X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmonitoring%2Fstatus.nix;h=682f5df824e8623aa680861d42a43a05a03141a2;hb=b095e430437e9d4e5ce79280ab54347a07d7a5a7;hp=ed4d6812857eca914ef7d6213fe8185cd164525d;hpb=6e9f30f4c63fddc5ce886b26b7e4e9ca23a93111;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix
index ed4d681..682f5df 100644
--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -12,32 +12,56 @@ }; }; config = lib.mkIf config.myServices.status.enable { - secrets.keys = [ - { - dest = "naemon-status/environment"; - user = "naemon"; - group = "naemon"; - permission = "0400"; - text = '' - TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens} - ''; - } - ]; + secrets.keys."naemon-status/environment" = { + user = "naemon"; + group = "naemon"; + permissions = "0400"; + text = '' + TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens} + ''; + }; services.nginx = { enable = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; + upstreams."netdata".servers = { "127.0.0.1:19999" = {}; }; + upstreams."netdata".extraConfig = '' + keepalive 64; + ''; virtualHosts."status.immae.eu" = { + acmeRoot = config.myServices.certificates.webroot; useACMEHost = name; forceSSL = true; locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; + + locations."= /netdata".return = "301 /netdata/"; + locations."~ /netdata/(?.*)".extraConfig = '' + proxy_redirect off; + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_set_header Connection "keep-alive"; + proxy_store off; + proxy_pass http://netdata/$ndpath$is_args$args; + + gzip on; + gzip_proxied any; + gzip_types *; + ''; }; }; - security.acme.certs."${name}".extraDomains."status.immae.eu" = null; + security.acme.certs."${name}" = { + extraDomainNames = [ "status.immae.eu" ]; + group = config.services.nginx.group; + }; myServices.certificates.enable = true; - networking.firewall.allowedTCPPorts = [ 80 443 18000 ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; systemd.services.naemon-status = { description = "Naemon status"; after = [ "network.target" ]; 
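Review bot: The new `locations."~ /netdata/(?.*)"` block proxies straight to the netdata upstream on 127.0.0.1:19999 with no access control visible in this hunk, so it bypasses whatever login the app behind `/` enforces (the gunicorn app is built with flask_login) and would serve host metrics to anyone who can reach port 443. Unless this is restricted elsewhere, add a gate inside the `extraConfig`, for example `allow <trusted-cidr>;` followed by `deny all;`, or `auth_basic "netdata";` with `auth_basic_user_file <htpasswd-path>;`. The location regex is also unanchored, so any URI that merely contains `/netdata/` is captured instead of reaching the status app; starting the pattern with `^/netdata/` would limit it to the intended prefix. As rendered here the capture group has no name while `proxy_pass` refers to `$ndpath`; the `<ndpath>` part was probably lost when the page was extracted, but it is worth confirming in the real file.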
@@ -48,7 +72,7 @@ Type = "simple"; WorkingDirectory = "${./status}"; ExecStart = let - python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.flask_login ]); + python = pkgs.python38.withPackages (p: [ p.gunicorn p.flask p.flask_login ]); in "${python}/bin/gunicorn -w4 --bind unix:/run/naemon-status/socket.sock app:app"; User = "naemon";