From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 4 Oct 2023 01:35:06 +0200
Subject: Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
---
systems/monitoring-1/status.nix | 84 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 systems/monitoring-1/status.nix
(limited to 'systems/monitoring-1/status.nix')
diff --git a/systems/monitoring-1/status.nix b/systems/monitoring-1/status.nix
new file mode 100644
index 0000000..8b6615f
--- /dev/null
+++ b/systems/monitoring-1/status.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, lib, name, ... }:
+{
+ options = {
+ myServices.status = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable status app.
+ '';
+ };
+ };
+ };
+ config = lib.mkIf config.myServices.status.enable {
+ secrets.keys."naemon-status/environment" = {
+ user = "naemon";
+ group = "naemon";
+ permissions = "0400";
+ text = ''
+ TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens}
+ '';
+ };
+ services.nginx = {
+ enable = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ upstreams."netdata".servers = { "127.0.0.1:19999" = {}; };
+ upstreams."netdata".extraConfig = ''
+ keepalive 64;
+ '';
+ virtualHosts."status.immae.eu" = {
+ acmeRoot = config.security.acme.defaults.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
+
+ locations."= /netdata".return = "301 /netdata/";
+ locations."~ /netdata/(?.*)".extraConfig = ''
+ proxy_redirect off;
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+ proxy_pass http://netdata/$ndpath$is_args$args;
+
+ gzip on;
+ gzip_proxied any;
+ gzip_types *;
+ '';
+ };
+ };
+ security.acme.certs."${name}" = {
+ extraDomainNames = [ "status.immae.eu" ];
+ group = config.services.nginx.group;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ systemd.services.naemon-status = {
+ description = "Naemon status";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ EnvironmentFile = config.secrets.fullPaths."naemon-status/environment";
+ Type = "simple";
+ WorkingDirectory = "${./status}";
+ ExecStart = let
+ python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.flask_login ]);
+ in
+ "${python}/bin/gunicorn -w4 --bind unix:/run/naemon-status/socket.sock app:app";
+ User = "naemon";
+ RuntimeDirectory = "naemon-status";
+ StandardOutput = "journal";
+ StandardError = "inherit";
+ };
+ };
+ };
+}
-- cgit v1.2.3
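Review bot: The `~ /netdata/` location proxies the netdata upstream on 127.0.0.1:19999 with no access control visible in this hunk, while `networking.firewall.allowedTCPPorts` opens 80 and 443, so the dashboard's host metrics appear readable by anyone who can reach status.immae.eu. Unless access is restricted somewhere outside this file, that location's `extraConfig` should carry either `allow <trusted-cidr>; deny all;` or `auth_basic "netdata"; auth_basic_user_file <path-to-htpasswd>;` (placeholders, to be filled from the private repository). The location regex shows as `(?.*)` while `proxy_pass` uses `$ndpath`; this is probably the page dropping a `(?<ndpath>.*)` named group, but it is worth confirming in the real file because nginx would reject the config otherwise. Separately, the `naemon-status` unit runs the internet-facing gunicorn app with no sandboxing in `serviceConfig`; if the app writes nothing outside its runtime directory, `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `PrivateTmp = true;` would be a cheap addition.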