51 lines
1.6 KiB
Nix
51 lines
1.6 KiB
Nix
{ config, pkgs, ...}:
|
|
let
|
|
domain = config.services.userdata.domain;
|
|
in
|
|
{
|
|
services.netdata = {
|
|
enable = true;
|
|
package = pkgs.netdata.override {
|
|
withCloud = false; # don't need Netdata Cloud integration
|
|
withSsl = false; # we proxy-pass via nginx, which does SSL
|
|
};
|
|
config = {
|
|
#global = {
|
|
# "default port" = 19191;
|
|
# "page cache size" = 96;
|
|
#};
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."${domain}" = {
|
|
#why not use "enableACME"?
|
|
#sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
#sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
|
|
#root = "/var/www/social.${domain}";
|
|
#forceSSL = true;
|
|
#extraConfig = ''
|
|
# add_header Strict-Transport-Security $hsts_header;
|
|
# #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
# add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
# add_header X-Frame-Options DENY;
|
|
# add_header X-Content-Type-Options nosniff;
|
|
# add_header X-XSS-Protection "1; mode=block";
|
|
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
# expires 10m;
|
|
#'';
|
|
locations = {
|
|
"/netdata/" = {
|
|
proxyPass = "http://127.0.0.1:19999/";
|
|
};
|
|
};
|
|
};
|
|
# TODO Netdata must communicate with nginx via unix domain socket as
|
|
# described here: https://learn.netdata.cloud/docs/configuring/securing-netdata-agents/reverse-proxies/nginx#limit-direct-access-to-netdata
|
|
|
|
systemd.services.netdata.serviceConfig = {
|
|
IPAddressDeny = "any";
|
|
IPAddressAllow = "localhost";
|
|
};
|
|
}
|