Add firewalling to metric exporters

2023-01-17 10:30:20 +01:00 · 2023-01-17 10:30:20 +01:00 · 96b6dee404
parent e4cb215d39
commit 96b6dee404
2 changed files with 15 additions and 2 deletions
--- a/hosts/jokum/services/matrix/synapse.nix
+++ b/hosts/jokum/services/matrix/synapse.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:

 let
  cfg = config.services.matrix-synapse-next;
@ -190,6 +190,10 @@ in {
  ({
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
+      extraConfig = ''
+        allow ${values.ildkule.ipv4};
+        deny all;
+      '';
    };

    locations."/metrics/" = let
@ -209,6 +213,10 @@ in {
          { targets = endpoints;
            labels = { };
          }]) + "/";
+      extraConfig = ''
+        allow ${values.ildkule.ipv4};
+        deny all;
+      '';
    };
  })];
 }
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:

 {
  services.prometheus.exporters.node = {
@ -7,6 +7,11 @@
    enabledCollectors = [ "systemd" ];
  };

+  systemd.services.prometheus-node-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = values.ildkule.ipv4;
+  };
+
  services.promtail = {
    enable = true;
    configuration = {