fix(gatus): permission to ping

modules/nixos/gatus.nix

@@ -4,7 +4,7 @@
   pkgs,
   ...
 }: let
-  inherit (lib.options) mkOption;
+  inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkMerge mkForce;
   inherit (lib.attrsets) attrValues;
   inherit (lib.lists) length unique;
@@ -211,6 +211,10 @@ in {
       };
     };
   in with types; {
+    hardening = {
+      enable = mkEnableOption "sandbox and harden service";
+      icmp.enable = mkEnableOption "needed for ICMP probes";
+    };
     user = mkOption {
       type = nullOr str;
       default = null;
@@ -236,11 +240,44 @@ in {
       }
     ];
     conf.systemd.services.gatus = {
-      serviceConfig.User = mkIf (cfg.user != null) (mkForce cfg.user);
+      serviceConfig = mkMerge [
+        serviceConfig
+        (mkIf cfg.hardening.enable serviceConfig'hardening)
+      ];
     };
     serviceConf = {
       services.gatus.settings.endpoints = mkIf (cfg.endpoints != {}) (attrValues cfg.endpoints);
     };
+    serviceConfig = {
+      User = mkIf (cfg.user != null) (mkForce cfg.user);
+
+      AmbientCapabilities = mkIf cfg.hardening.icmp.enable ["CAP_NET_RAW"];
+    };
+    serviceConfig'hardening = {
+      DevicePolicy = "closed";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      UMask = "0077";
+    };
   in mkMerge [
     (mkIf cfg.enable conf)
     serviceConf

modules/system/exports/monitoring.nix

@@ -258,6 +258,10 @@ in
           // {
             default = config.access.online.enable;
           };
+        displayName = mkOption {
+          type = str;
+          default = config.name;
+        };
         alert = {
           enable =
             mkEnableOption "health check alerts"

modules/system/exports/unifi.nix

@@ -6,6 +6,7 @@
   inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 in {
   config.exports.services.unifi = {config, ...}: {
+    displayName = mkAlmostOptionDefault "UniFi";
     nixos.serviceAttr = "unifi";
     defaults.port.listen = mkAlmostOptionDefault "lan";
     ports = {

nixos/monitoring/gatus.nix

@@ -110,7 +110,7 @@
         [alertingConfig]
         ++ optional status.alert.enable alertingConfigAlerts;
       config = {
-        name = mkAlmostOptionDefault system.name;
+        name = mkAlmostOptionDefault system.exports.status.displayName;
         # XXX: it can't seem to ping ipv6 for some reason..? :<
         enabled = mkIf addrIs6 (mkAlmostOptionDefault false);
         client.network = mkIf addrIs6 (mkAlmostOptionDefault "ip6");
@@ -177,6 +177,11 @@ in {
     user = mkDefault "gatus";
     environmentFile = config.sops.secrets.gatus_environment_file.path;
 
+    hardening = {
+      enable = mkDefault true;
+      icmp.enable = mkDefault true;
+    };
+
     # Endpoint configuration
     endpoints = listToAttrs (concatMap mapSystem statusSystems);
 

systems/idrac-gengetsu/default.nix

@@ -5,11 +5,13 @@ _: {
   };
   network.networks = {
     local = {
+      slaac.enable = false;
       address4 = "10.1.1.12";
       address6 = null;
     };
   };
   exports = {
+    status.displayName = "gengetsu/IDRAC";
     services = {
       sshd = {
         enable = true;

systems/kvm-reisen/default.nix

@@ -1,5 +1,8 @@
 {...}: {
   type = "Linux";
+  access = {
+    online.available = true;
+  };
   network.networks = {
     local = {
       slaac.enable = false;
@@ -11,9 +14,12 @@
       address6 = "fd7a:115c:a1e0::1901:9d62";
     };
   };
-  exports.services = {
+  exports = {
+    status.displayName = "reisen/KVM";
+    services = {
       tailscale.enable = true;
       sshd.enable = true;
       #nkvm.enable = true;
     };
+  };
 }

systems/reisen/default.nix

@@ -3,6 +3,9 @@ _: {
   proxmox.node = {
     enable = true;
   };
+  access = {
+    online.available = true;
+  };
   extern.files = {
     "/etc/sysctl.d/50-net.conf" = {
       source = ./sysctl.50-net.conf;

systems/u7pro/default.nix

@@ -11,6 +11,7 @@ _: {
     };
   };
   exports = {
+    status.displayName = "U7 Pro";
     services = {
       sshd = {
         enable = true;