From da7a45c1c043d5c4ff4c454c4635f314e0566821 Mon Sep 17 00:00:00 2001
From: ashisgreat22 <dev@ashisgreat.xyz>
Date: Sat, 21 Mar 2026 16:15:44 +0000
Subject: [PATCH] feat(modules): add Netdata monitoring module

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 modules/netdata.nix | 55 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 modules/netdata.nix

diff --git a/modules/netdata.nix b/modules/netdata.nix
new file mode 100644
index 0000000..9084527
--- /dev/null
+++ b/modules/netdata.nix
@@ -0,0 +1,55 @@
+# Netdata Module
+# Provides: Real-time system monitoring dashboard
+#
+# Usage:
+#   myModules.netdata = {
+#     enable = true;
+#     domain = "netdata.example.com";
+#   };
+#
+# Access is restricted to Tailscale network only via nginx internalOnly.
+
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.myModules.netdata;
+in
+{
+  options.myModules.netdata = {
+    enable = lib.mkEnableOption "Netdata real-time monitoring";
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      example = "netdata.example.com";
+      description = "Public domain name for Netdata dashboard";
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 19999;
+      description = "Internal port for Netdata to listen on";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.netdata = {
+      enable = true;
+      config = {
+        global = {
+          "bind to" = "0.0.0.0:${toString cfg.port}";
+        };
+      };
+    };
+
+    # Nginx reverse proxy - restricted to Tailscale network
+    myModules.nginx.domains.${cfg.domain} = {
+      port = cfg.port;
+      internalOnly = true;
+      contentSecurityPolicy = null;
+    };
+  };
+}
\ No newline at end of file