+in
+{
+  options.bagel.services.alertmanager-hookshot-adapter.enable = mkEnableOption "alertmanager to matrix-hookshot adapter";
+
+  config = mkIf cfg.enable {
+    systemd.services.alertmanager-hookshot-adapter = {
+      wantedBy = ["multi-user.target"];
+      wants = ["network-online.target"];
+      after = ["network-online.target"];
+      environment = {
+        PORT = "9100";
+        UPSTREAM = "https://alerts.forkos.org/webhook";
+      };
+      serviceConfig = {
+        ExecStart = lib.getExe package;
+        DynamicUser = true;
+      };
+    };
+  };
+}

services/monitoring/hookshot-adapter/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "alertmanager-hookshot-adapter",
+  "version": "1.0.0",
+  "description": "Adapter between alertmanager webhooks and the Matrix Hookshot Apapter",
+  "main": "index.ts",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hm-edu/alertmanager-hookshot-adapter"
+  },
+  "dependencies": {
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.11.20",
+    "dotenv": "^16.4.5",
+    "express": "^4.18.2",
+    "node-fetch": "^3.3.2",
+    "typescript": "^5.3.3",
+    "winston": "^3.13.0"
+  },
+  "scripts": {
+    "build": "npx tsc"
+  }
+}

services/monitoring/hookshot-adapter/package.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  mkYarnPackage,
+  fetchFromGitHub,
+  fetchYarnDeps,
+  makeWrapper,
+  nodejs,
+}:
+
+mkYarnPackage rec {
+  pname = "alertmanager-hookshot-adapter";
+  version = "1.9.1";
+
+  src = fetchFromGitHub {
+    owner = "hm-edu";
+    repo = "alertmanager-hookshot-adapter";
+    rev = "v${version}";
+    hash = "sha256-KTk70zFA1tymmR8AYrAl2XIyA+SPs5Uksd6Z3kvUb+o=";
+  };
+
+  packageJSON = ./package.json;
+
+  offlineCache = fetchYarnDeps {
+    yarnLock = "${src}/yarn.lock";
+    hash = "sha256-LU25cXB+0DdcHRzKQ1hjQIVntarqPOUXZTgcw6lvLRM=";
+  };
+
+  buildPhase = ''
+    yarn build
+  '';
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postInstall = ''
+    makeWrapper ${lib.getExe nodejs} $out/bin/alertmanager-hookshot-adapter \
+      --add-flags $out/libexec/alertmanager-hookshot-adapter/deps/alertmanager-hookshot-adapter/dist/index.js
+  '';
+
+  meta.mainProgram = "alertmanager-hookshot-adapter";
+}

services/monitoring/lgtm/mimir.nix

@@ -20,6 +20,7 @@ in
         owner = "nginx";
       };
       mimir-environment.file = ../../../secrets/mimir-environment.age;
+      mimir-webhook-url.file = ../../../secrets/mimir-webhook-url.age;
     };
 
     services.mimir = {
@@ -68,6 +69,11 @@ in
             receivers = [
               {
                 name = "matrix";
+                webhook_configs = [{
+                  # Mimir can't expand environment variables in external config files,
+                  # so work around it. 
+                  url_file = "/run/credentials/mimir.service/webhook-url";
+                }];
               }
             ];
           };
@@ -78,7 +84,10 @@ in
       };
     };
 
-    systemd.services.mimir.serviceConfig.EnvironmentFile = [ config.age.secrets.mimir-environment.path ];
+    systemd.services.mimir.serviceConfig = {
+      EnvironmentFile = [ config.age.secrets.mimir-environment.path ];
+      LoadCredential = [ "webhook-url:${config.age.secrets.mimir-webhook-url.path}" ];
+    };
 
     services.nginx.virtualHosts."mimir.forkos.org" = {
       enableACME = true;
@@ -90,5 +99,6 @@ in
     };
 
     bagel.monitoring.grafana-agent.exporters.mimir.port = 9009;
+    bagel.services.alertmanager-hookshot-adapter.enable = true;
   };
 }