From 891558aebfe987b73a397dcd51ccc07698511ded Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Fri, 11 Jul 2025 12:40:45 +0200
Subject: [PATCH] Begin creating monitoring.kaareskovgaard.net
Former-commit-id: 32ece6eb4325ae9d3f27a4dbd98cb7ffdd46af3b
---
 .forgejo/workflows/push.yaml | 2 +-
 .../khs-openstack-instance/default.nix | 9 +++-
 nix/modules/nixos/services/nginx/default.nix | 48 +++++++++++++++++--
 .../default.nix | 27 +++++++++-
 4 files changed, 76 insertions(+), 10 deletions(-)
 rename nix/systems/x86_64-linux/{test.kaareskovgaard.net => monitoring.kaareskovgaard.net}/default.nix (62%)
diff --git a/.forgejo/workflows/push.yaml b/.forgejo/workflows/push.yaml
index c222f25..5aedf95 100644
--- a/.forgejo/workflows/push.yaml
+++ b/.forgejo/workflows/push.yaml
@@ -37,4 +37,4 @@ jobs:
 - run: |
 nix build --no-link '.#nixosConfigurations."desktop.kaareskovgaard.net".config.system.build.toplevel'
 nix build --no-link '.#nixosConfigurations."desktop.kaareskovgaard.net".config.system.build.vm'
- nix build --no-link '.#nixosConfigurations."test.kaareskovgaard.net".config.system.build.toplevel'
+ nix build --no-link '.#nixosConfigurations."monitoring.kaareskovgaard.net".config.system.build.toplevel'
diff --git a/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix b/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
index 12d70a1..442a947 100644
--- a/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
+++ b/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
@@ -94,6 +94,13 @@ in
 description = "SSH key for the server (this only applies to the initial creation, deploying NixOS will render this key useless). Changing this will recreate the instance";
 default = "ssh-rsa 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";
 };
+ dns = {
+ mapIpv4Address = lib.mkEnableOption {
+ type = lib.types.bool;
+ description = "Also add the IPv4 address to DNS";
+ default = false;
+ };
+ };
 extraFirewallRules = lib.mkOption {
 type = lib.types.listOf lib.types.attrs;
 description = "Extra firewall rules added to the instance";
@@ -140,7 +147,7 @@ in
 dns = {
 enable = true;
 zone_name = tldFromFqdn fqdn;
- aRecords = [
+ aRecords = lib.mkIf cfg.dns.mapIpv4Address [
 {
 inherit fqdn;
 content = config.khscodes.openstack.output.compute_instance.compute.ipv4_address;
diff --git a/nix/modules/nixos/services/nginx/default.nix b/nix/modules/nixos/services/nginx/default.nix
index ed07690..27b7297 100644
--- a/nix/modules/nixos/services/nginx/default.nix
+++ b/nix/modules/nixos/services/nginx/default.nix
@@ -50,7 +50,7 @@ let
 type = lib.types.attrsOf (
 lib.khscodes.mkSubmodule {
 description = "nginx virtual host location";
- options = locationOptions;
+ options = locationOptions.options;
 }
 );
 default = { };
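Review bot: `lib.mkEnableOption` takes the option's name as a string, so the attrset passed to it for `dns.mapIpv4Address` is not an option declaration: the `type`, `description` and `default` inside it are ignored, and the description `mkEnableOption` generates by interpolating its argument cannot be rendered from a set. Declare it with `mapIpv4Address = lib.mkOption {` and keep the existing `type`, `description` and `default` lines as they are. The declared default of `false` coincides with `mkEnableOption`'s own default, which is why evaluating the configuration would not surface this; generating option documentation would.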
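Review bot: With `aRecords = lib.mkIf cfg.dns.mapIpv4Address [ … ]` and the option defaulting to false, every instance already using this module stops publishing its A record on the next apply unless it opts in, and the monitoring host introduced in this commit does not set the option either. If an IPv6-only default is intended, the option description should say so and name the consequence, e.g. `description = "Also publish the instance's IPv4 address as an A record; off by default, so IPv4-only clients cannot resolve the host unless this is enabled";`. Whether an AAAA record is still published is outside this hunk, so existing hosts should be checked before rollout.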
@@ -62,10 +62,31 @@ let
 acc: name: item:
 acc || (item.acme != null && !lib.attrsets.isAttrs item.acme)
 ) false cfg.virtualHosts;
+ modernSslAppendedHttpConfig =
+ if cfg.sslConfiguration == "modern" then
+ ''
+ ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ ''
+ else
+ '''';
 in
 {
 options.khscodes.services.nginx = {
 enable = lib.mkEnableOption "Enables nginx";
+ sslConfiguration = lib.mkOption {
+ type = lib.types.enum [
+ "modern"
+ "intermediate"
+ ];
+ description = ''
+ Which sort of ssl configuration following https://ssl-config.mozilla.org/#server=nginx&version=1.28.0&config=modern&openssl=3.4.1&guideline=5.7 as a baseline to generate.
+ The generated config is not guarenteed to follow this template specifically. In general, modern is preferred, intermediate should only be used if there's a specific reason to do so.
+ Do note that intermediate requires generating dhparams of large size, which can take hours to complete.
+
+ TODO: Look into OCSP stapling.
+ '';
+ default = "modern";
+ };
 virtualHosts = lib.mkOption {
 type = lib.types.attrsOf vhostOption;
 description = "Virtual hosts settings";
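Review bot: The `sslConfiguration` description has a typo, `guarenteed` → `guaranteed`, and its TODO about OCSP stapling may already be moot: `services.nginx.recommendedTlsSettings`, which this module sets to true in the next hunk, emits `ssl_stapling on; ssl_stapling_verify on;` in current nixpkgs, so it is worth confirming in the generated nginx.conf and then replacing the TODO with a sentence stating that stapling comes from `recommendedTlsSettings`. `'''';` as the empty-string branch of `modernSslAppendedHttpConfig` is an unusual spelling; `""` is equivalent here and reads more clearly.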
@@ -80,17 +101,36 @@ in
 }
 ];
 khscodes.security.acme.enable = true;
- security.dhparams.enable = true;
- security.dhparams.params."nginx".bits = 4096;
+ security.dhparams.enable = lib.mkIf (cfg.sslConfiguration == "intermediate") {
+ enable = true;
+ params."nginx" = {
+ bits = 4096;
+ };
+ };
 services.nginx = {
 enable = true;
 package = lib.mkDefault pkgs.nginxStable;
- sslDhparam = lib.mkDefault "${config.security.dhparams.params."nginx".path}";
+ sslDhparam = lib.mkIf (
+ cfg.sslConfiguration == "intermediate"
+ ) "${config.security.dhparams.params."nginx".path}"; # DHParams only used when using the ciphers of intermediate
+ sslProtocols = lib.mkIf (cfg.sslConfiguration == "modern") "TLSv1.3"; # The default matches intermediate
+ sslCiphers = lib.mkIf (cfg.sslConfiguration == "modern") null;
 recommendedTlsSettings = lib.mkDefault true;
 recommendedGzipSettings = lib.mkDefault true;
 recommendedOptimisation = lib.mkDefault true;
 recommendedZstdSettings = lib.mkDefault true;
 recommendedProxySettings = lib.mkDefault true;
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=63072000; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+
+ ${modernSslAppendedHttpConfig}
+ '';
 virtualHosts = lib.attrsets.mapAttrs (name: value: {
 inherit (value)
 extraConfig
diff --git a/nix/systems/x86_64-linux/test.kaareskovgaard.net/default.nix b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
similarity index 62%
rename from nix/systems/x86_64-linux/test.kaareskovgaard.net/default.nix
rename to nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
index 2e30925..5e86d67 100644
--- a/nix/systems/x86_64-linux/test.kaareskovgaard.net/default.nix
+++ b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
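Review bot: `security.dhparams.enable = lib.mkIf (…) { enable = true; params."nginx" = { bits = 4096; }; };` assigns an attrset to a boolean option; the set is meant for `security.dhparams` itself, so selecting `"intermediate"` fails option type-checking, while the default `"modern"` masks the bug because `mkIf false` drops the definition entirely. The fix is `security.dhparams = lib.mkIf (cfg.sslConfiguration == "intermediate") {` with the body unchanged. Separately, the three `add_header` lines in `appendHttpConfig` are only emitted on successful and redirect responses, and nginx does not inherit `add_header` into any server or location block that declares its own, so HSTS, `X-Frame-Options` and `X-Content-Type-Options` silently disappear on error pages and in vhosts whose `extraConfig` adds a header; add the `always` parameter (`add_header Strict-Transport-Security $hsts_header always;`, likewise for the other two) and put a comment next to the map naming the inheritance caveat. The `preload` token has no effect unless `includeSubDomains` is also present, and listing on the preload list commits every subdomain to HTTPS, so either drop `preload` or make that decision explicit in the header and a comment.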
@@ -1,9 +1,25 @@
 {
 inputs,
+ config,
 ...
 }:
+let
+ grafana = config.services.grafana;
+in
 {
 imports = [ "${inputs.self}/nix/profiles/nixos/khs-openstack-server.nix" ];
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_addr = "127.0.0.1";
+ http_port = 3000;
+ domain = "monitoring.kaareskovgaard.net";
+ root_url = "https://monitoring.kaareskovgaard.net";
+ serve_from_sub_path = false;
+ };
+ };
+ };
 khscodes = {
 infrastructure.khs-openstack-instance = {
 enable = true;
@@ -11,9 +27,12 @@
 };
 services.nginx = {
 enable = true;
- virtualHosts."test.kaareskovgaard.net" = {
- globalRedirect = "khs.codes";
- redirectCode = 302;
+ virtualHosts."monitoring.kaareskovgaard.net" = {
+ locations."/" = {
+ proxyPass = "http://${grafana.settings.server.http_addr}:${toString grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
 };
 };
 };
@@ -24,6 +43,6 @@
 "ssh-rsa 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"
 ];
 };
- khscodes.networking.fqdn = "test.kaareskovgaard.net";
+ khscodes.networking.fqdn = "monitoring.kaareskovgaard.net";
 system.stateVersion = "25.05";
 }
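Review bot: `services.grafana` is enabled without `settings.security.admin_password` (or `admin_user`), so Grafana starts with its default admin credentials while the vhost in the next hunk exposes it on the public name; the forced password change on first login is then the only guard between deployment and first use. Set the password from a secret before the host is deployed (Grafana resolves `$__file{/path/to/secret-placeholder}` in settings values) or record in a comment that the forced change is relied upon. Binding to `127.0.0.1` and pointing `root_url` at the vhost are the right choices for the proxy setup.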
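Review bot: `recommendedProxySettings = true;` in the `/` location duplicates the module-level `recommendedProxySettings = lib.mkDefault true;` that this same commit sets in nix/modules/nixos/services/nginx/default.nix, so it is redundant unless the project's location submodule defaults it differently; dropping it keeps the host file to what is specific to this host. Deriving `proxyPass` from `config.services.grafana` rather than repeating the address and port is a good choice and keeps the two in sync.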