infrastructure/roles/grafana/templates/nginx.d.conf.j2

upstream grafana {
    server localhost:3000;
}

map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

server {
    listen       80;
    listen       [::]:80;
    server_name  {{ grafana_domain }};

    access_log   /var/log/nginx/{{ grafana_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ grafana_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ grafana_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  {{ grafana_domain }};

    access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
    access_log   /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
    error_log    /var/log/nginx/{{ grafana_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ grafana_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ grafana_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ grafana_domain }}/chain.pem;

    root {{ grafana_domain }};

{% set proxy -%}
        proxy_pass http://grafana;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For      $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
{%- endset %}

    location / {
        {{ proxy }}
    }

    location = /metrics {
        if ($http_authorization != "Bearer {{ vault_grafana_metrics_token }}") {
            return 403;
        }
        {{ proxy }}
    }
}