From ec7ce08c8ce4ba94724eafe14e75b22de924745d Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Thu, 8 Jul 2021 14:17:31 +0000
Subject: [PATCH] Make Nginx reverse proxy reachable from outside

---
 nixos/modules/monitoring/server/grafana.nix | 27 ++++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index d5724e71..4360965b 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -30,7 +30,8 @@ in {
   };
 
   config = {
-    # networking.firewall.allowedTCPPorts = [ 80 443 ];
+    # Port 80 for ACME ssl retrieval only. 443 for nginx -> grafana.
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     services.grafana = {
       enable = true;
@@ -67,11 +68,25 @@ in {
     };
 
     # nginx reverse proxy
-    services.nginx.enable = true;
-    services.nginx.virtualHosts.${config.services.grafana.domain} = {
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
-        proxyWebsockets = true;
+    services.nginx = {
+      enable = true;
+
+      # Yes, use the NixOS recommended settings:
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # Only allow PFS-enabled ciphers with AES256:
+      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      virtualHosts.${config.services.grafana.domain} = {
+        enableACME = true;
+        onlySSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyWebsockets = true;
+        };
       };
     };
   };
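Review bot: `onlySSL = true` together with `enableACME = true` (the two lines under `virtualHosts`) leaves this vhost with no plain-HTTP listener, so the HTTP-01 challenge that the `Port 80 for ACME ssl retrieval only` comment in the first hunk relies on works only if the NixOS nginx module adds its own port-80 challenge server for onlySSL hosts — I am not certain it does for the NixOS release in use, so confirm, or use `forceSSL = true;`, which creates a port-80 server that serves `/.well-known/acme-challenge` and redirects everything else to HTTPS, matching the intent of the firewall comment. Separately, `sslCiphers` replaces the cipher list that `recommendedTlsSettings` would otherwise set; the `AES256+EDH` group enables DHE suites whose DH parameters come from nginx's built-in defaults unless `sslDhparam` is set, and the string does not govern TLS 1.3 suites at all. Either drop `AES256+EDH` or state the intent in the comment, e.g. `# Only allow PFS-enabled ciphers with AES256 (TLS <= 1.2; TLS 1.3 suites are fixed by nginx):`.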
-- 
GitLab