infrastructure/machines/core-services-01/monitoring.nix


# Monitoring stack for core-services-01: a netdata instance that also accepts
# streamed metrics from two other hosts, IRC alarm notifications, and an nginx
# virtual host that serves the dashboard behind oauth2_proxy (Keycloak login).
{ config, pkgs, ... }:
let
  my = config.my;
  realm = "ClubReseau";

  # Public name of the dashboard; shared by nginx and oauth2_proxy below.
  monitoringHost = "monitoring.${my.subZone}";

  # Common prefix of the realm's OpenID Connect endpoints.
  oidcEndpoint = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect";

  # Wraps file contents into an /etc entry owned by netdata with mode 0600.
  # NOTE(review): NixOS builds `text` into a file in the Nix store before
  # installing it, and the store is normally world-readable, so the 0600 mode
  # only covers the /etc copy. Anything that must stay confidential belongs in
  # a secret file (this module already uses age for the oauth2_proxy key).
  netdataEtcFile = contents: {
    user = "netdata";
    group = "netdata";
    mode = "0600";
    text = contents;
  };
in
{
  services.netdata.enable = true;

  # Restart netdata whenever one of the three generated config files changes.
  systemd.services.netdata.restartTriggers =
    map (name: config.environment.etc."netdata/${name}.conf".source) [
      "netdata"
      "stream"
      "health_alarm_notify"
    ];

  # NOTE(review): no listen address is set here, so which interfaces expose
  # port 19999 depends on netdata's defaults and the host firewall. Confirm the
  # dashboard cannot be reached directly, bypassing the oauth2_proxy-protected
  # nginx virtual host below.
  environment.etc."netdata/netdata.conf" = netdataEtcFile ''
    [global]
    page cache size = 32
    dbengine multihost disk space = 23058
  '';

  # One section per streaming child. The section name is the API key the child
  # presents, and `allow from` limits which source address may use that key.
  # NOTE(review): the keys are committed in this file, so `allow from` is the
  # only restriction that stays private to the network. No TLS settings for
  # streaming are visible here; verify the network carrying 10.1.1.x traffic
  # is trusted.
  environment.etc."netdata/stream.conf" = netdataEtcFile ''
    # pve01 hypervisor
    [e245097d-bf52-4f66-9c10-984e8d5ee178]
    enabled = yes
    default history = 10000
    default memory mode = dbengine
    health enabled by default = auto
    allow from = 10.1.1.10
    # public-cof server
    [c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe]
    enabled = yes
    default history = 10000
    default memory mode = dbengine
    health enabled by default = auto
    allow from = 10.1.1.21
  '';

  # Alarm notifications go to an IRC channel; netcat is pinned to the store
  # path of pkgs.netcat rather than looked up on PATH.
  environment.etc."netdata/health_alarm_notify.conf" = netdataEtcFile ''
    # External tools
    nc="${pkgs.netcat}/bin/nc"
    # IRC configuration
    SEND_IRC="YES"
    DEFAULT_RECIPIENT_IRC="#réseau"
    IRC_NETWORK="ens.wtf"
    IRC_NICKNAME="core-services-01"
    IRC_REALNAME="KlubRZ Core Services 01"
  '';

  services.oauth2_proxy = {
    enable = true;
    # Secrets are read from an age-managed file, not from the Nix store.
    keyFile = config.age.secrets.oauth2ProxyKeyFile.path;
    provider = "keycloak";
    # "*" accepts every e-mail domain: any account able to log in to the realm
    # is let through, so authorization is effectively decided in Keycloak.
    # NOTE(review): confirm realm membership is the intended access policy for
    # the monitoring dashboard.
    email.domains = [ "*" ];
    setXauthrequest = true;
    scope = "profile";
    loginURL = "${oidcEndpoint}/auth";
    redeemURL = "${oidcEndpoint}/token";
    profileURL = "${oidcEndpoint}/userinfo";
    validateURL = "${oidcEndpoint}/userinfo";
    redirectURL = "https://${monitoringHost}/oauth2/callback";
    # oauth2_proxy runs behind nginx on this host, so forwarded headers are
    # accepted from the reverse proxy.
    reverseProxy = true;
    passHostHeader = true;
    # Hooks the proxy's authentication into this nginx virtual host.
    nginx = {
      virtualHosts = [ monitoringHost ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts.${monitoringHost} = {
      # HTTPS only, with an ACME-issued certificate.
      enableACME = true;
      forceSSL = true;
      # Plain HTTP to the local netdata dashboard.
      locations."/".proxyPass = "http://localhost:19999";
    };
  };

  # Disabled: smartd attribute logging for netdata.
  # services.smartd = {
  #   enable = true;
  #   extraOptions = [ "-A /var/log/smartd/" ]; # For netdata
  # };
}