feat(sterni/ingeborg/monitoring): expose netdata via nginx r/8937

Change-Id: Iea81625180526a36f8646539e8da0ccdaed79d43
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12804
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI

3 files changed, 37 insertions, 1 deletions

diff --git a/users/sterni/machines/ingeborg/monitoring.nix b/users/sterni/machines/ingeborg/monitoring.nix
index f4a347047130..58e814731a3e 100644
--- a/users/sterni/machines/ingeborg/monitoring.nix
+++ b/users/sterni/machines/ingeborg/monitoring.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, depot, ... }:
 
 let
   ircChannel = "#sterni.lv";
@@ -136,6 +136,34 @@ in
           };
         };
       };
+
+      # https://learn.netdata.cloud/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/nginx
+      nginx.virtualHosts."monitoring.sterni.lv" = {
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          auth_basic "netdata";
+          auth_basic_user_file ${config.age.secretsDir}/netdata-htpasswd;
+
+          location / {
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Server $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass http://127.0.0.1:${toString netdataPort};
+            proxy_http_version 1.1;
+            proxy_pass_request_headers on;
+            proxy_set_header Connection "keep-alive";
+            proxy_store off;
+          }
+        '';
+      };
+    };
+
+    age.secrets.netdata-htpasswd = {
+      file = depot.users.sterni.secrets."netdata-htpasswd.age";
+      inherit (config.services.nginx) group;
+      owner = config.services.nginx.user;
+      mode = "700";
     };
   };
 }
diff --git a/users/sterni/secrets/netdata-htpasswd.age b/users/sterni/secrets/netdata-htpasswd.age
new file mode 100644
index 000000000000..3e13a74bf7da
--- /dev/null
+++ b/users/sterni/secrets/netdata-htpasswd.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 aXKGcg 7NJ/tDM/OcSOfQPYDTCtanHGSx0S4Awh46yVd6En+gM
+6EVvqfDHsozsS85uAUz7wkYWXR0/Q2OETPSRVlMQ7F4
+-> ssh-ed25519 OaL1CA oqGrI9yqsDCrzQ8Axz3TX2ebbzWhYSCojYLMlOxl/Eo
++tgAb1bkK1TdoHesJu2Ui8VMSMNLtA5U5/ia+Ntruas
+--- 8Th6voNgkxciDPXDn6vVFemwZNNTukp40sriXYDRS5E
+dÀ¥×ÿ6šÅ+ƒéâØ©¼‚;¡Ñ´ 6 í7N:bQƒ˜†d‹—˯åù	NÅ	‘öý-2žö\ÎG‚³aºä	KÇc§¢á¬Ùü
\ No newline at end of file
diff --git a/users/sterni/secrets/secrets.nix b/users/sterni/secrets/secrets.nix
index 7132fbf8f3a6..469f57ed999b 100644
--- a/users/sterni/secrets/secrets.nix
+++ b/users/sterni/secrets/secrets.nix
@@ -12,4 +12,5 @@ in
   "warteraum-salt.age".publicKeys = nonremote ++ ingeborg;
   "warteraum-tokens.age".publicKeys = nonremote ++ ingeborg;
   "minecraft-rcon.age".publicKeys = nonremote ++ ingeborg;
+  "netdata-htpasswd.age".publicKeys = nonremote ++ ingeborg;
 }