Apply security hardening for grafana

Signed-off-by: Joonas Rautiola <joonas.rautiola@unikie.com>
tiiuae · Jul 29, 2024 · 4afac10 · 4afac10
1 parent 4fb413d
commit 4afac10
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/hosts/ghaf-log/configuration.nix b/hosts/ghaf-log/configuration.nix
@@ -73,13 +73,23 @@
       server = {
         http_port = 3000;
         http_addr = "127.0.0.1";
+        domain = "ghaflogs.vedenemo.dev";
+        enforce_domain = true;
       };
 
       # disable telemetry
       analytics = {
         reporting_enabled = false;
         feedback_links_enabled = false;
       };
+
+      # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-security-hardening
+      security = {
+        cookie_secure = true;
+        cookie_samesite = "strict";
+        login_cookie_name = "__Host-grafana_session";
+        strict_transport_security = true;
+      };
     };
 
     provision.datasources.settings.datasources = [
@@ -99,7 +109,7 @@
 
   services.nginx = {
     virtualHosts = {
-      "ghaflogs.vedenemo.dev" = {
+      "${config.services.grafana.settings.server.domain}" = {
         enableACME = true;
         forceSSL = true;
         default = true;
@@ -108,7 +118,8 @@
           proxyWebsockets = true;
         };
       };
-      "loki.ghaflogs.vedenemo.dev" = {
+
+      "loki.${config.services.grafana.settings.server.domain}" = {
         enableACME = true;
         forceSSL = true;
         basicAuthFile = config.sops.secrets.loki_basic_auth.path;