Begin creating monitoring.kaareskovgaard.net

2025-07-11 12:40:45 +02:00 · 2025-07-11 12:40:45 +02:00 · 32ece6eb43
commit 32ece6eb43
parent c402ada8f7
4 changed files with 76 additions and 10 deletions
--- a/.forgejo/workflows/push.yaml
+++ b/.forgejo/workflows/push.yaml
@ -37,4 +37,4 @@ jobs:
      - run: |
          nix build --no-link '.#nixosConfigurations."desktop.kaareskovgaard.net".config.system.build.toplevel'
          nix build --no-link '.#nixosConfigurations."desktop.kaareskovgaard.net".config.system.build.vm'
-          nix build --no-link '.#nixosConfigurations."test.kaareskovgaard.net".config.system.build.toplevel'
+          nix build --no-link '.#nixosConfigurations."monitoring.kaareskovgaard.net".config.system.build.toplevel'
--- a/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
+++ b/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
@ -94,6 +94,13 @@ in
      description = "SSH key for the server (this only applies to the initial creation, deploying NixOS will render this key useless). Changing this will recreate the instance";
      default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw==";
    };
+    dns = {
+      mapIpv4Address = lib.mkEnableOption {
+        type = lib.types.bool;
+        description = "Also add the IPv4 address to DNS";
+        default = false;
+      };
+    };
    extraFirewallRules = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Extra firewall rules added to the instance";
@ -140,7 +147,7 @@ in
                dns = {
                  enable = true;
                  zone_name = tldFromFqdn fqdn;
-                  aRecords = [
+                  aRecords = lib.mkIf cfg.dns.mapIpv4Address [
                    {
                      inherit fqdn;
                      content = config.khscodes.openstack.output.compute_instance.compute.ipv4_address;
--- a/nix/modules/nixos/services/nginx/default.nix
+++ b/nix/modules/nixos/services/nginx/default.nix
@ -50,7 +50,7 @@ let
        type = lib.types.attrsOf (
          lib.khscodes.mkSubmodule {
            description = "nginx virtual host location";
-            options = locationOptions;
+            options = locationOptions.options;
          }
        );
        default = { };
@ -62,10 +62,31 @@ let
    acc: name: item:
    acc || (item.acme != null && !lib.attrsets.isAttrs item.acme)
  ) false cfg.virtualHosts;
+  modernSslAppendedHttpConfig =
+    if cfg.sslConfiguration == "modern" then
+      ''
+        ssl_ecdh_curve X25519:prime256v1:secp384r1;
+      ''
+    else
+      '''';
 in
 {
  options.khscodes.services.nginx = {
    enable = lib.mkEnableOption "Enables nginx";
+    sslConfiguration = lib.mkOption {
+      type = lib.types.enum [
+        "modern"
+        "intermediate"
+      ];
+      description = ''
+        Which sort of ssl configuration following https://ssl-config.mozilla.org/#server=nginx&version=1.28.0&config=modern&openssl=3.4.1&guideline=5.7 as a baseline to generate.
+        The generated config is not guarenteed to follow this template specifically. In general, modern is preferred, intermediate should only be used if there's a specific reason to do so.
+        Do note that intermediate requires generating dhparams of large size, which can take hours to complete.
+
+        TODO: Look into OCSP stapling.
+      '';
+      default = "modern";
+    };
    virtualHosts = lib.mkOption {
      type = lib.types.attrsOf vhostOption;
      description = "Virtual hosts settings";
@ -80,17 +101,36 @@ in
      }
    ];
    khscodes.security.acme.enable = true;
-    security.dhparams.enable = true;
-    security.dhparams.params."nginx".bits = 4096;
+    security.dhparams.enable = lib.mkIf (cfg.sslConfiguration == "intermediate") {
+      enable = true;
+      params."nginx" = {
+        bits = 4096;
+      };
+    };
    services.nginx = {
      enable = true;
      package = lib.mkDefault pkgs.nginxStable;
-      sslDhparam = lib.mkDefault "${config.security.dhparams.params."nginx".path}";
+      sslDhparam = lib.mkIf (
+        cfg.sslConfiguration == "intermediate"
+      ) "${config.security.dhparams.params."nginx".path}"; # DHParams only used when using the ciphers of intermediate
+      sslProtocols = lib.mkIf (cfg.sslConfiguration == "modern") "TLSv1.3"; # The default matches intermediate
+      sslCiphers = lib.mkIf (cfg.sslConfiguration == "modern") null;
      recommendedTlsSettings = lib.mkDefault true;
      recommendedGzipSettings = lib.mkDefault true;
      recommendedOptimisation = lib.mkDefault true;
      recommendedZstdSettings = lib.mkDefault true;
      recommendedProxySettings = lib.mkDefault true;
+      appendHttpConfig = ''
+        map $scheme $hsts_header {
+          https "max-age=63072000; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+
+        ${modernSslAppendedHttpConfig}
+      '';
      virtualHosts = lib.attrsets.mapAttrs (name: value: {
        inherit (value)
          extraConfig
--- a/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
+++ b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
@ -1,9 +1,25 @@
 {
  inputs,
+  config,
  ...
 }:
+let
+  grafana = config.services.grafana;
+in
 {
  imports = [ "${inputs.self}/nix/profiles/nixos/khs-openstack-server.nix" ];
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "127.0.0.1";
+        http_port = 3000;
+        domain = "monitoring.kaareskovgaard.net";
+        root_url = "https://monitoring.kaareskovgaard.net";
+        serve_from_sub_path = false;
+      };
+    };
+  };
  khscodes = {
    infrastructure.khs-openstack-instance = {
      enable = true;
@ -11,9 +27,12 @@
    };
    services.nginx = {
      enable = true;
-      virtualHosts."test.kaareskovgaard.net" = {
-        globalRedirect = "khs.codes";
-        redirectCode = 302;
+      virtualHosts."monitoring.kaareskovgaard.net" = {
+        locations."/" = {
+          proxyPass = "http://${grafana.settings.server.http_addr}:${toString grafana.settings.server.http_port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+        };
      };
    };
  };
@ -24,6 +43,6 @@
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
    ];
  };
-  khscodes.networking.fqdn = "test.kaareskovgaard.net";
+  khscodes.networking.fqdn = "monitoring.kaareskovgaard.net";
  system.stateVersion = "25.05";
 }