Drift/pvv-nixos-config
17
6
Fork 1
Code Issues Pull Requests 6 Actions Wiki Activity

loki: use https, limit endpoint exposure #144

Merged
oysteikt merged 3 commits from loki/disable-public-pprof into main 2026-06-21 18:23:35 +02:00
Conversation 11 Commits 3 Files Changed 2
+28 -6
adriangl commented 2026-06-12 13:33:57 +02:00
Owner
Copy Link
Copy Source
No description provided.
adriangl marked the pull request as work in progress 2026-06-12 13:34:44 +02:00
adriangl commented 2026-06-12 13:35:37 +02:00
Author
Owner
Copy Link
Copy Source

Hvorfor dro den inn radical committen.
ikke tid atm til å fikse.

Hvorfor dro den inn radical committen. ikke tid atm til å fikse.
felixalb reviewed 2026-06-12 14:43:15 +02:00
hosts/ildkule/services/monitoring/loki.nix Outdated
@@ -3,14 +3,15 @@
let
cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
internalPort = 83100;
felixalb commented 2026-06-12 14:43:15 +02:00
Owner
Copy Link
Copy Source

Tror ikke du kan bruke portnummer over 65535

Tror ikke du kan bruke portnummer over 65535
oysteikt marked this conversation as resolved
oysteikt reviewed 2026-06-12 14:45:28 +02:00
hosts/bekkalokk/services/radicle.nix Outdated
@@ -0,0 +3,4 @@
domain = "dav.pvv.ntnu.no";
radicalePort = 5232;
in {
services.radicale = {
oysteikt commented 2026-06-12 14:45:28 +02:00
Owner
Copy Link
Copy Source

Hvordan havna radicale i pr-en?

Hvordan havna radicale i pr-en?
oysteikt marked this conversation as resolved
felixalb commented 2026-06-12 14:46:43 +02:00
Owner
Copy Link
Copy Source

Hvorfor dro den inn radical committen.
ikke tid atm til å fikse.

Den på main er 5f14c15679, den på branchen din er b592f0100a, de har forskjellig commitmelding og hash

> Hvorfor dro den inn radical committen. > ikke tid atm til å fikse. Den på main er https://git.pvv.ntnu.no/Drift/pvv-nixos-config/commit/5f14c15679647f9b5cf103573e5c7142602b1c0e, den på branchen din er https://git.pvv.ntnu.no/Drift/pvv-nixos-config/commit/b592f0100a73ae6113482074a9a77d8b55775ee9, de har forskjellig commitmelding og hash
oysteikt force-pushed loki/disable-public-pprof from 05589e7520 to 2805c5e78d 2026-06-12 16:32:51 +02:00 Compare
oysteikt commented 2026-06-12 16:33:28 +02:00
Owner
Copy Link
Copy Source

Tok meg friheten til å bare fikse litt, siden det er SOC issue

Tok meg friheten til å bare fikse litt, siden det er SOC issue
felixalb commented 2026-06-12 16:33:50 +02:00
Owner
Copy Link
Copy Source

identitetstyveri

identitetstyveri
felixalb commented 2026-06-12 16:48:02 +02:00
Owner
Copy Link
Copy Source

ja hehe :3

ja hehe :3
:huh: 1
oysteikt commented 2026-06-12 16:54:12 +02:00
Owner
Copy Link
Copy Source

Where did you find the suggestion to only expose this endpoint btw? Are we sure that we don't need any other endpoints like GET /ready?

https://grafana.com/docs/loki/latest/reference/loki-http-api/

Where did you find the suggestion to only expose this endpoint btw? Are we sure that we don't need any other endpoints like `GET /ready`? https://grafana.com/docs/loki/latest/reference/loki-http-api/
oysteikt commented 2026-06-12 16:55:03 +02:00
Owner
Copy Link
Copy Source

I suppose we could also firewall the nginx to only accept data from the pvv subnet in any case

I suppose we could also firewall the nginx to only accept data from the pvv subnet in any case
oysteikt commented 2026-06-12 19:43:32 +02:00
Owner
Copy Link
Copy Source

Need to change the host in the fluentbit log exporter to match the virtualhost.

I suppose we also don't have any loki exporters on the non-nixos machines, so no salt changes needed.

Need to change the host in the fluentbit log exporter to match the virtualhost. I suppose we also don't have any loki exporters on the non-nixos machines, so no salt changes needed.
oysteikt commented 2026-06-12 20:07:17 +02:00
Owner
Copy Link
Copy Source

also DNS for the virtual host...

also DNS for the virtual host...
oysteikt force-pushed loki/disable-public-pprof from 2805c5e78d to 34570c554b 2026-06-12 20:23:50 +02:00 Compare
oysteikt changed title from WIP: Loki/disable public pprof to loki: use https, limit endpoint exposure 2026-06-12 20:31:33 +02:00
oysteikt commented 2026-06-21 18:22:47 +02:00
Owner
Copy Link
Copy Source

Merging this so we can answer SOC, please fixup any wrongdoing in a later commit if there is any.

Merging this so we can answer SOC, please fixup any wrongdoing in a later commit if there is any.
oysteikt added 3 commits 2026-06-21 18:23:25 +02:00
ildkule/loki: firewall all endpoints except push API 6e37635aac 
Co-authored-by: Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
{ildkule/loki,base/fluentbit}: send data over https a1f02fc39d
ildkule/loki: restrict incoming connections to pvv + ntnu
Build topology graph / evals (push) Successful in 2m21s
Details
Eval nix flake / evals (pull_request) Successful in 7m17s
Details
Eval nix flake / evals (push) Successful in 8m58s
Details
3fee83ec05
oysteikt force-pushed loki/disable-public-pprof from 34570c554b to 3fee83ec05 2026-06-21 18:23:25 +02:00 Compare
oysteikt merged commit 3fee83ec05 into main 2026-06-21 18:23:35 +02:00
oysteikt deleted branch loki/disable-public-pprof 2026-06-21 18:23:36 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
felixalb
oysteikt
Labels
Clear labels
art
The issue needs someone to be creative
 backup
big
No, not bug, **big** - this is gonna take a while
 blocked
This issue/PR depends on one or more other issues/PRs
 bug
Something is not working, and it's not the shield hero
 comprehensive first issue
Do this as your first issue, and learn a lot of things
 crash report
Report an oopsie
 disputed
kranglefanter
 documentation
Documentation changes required
 duplicate
This issue or pull request already exists
 enhancement
New feature
 good first issue
Get your hands dirty with a new project here
 logging
networking
TTM4100
 nixos
Requires changes to our nixos setup
 question
More information is needed
 salt
Requires changes to our salt setup
 security
Skommel
 servers n' hardware
Regards hardware, servers or VMs
 simple first issue
Done in nix no time
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
adriangl (Adrian Gunnar Lauterer) albertba (Albert Bayazidi) alfhj (Alf Helge Jakobsen) amalieem (Amalie Erdal Mansaker) bjornoka (Bjornar Orjansen Kaarevik) chrisfjo (Christian Fredrik Johnsen) chrivi (Christoffer Viken) danio (Daniel Lovbrotte Olsen) davidk (David Kaasen) dungby (Dung-Bai Yen) eirikwit (Eirik Witterso) felixalb (Felix Albrigtsen) frero (Fredrik Robertsen) jonmro (Jon Martinus Rodtang) jovre (Jo Vassbotn Remvik) karolds (Karoline Dyve Samuelsen) knuta (Knut Auvor Grythe) krisleri (Kristoffer Longva Eriksen) larshhan (Lars Halvor Hansen) olived (Oliver Didriksen-Kolstad) oysteikt (Oystein Kristoffer Tveit) pederbs (Peder Bergebakken Sundt) root (rot) torsteno (Torstein Nordgård-Hansen) vegardbm (Vegard Bieker Matthey) yorinad (Yorin Anne De Jong)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Drift/pvv-nixos-config#144
Delete Branch "loki/disable-public-pprof"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?