# Netdata Module
# Provides: Real-time system monitoring dashboard
#
# Usage:
#   myModules.netdata = {
#     enable = true;
#     domain = "netdata.example.com";
#   };
#
# Access is restricted to Tailscale network only via nginx internalOnly.

{
  config,
  lib,
  ...
}:

let
  cfg = config.myModules.netdata;
in
{
  options.myModules.netdata = {
    enable = lib.mkEnableOption "Netdata real-time monitoring";

    domain = lib.mkOption {
      type = lib.types.str;
      example = "netdata.example.com";
      description = "Public domain name for Netdata dashboard";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 19999;
      description = "Internal port for Netdata to listen on";
    };
  };

  config = lib.mkIf cfg.enable {
    services.netdata = {
      enable = true;
      config = {
        global = {
          "bind to" = "0.0.0.0:${toString cfg.port}";
        };
      };
    };

    # Nginx reverse proxy - restricted to Tailscale network
    myModules.nginx.domains.${cfg.domain} = {
      port = cfg.port;
      internalOnly = true;
      contentSecurityPolicy = null;
    };
  };
}