ildkule/loki: restrict incoming connections to pvv + ntnu

{ildkule/loki,base/fluentbit}: send data over https
ildkule/loki: firewall all endpoints except push API
2026-06-13 03:23:12 +09:00 · 2026-06-13 03:22:18 +09:00 · 2026-06-13 03:11:13 +09:00
9 changed files with 38 additions and 39 deletions
@@ -95,10 +95,6 @@
    AllowHibernation = lib.mkDefault false;
  };

-  systemd.slices."system-monitoring" = {
-    description = "Monitoring related services";
-  };
-
  # users.mutableUsers = lib.mkDefault false;

  users.groups."drift".name = "drift";
@@ -62,8 +62,10 @@ in
          name = "loki";
          match = "*";

-          host = "ildkule.pvv.ntnu.no";
-          port = 3100;
+          host = "loki.pvv.ntnu.no";
+          port = 443;
+          tls = "on";
+          "tls.verify" = "on";
          uri = "/loki/api/v1/push";
          compress = "gzip";

@@ -88,7 +90,6 @@ in

  systemd.services.fluent-bit = lib.mkIf cfg.enable {
    serviceConfig = {
-      Slice = "system-monitoring.slice";
      StateDirectory = "fluent-bit";

      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
@@ -14,7 +14,6 @@ in
  };

  systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
-    Slice = "system-monitoring.slice";
    IPAddressDeny = "any";
    IPAddressAllow = [
      values.hosts.ildkule.ipv4
@@ -10,7 +10,7 @@ in
    enabledCollectors = [ "systemd" ];
  };

-  services.nginx = lib.mkIf cfg.enable {
+  services.nginx = {
    enable = lib.mkDefault true;

    virtualHosts.${config.networking.fqdn} = lib.mkIf config.services.nginx.enable {
@@ -31,8 +31,4 @@ in
      };
    };
  };
-
-  systemd.services = lib.mkIf cfg.enable {
-    "prometheus-node-exporter".serviceConfig.Slice = "system-monitoring.slice";
-  };
 }
@@ -13,7 +13,7 @@ in
    ];
  };

-  services.nginx = lib.mkIf cfg.enable {
+  services.nginx = {
    enable = lib.mkDefault true;

    virtualHosts.${config.networking.fqdn} = lib.mkIf config.services.nginx.enable {
@@ -34,8 +34,4 @@ in
      };
    };
  };
-
-  systemd.services = lib.mkIf cfg.enable {
-    "prometheus-systemd-exporter".serviceConfig.Slice = "system-monitoring.slice";
-  };
 }
@@ -1,20 +1,13 @@
-{ config, lib, ... }:
-let
-  cfg = config.services.rsyslogd;
-in
+{ ... }:
 {
  services.rsyslogd = {
-    enable = lib.mkDefault true;
+    enable = true;
    defaultConfig = ''
      *.* @loghost.pvv.ntnu.no
    '';
  };

-  services.journald.extraConfig = lib.mkIf cfg.enable ''
+  services.journald.extraConfig = ''
    ForwardToSyslog=yes
  '';
-
-  systemd.services = lib.mkIf cfg.enable {
-    "syslog".serviceConfig.Slice = "system-monitoring.slice";
-  };
 }
@@ -23,7 +23,7 @@ in
      };
    };

-    systemd.services.uptimed = lib.mkIf cfg.enable {
+    systemd.services.uptimed = lib.mkIf (cfg.enable) {
      serviceConfig = let
        uptimed = pkgs.uptimed.overrideAttrs (prev: {
          postPatch = ''
@@ -35,8 +35,6 @@ in
        });

      in {
-        Slice = "system-monitoring.slice";
-
        Type = "notify";

        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
@@ -379,11 +379,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1781362709,
-        "narHash": "sha256-zTzLvvtRdOKKcQMWydoZuduj9fwwkYRfB1RBzKegwHM=",
+        "lastModified": 1779903528,
+        "narHash": "sha256-4rajaHeBeQ4PjbNSpslE9G3A5mZM1J/64ls+VoufWZo=",
        "ref": "main",
-        "rev": "5fb08a462263e5a8d742ecd93e559e534d5c3af2",
-        "revCount": 586,
+        "rev": "bba7413a1c611d4918fbef4d3aa55e465ca3f3fb",
+        "revCount": 585,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:

 let
  cfg = config.services.loki;
@@ -9,8 +9,8 @@ in {
    configuration = {
      auth_enabled = false;
      server = {
-        http_listen_port = 3100;
-        http_listen_address = "0.0.0.0";
+        http_listen_port = 31832;
+        http_listen_address = "127.0.0.1";
        grpc_listen_port = 9096;
      };

@@ -81,5 +81,25 @@ in {
    };
  };

-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
+  services.nginx.virtualHosts."loki.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    kTLS = true;
+
+    locations = {
+      "/".return = "403";
+      "/loki/api/v1/push" = {
+        proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
+        extraConfig = ''
+          allow 127.0.0.1;
+          allow ::1;
+          allow ${values.ipv4-space};
+          allow ${values.ipv6-space};
+          allow ${values.ntnu.ipv4-space};
+          allow ${values.ntnu.ipv6-space};
+          deny all;
+        '';
+      };
+    };
+  };
 }
Author	SHA1	Message	Date
oysteikt	34570c554b	ildkule/loki: restrict incoming connections to pvv + ntnu Eval nix flake / evals (push) Successful in 7m0s Details Eval nix flake / evals (pull_request) Successful in 9m4s Details	2026-06-13 03:23:12 +09:00
oysteikt	cd54eabe47	{ildkule/loki,base/fluentbit}: send data over https	2026-06-13 03:22:18 +09:00
adriangl	d8d2ed1a8f	ildkule/loki: firewall all endpoints except push API Co-authored-by: Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2026-06-13 03:11:13 +09:00