From eac7803895890b42fb8235bf85f1927de38e3810 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 22 May 2026 21:17:28 +0200
Subject: [PATCH 1/3] netdata: ui should only be reachable inside tailnet
---
 hosts/sid/services/netdata.nix | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/hosts/sid/services/netdata.nix b/hosts/sid/services/netdata.nix
index b69a02b..046f2eb 100644
--- a/hosts/sid/services/netdata.nix
+++ b/hosts/sid/services/netdata.nix
@@ -55,20 +55,21 @@ in
 NETDATA_USER_CONFIG_DIR = "/etc/netdata/conf.d";
 };
- services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
- enableACME = true;
- forceSSL = true;
-
- locations."/" = {
- root = netdata-dashboard;
- tryFiles = "$uri $uri/ /index.html";
- };
-
- locations."~ ^/(api|v[0-9]+|netdata.conf|registry|stream|version.txt)(/|$)" = {
- proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
- recommendedProxySettings = true;
- };
- };
+ # TODO: move into Tailnet
+ # services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
+ # enableACME = true;
+ # forceSSL = true;
+ #
+ # locations."/" = {
+ # root = netdata-dashboard;
+ # tryFiles = "$uri $uri/ /index.html";
+ # };
+ #
+ # locations."~ ^/(api|v[0-9]+|netdata.conf|registry|stream|version.txt)(/|$)" = {
+ # proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
+ # recommendedProxySettings = true;
+ # };
+ # };
 services.journald.storage = "persistent";
From 84d04fa1ad97716f2433f1acd23aee5628e3ef92 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 22 May 2026 21:23:54 +0200
Subject: [PATCH 2/3] netdata: make ui available in tailnet
---
 hosts/sid/secrets/secrets.yaml | 5 ++--
 hosts/sid/services/netdata.nix | 51 ++++++++++++++++++++++++----------
 2 files changed, 39 insertions(+), 17 deletions(-)
diff --git a/hosts/sid/secrets/secrets.yaml b/hosts/sid/secrets/secrets.yaml
index 8fb0e4a..f94edbf 100644
--- a/hosts/sid/secrets/secrets.yaml
+++ b/hosts/sid/secrets/secrets.yaml
@@ -35,6 +35,7 @@ radicale:
 step-ca:
 password: ENC[AES256_GCM,data:8/6NA3WpII0LmDOp5ISnHKeaXn5LM4gpiI47JTso23c=,iv:fi2eMGG1lOwdK5+98Hp7vZ101GKRip5Xgq9k+vnC9yI=,tag:oENvvsEbKSHFfLoXcJlPkg==,type:str]
 intermediate-key: ENC[AES256_GCM,data:yGZLSd7ydx9wNFpWWPcyUBwZQZbyziGleCWSxurFniBCauw2h4hcPc4c4I/7cjl1vRUv41WfzWu1PtXnZ3lNHOC6tTbiikHFBgGiHk2Lhddx+NESUWmgNiejJR/UDW4T25W9OHxwLCV9pmHf4fjyT/REymGIB7kbcRryWqcWtoZWYaL7JooJornm5mMU1Be+MCfxusTGQA4gQsT5/bu20iEGPwgY3fEgZLQWzKFI2kD2lYlMC8CRxoZO32uTizzooW1+zKng1qSZ7aobFJsbSKRYpYDv9Vvfwltcczb+xo+yZL3pfoEiqAxPzeG/48lRVNf1nftM5esBRGIIPr9BV9+7fbe5DFbSRDtAWspEnp9R5ENj1rbNint/fjCcStg3OfFMdv6N8cQyIpQyHCiBLiG4z+xyFcn0iW4=,iv:BhUoeaoetI5vJk9wOHhBI2ebHWCPeXz8U2ta/xEeUxM=,tag:7xg5ilOSJP1rFlSmmZVZUg==,type:str]
+hetzner-api-key: ENC[AES256_GCM,data:NhgWjitvgJrcBEDSkZH0S0VmaW37NupkiEUcQDZe/6oYyrE/VgEwrGSag/s2Fgv6uHmSsdbv1vqdc0iDO8GJ8w==,iv:ChEicL0jtjQrgn8CCUnrzErRr3YVdDhMbvcIlI3t7H8=,tag:cjjbEEYqEyNa5qDZCytjxw==,type:str]
 sops:
 age:
 - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -55,7 +56,7 @@ sops:
 RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
 UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-05-02T17:10:22Z"
- mac: ENC[AES256_GCM,data:f4KQ26/zvg2nLLeW5qVeI8uH2GmPpJUKohNu68nEiIjP5AT53zjBaGoLOTGl9+oVRomSOGZtLGkJGaExB6tLMon5HN6xkQbugqvq08UkZ7FnR1Sa8/OtTr/+eexPNzF8VSdZE2TZCboUSQODV8+0Cy5T918g5kedxnT62SyY4As=,iv:P4TnpJvHwnZPl7kRNjv9d1WLZP9J0sg6R3KbdDMJqyc=,tag:ylYOcg6825jT29lWUaFRYA==,type:str]
+ lastmodified: "2026-05-22T19:19:21Z"
+ mac: ENC[AES256_GCM,data:hOtmWizEaIcybM14UEDsXw4GNQZob5SoFn49bWeccxA3dkGlYl67kVkDJGg0cQIO1qr/vGcZ8h/OmnOxU3geP0DaflG0h1/40lDQ3+E6BTb6HP2JmhgEmlRBRBdv87cRDHnDytBzcWARTvff3SsP2J2pLpLBTDiihlaZaiQYtgU=,iv:TvFpvcTydXO3fbh5x9ZXIOtMChlE7WXl2Xx2a9ujh00=,tag:XHvsZh6r9fzbbYFWWQyI5g==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1
diff --git a/hosts/sid/services/netdata.nix b/hosts/sid/services/netdata.nix
index 046f2eb..fbfa89d 100644
--- a/hosts/sid/services/netdata.nix
+++ b/hosts/sid/services/netdata.nix
@@ -55,21 +55,36 @@ in
 NETDATA_USER_CONFIG_DIR = "/etc/netdata/conf.d";
 };
- # TODO: move into Tailnet
- # services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
- # enableACME = true;
- # forceSSL = true;
- #
- # locations."/" = {
- # root = netdata-dashboard;
- # tryFiles = "$uri $uri/ /index.html";
- # };
- #
- # locations."~ ^/(api|v[0-9]+|netdata.conf|registry|stream|version.txt)(/|$)" = {
- # proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
- # recommendedProxySettings = true;
- # };
- # };
+ services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
+ useACMEHost = constants.services.netdata.fqdn;
+ forceSSL = true;
+ listen = [
+ {
+ addr = "${constants.hosts.sid.ip}:443";
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ root = netdata-dashboard;
+ tryFiles = "$uri $uri/ /index.html";
+ };
+
+ locations."~ ^/(api|v[0-9]+|netdata.conf|registry|stream|version.txt)(/|$)" = {
+ proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
+ recommendedProxySettings = true;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs."${constants.services.netdata.fqdn}" = {
+ domain = constants.services.netdata.fqdn;
+ dnsProvider = "hetzner";
+ credentialFiles.HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+ group = "nginx";
+ };
+ };
 services.journald.storage = "persistent";
@@ -83,6 +98,12 @@ in
 restartUnits = [ "netdata.service" ];
 in {
+ secrets.hetzner-api-key = {
+ inherit mode;
+ owner = "acme";
+ group = "acme";
+ };
+
 secrets."netdata/stream/rx4/uuid" = {
 inherit owner
From 68412567057655cd017c927c812c358965f3c468 Mon Sep 17 00:00:00 2001
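Review bot: Whether the `listen` entry `addr = "${constants.hosts.sid.ip}:443"` actually confines the dashboard to the tailnet depends on `constants.hosts.sid.ip` being the host's Tailscale address, which is defined outside this hunk; if that constant is the public interface address, the vhost stays reachable from the internet despite the commit message. A comment next to `listen = [` such as `# bind only to the tailnet address, never the public interface` would make the intent checkable by the next reader. Separately, if I read the NixOS nginx module right, `forceSSL = true` emits an HTTP-to-HTTPS redirect server whose listeners are taken from the non-ssl entries of `listen`, and this list has only an ssl entry; worth confirming in the rendered nginx.conf that the redirect server block does not end up without a `listen` directive, since nginx then binds `*:80` on every interface. The enclosing module attribute set begins outside the hunk.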
From: sid
Date: Fri, 22 May 2026 21:27:58 +0200
Subject: [PATCH 3/3] netdata: override acme host defaults
---
 hosts/sid/services/netdata.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/sid/services/netdata.nix b/hosts/sid/services/netdata.nix
index fbfa89d..5b02855 100644
--- a/hosts/sid/services/netdata.nix
+++ b/hosts/sid/services/netdata.nix
@@ -80,6 +80,7 @@ in
 acceptTerms = true;
 certs."${constants.services.netdata.fqdn}" = {
 domain = constants.services.netdata.fqdn;
+ webroot = lib.mkForce null;
 dnsProvider = "hetzner";
 credentialFiles.HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
 group = "nginx";
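Review bot: `webroot = lib.mkForce null;` is unexplained in the hunk; the `mkForce` only makes sense if a host-wide ACME default sets `webroot` elsewhere and would otherwise be merged into this cert and conflict with `dnsProvider = "hetzner"`, which is what the subject line hints at but the code does not say. A one-line comment would spare the next reader that reconstruction, e.g. `# DNS-01 via Hetzner: force off the host-wide webroot default, which conflicts with dnsProvider`. This also presumes `lib` is bound in the module's argument list, which lies outside the hunk.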