From 2b4817b75ab3a7d3ca228bfbc73882fa482f43de Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 27 May 2026 23:33:45 +0900
Subject: [PATCH] ildkule/scrutiny: init
---
 hosts/ildkule/services/monitoring/default.nix | 1 +
 .../ildkule/services/monitoring/scrutiny.nix | 40 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 hosts/ildkule/services/monitoring/scrutiny.nix
diff --git a/hosts/ildkule/services/monitoring/default.nix b/hosts/ildkule/services/monitoring/default.nix
index e68ef7a..56b44fe 100644
--- a/hosts/ildkule/services/monitoring/default.nix
+++ b/hosts/ildkule/services/monitoring/default.nix
@@ -5,6 +5,7 @@
 ./grafana.nix
 ./loki.nix
 ./prometheus
+ ./scrutiny.nix
 ./uptime-kuma.nix
 ];
 }
diff --git a/hosts/ildkule/services/monitoring/scrutiny.nix b/hosts/ildkule/services/monitoring/scrutiny.nix
new file mode 100644
index 0000000..8ba800b
--- /dev/null
+++ b/hosts/ildkule/services/monitoring/scrutiny.nix
@@ -0,0 +1,40 @@
+{ config, values, ... }:
+let
+ cfg = config.services.scrutiny;
+in
+{
+ services.scrutiny = {
+ enable = true;
+ settings = {
+ web.listen = {
+ host = "127.0.0.1";
+ port = 18293;
+ basepath = "";
+ };
+
+ # notify.urls = [
+ # "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
+ # ];
+ };
+ };
+
+ services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
+ kTLS = true;
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
+ };
+
+ # TODO: allow website access to the outside world, but restrict input api
+ extraConfig = ''
+ allow ${values.hosts.ildkule.ipv4}/32;
+ allow ${values.hosts.ildkule.ipv6}/128;
+ allow 127.0.0.1/32;
+ allow ::1/128;
+ allow ${values.ipv4-space};
+ allow ${values.ipv6-space};
+ deny all;
+ '';
+ };
+}
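Review bot: The `allow`/`deny all` list in `extraConfig` of scrutiny.nix is the only access control this file puts in front of Scrutiny, and the TODO above it plans to open the site while restricting the input API, so the restriction should be written to fail closed when that happens. As far as I know Scrutiny has no authentication of its own, and both the web UI and the collectors make state-changing API calls, so filtering by request method is safer than filtering by path: keep the address list inside `limit_except GET { ... deny all; }` in `locations."/".extraConfig`. The two `values.*-space` entries are the only ones without an explicit prefix length in this hunk; nginx treats a bare address as a single host, so it is worth confirming those values carry a CIDR suffix. If the commented `notify.urls` entry is enabled later, the `username:password` in it would presumably be rendered through `settings` into the world-readable Nix store, so it should come from a secret file instead.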