From a69ff294703079c6327d3f4926b9e83169862524 Mon Sep 17 00:00:00 2001
From: Jakob Lechner <mail@jalr.de>
Date: Fri, 4 Aug 2023 10:06:44 +0000
Subject: [PATCH] Add grafana

---
 machines/raven/services/default.nix |  1 +
 machines/raven/services/grafana.nix | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 machines/raven/services/grafana.nix

diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index a26ab2d..f368970 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -5,6 +5,7 @@
     ./dnsmasq.nix
     ./dyndns.nix
     ./freeradius.nix
+    ./grafana.nix
     ./labsync
     ./unifi-controller.nix
     ./wekan.nix
diff --git a/machines/raven/services/grafana.nix b/machines/raven/services/grafana.nix
new file mode 100644
index 0000000..29558c2
--- /dev/null
+++ b/machines/raven/services/grafana.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+let
+  domain = "grafana.fablab-nea.de";
+  srv = config.services.grafana.settings.server;
+in
+{
+  services.grafana = {
+    enable = true;
+    settings.server.domain = domain;
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
+      recommendedProxySettings = true;
+    };
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+    '';
+  };
+}