selfprivacy-nixos-config/netdata.nix

{ config, pkgs, ...}:
let
  domain = config.services.userdata.domain;
in
{
  services.netdata = {
    enable = true;
    package = pkgs.netdata.override {
      withCloud = false; # don't need Netdata Cloud integration
      withSsl = false; # we proxy-pass via nginx, which does SSL
    };
    config = {
      #global = {
      #  "default port" = 19191;
      #  "page cache size" = 96;
      #};
    };
  };

  services.nginx.virtualHosts."${domain}" = {
    #why not use "enableACME"?
    #sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
    #sslCertificateKey = "/var/lib/acme/${domain}/key.pem";

    #root = "/var/www/social.${domain}";
    #forceSSL = true;
    #extraConfig = ''
    #  add_header Strict-Transport-Security $hsts_header;
    #  #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    #  add_header 'Referrer-Policy' 'origin-when-cross-origin';
    #  add_header X-Frame-Options DENY;
    #  add_header X-Content-Type-Options nosniff;
    #  add_header X-XSS-Protection "1; mode=block";
    #  proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    #  expires 10m;
    #'';
    locations = {
      "/netdata/" = {
        proxyPass = "http://127.0.0.1:19999/";
      };
    };
  };
  # TODO Netdata must communicate with nginx via unix domain socket as
  # described here: https://learn.netdata.cloud/docs/configuring/securing-netdata-agents/reverse-proxies/nginx#limit-direct-access-to-netdata

  systemd.services.netdata.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = "localhost";
  };
}