ildkule/loki: restrict incoming connections to pvv + ntnu

{ildkule/loki,base/fluentbit}: send data over https
ildkule/loki: firewall all endpoints except push API
2026-06-13 03:23:12 +09:00 · 2026-06-13 03:22:18 +09:00 · 2026-06-13 03:11:13 +09:00
2 changed files with 28 additions and 6 deletions
@@ -62,8 +62,10 @@ in
          name = "loki";
          match = "*";
-          host = "ildkule.pvv.ntnu.no";
+          host = "loki.pvv.ntnu.no";
-          port = 3100;
+          port = 443;
          tls = "on";
          "tls.verify" = "on";
          uri = "/loki/api/v1/push";
          compress = "gzip";
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 let
  cfg = config.services.loki;
@@ -9,8 +9,8 @@ in {
    configuration = {
      auth_enabled = false;
      server = {
-        http_listen_port = 3100;
+        http_listen_port = 31832;
-        http_listen_address = "0.0.0.0";
+        http_listen_address = "127.0.0.1";
        grpc_listen_port = 9096;
      };
@@ -81,5 +81,25 @@ in {
    };
  };
-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
+  services.nginx.virtualHosts."loki.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    kTLS = true;
    locations = {
      "/".return = "403";
      "/loki/api/v1/push" = {
        proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
        extraConfig = ''
          allow 127.0.0.1;
          allow ::1;
          allow ${values.ipv4-space};
          allow ${values.ipv6-space};
          allow ${values.ntnu.ipv4-space};
          allow ${values.ntnu.ipv6-space};
          deny all;
        '';
      };
    };
  };
 }
Author	SHA1	Message	Date
oysteikt	34570c554b	ildkule/loki: restrict incoming connections to pvv + ntnu Eval nix flake / evals (push) Successful in 7m0s Details Eval nix flake / evals (pull_request) Successful in 9m4s Details	2026-06-13 03:23:12 +09:00
oysteikt	cd54eabe47	{ildkule/loki,base/fluentbit}: send data over https	2026-06-13 03:22:18 +09:00
adriangl	d8d2ed1a8f	ildkule/loki: firewall all endpoints except push API Co-authored-by: Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2026-06-13 03:11:13 +09:00