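# NixOS module for the "status" service.
#
# Declares `myServices.status.enable` and, when it is true, configures:
#   - a secrets file carrying the NRDP tokens for the status app,
#   - nginx virtual hosts proxying to the app's unix socket (plus a netdata
#     reverse proxy on one of them),
#   - the ACME certificate domains, the firewall ports, and
#   - the gunicorn systemd unit that serves the app.
{ config, pkgs, lib, name, ... }:
{
  options = {
    myServices.status = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to enable status app.
        '';
      };
    };
  };
  config = lib.mkIf config.myServices.status.enable {
    # Environment file read by the systemd unit below (EnvironmentFile).
    # Owned by naemon:naemon with mode 0400; TOKENS is the space-separated
    # list taken from config.myEnv.monitoring.nrdp_tokens.
    # NOTE(review): whether `text` stays out of the world-readable Nix store
    # depends on the secrets.keys implementation, which is not visible here;
    # confirm.
    secrets.keys."naemon-status/environment" = {
      user = "naemon";
      group = "naemon";
      permissions = "0400";
      text = ''
        TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens}
      '';
    };
    services.nginx = {
      enable = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      # netdata is reached on loopback only; nginx is the one public entry point.
      upstreams."netdata".servers = { "127.0.0.1:19999" = {}; };
      upstreams."netdata".extraConfig = ''
        keepalive 64;
      '';
      # Both virtual hosts send "/" to the gunicorn unix socket created by the
      # naemon-status unit and use the certificate named `name`.
      virtualHosts."status.eban.bzh" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
      };
      virtualHosts."status.immae.eu" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";

        locations."= /netdata".return = "301 /netdata/";
        # The regex is anchored with ^ so that only URIs that start with
        # /netdata/ are sent to netdata. nginx prefers a matching regex
        # location over the "/" prefix location, so an unanchored pattern
        # would also capture any application path that merely contains
        # "/netdata/".
        # NOTE(review): no authentication or address restriction is visible on
        # this location, so the netdata dashboard is reachable by anyone who
        # can reach this virtual host unless netdata itself or another layer
        # restricts it; confirm that this exposure is intended.
        locations."~ ^/netdata/(?<ndpath>.*)".extraConfig = ''
          proxy_redirect off;
          proxy_set_header Host $host;

          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_http_version 1.1;
          proxy_pass_request_headers on;
          proxy_set_header Connection "keep-alive";
          proxy_store off;
          proxy_pass http://netdata/$ndpath$is_args$args;

          gzip on;
          gzip_proxied any;
          gzip_types *;
        '';
      };
    };
    # One certificate (named `name`) covers both status host names; it is
    # owned by the nginx user and group so that nginx can read it.
    security.acme.certs."${name}" = {
      extraDomains."status.immae.eu" = null;
      extraDomains."status.eban.bzh" = null;
      user = config.services.nginx.user;
      group = config.services.nginx.group;
    };

    myServices.certificates.enable = true;
    # Only the HTTP and HTTPS ports are opened; gunicorn listens on a unix
    # socket and the netdata upstream is addressed on 127.0.0.1.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    systemd.services.naemon-status = {
      description = "Naemon status";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # The tokens reach the application as the TOKENS environment variable.
        EnvironmentFile = config.secrets.fullPaths."naemon-status/environment";
        Type = "simple";
        # Interpolating the path copies ./status into the Nix store, so the
        # application source is world-readable there; keep secrets out of it.
        WorkingDirectory = "${./status}";
        # NOTE(review): the socket must be connectable by the nginx user while
        # the service runs as naemon. gunicorn's umask setting defaults to 0,
        # which would leave the socket open to every local user; confirm that
        # this is acceptable or restrict it (socket mode or a shared group).
        ExecStart = let
          python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.flask_login ]);
        in
          "${python}/bin/gunicorn -w4 --bind unix:/run/naemon-status/socket.sock app:app";
        # NOTE(review): the unit drops to an unprivileged user but sets no
        # sandboxing directives (e.g. NoNewPrivileges, ProtectSystem,
        # PrivateTmp); evaluate them once the needs of ./status are known.
        User = "naemon";
        # Creates /run/naemon-status for the socket.
        RuntimeDirectory = "naemon-status";
        StandardOutput = "journal";
        StandardError = "inherit";
      };
    };
  };
}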