diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 5cec1c4a9dc07f297abab049790dbf970388c91b..da3eed73e59349b4faaf64ebb32c067e952917ae 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -189,7 +189,7 @@ in {
 extraGroups = [ "keys" ];
 };
 
- # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
+ # Open 80 and 443 for nginx
 networking.firewall.allowedTCPPorts = [
 80
 443
diff --git a/nixos/modules/spending.nix b/nixos/modules/spending.nix
index 238fbe8f939c4ddb0c78b9a34e106dbea8e39921..325dd147012b7844a8cb0b4b7071c4cd2cd88f28 100644
--- a/nixos/modules/spending.nix
+++ b/nixos/modules/spending.nix
@@ -127,6 +127,16 @@ in
 # Want a regex instead? try locations."~ /v\d+/"
 proxyPass = "http://unix:${cfg.unixSocket}";
 };
+ locations."/metrics" = {
+ proxyPass = "http://unix:${cfg.unixSocket}";
+ # Only allow our monitoringvpn subnet
+ extraConfig = ''
+ allow 172.23.23.0/24;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ '';
+ };
 locations."/" = {
 # Return a 404 error for any paths not specified above.
 extraConfig = ''
@@ -135,5 +145,11 @@ in
 };
 };
 };
+
+ # Open 80 and 443 for nginx
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
 };
 }
diff --git a/nixos/pkgs/zkap-spending-service/repo.json b/nixos/pkgs/zkap-spending-service/repo.json
index 39aeb8404c890e4781ee77f2a93d85d68acee5c3..69f7a30053de661f2c7829384e9496e49077cfd9 100644
--- a/nixos/pkgs/zkap-spending-service/repo.json
+++ b/nixos/pkgs/zkap-spending-service/repo.json
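Review bot: The `/metrics` allow-list hard-codes `172.23.23.0/24` in the module's `extraConfig`, so the monitoring network cannot be changed per deployment without editing the module, and every host on that subnet (plus localhost) may scrape; a list-of-strings module option for the allowed networks, rendered into the `allow` lines, would keep the policy in the deployment's configuration. nginx's `allow`/`deny` act on the connection's source address, so the rule only holds if that subnet is not reachable or spoofable from outside the VPN and no `set_real_ip_from`/`real_ip_header` directive elsewhere in the vhost rewrites the client address — the rest of the vhost is outside the hunk, so confirm. It is also worth a comment that the restriction lives only in nginx: the backend on `${cfg.unixSocket}` serves `/metrics` to any local client able to connect to the socket, e.g. `# Access control is enforced by nginx only; the socket itself is unrestricted.`.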
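Review bot: Port 443 is opened in the second spending.nix hunk, but nothing in this diff shows the spending vhost terminating TLS, and the accompanying test only exercises `http://localhost` and `http://spending`; if the vhost has no `forceSSL`/`enableACME` (or equivalent) outside the hunk, 443 is an open port with no listener, and if it does, plain HTTP on 80 still serves `/v1/` and `/metrics` unless redirected. Either drop 443 from the list or make the comment say which vhost setting serves it, e.g. `# Open 80 (ACME/redirect) and 443 (TLS vhost) for nginx`. The enclosing module attrset closes on the hunk's last line.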
@@ -1,9 +1,9 @@
 {
 "owner": "privatestorage",
 "repo": "zkap-spending-service",
- "rev": "e0d63b79213d16f2de6629167ea8f1236ba22e14",
+ "rev": "cbf7509f429ffd6e6cf37a73e4ff84a9c5ce1141",
 "branch": "main",
 "domain": "whetstone.privatestorage.io",
- "outputHash": "30abb0g9xxn4lp493kj5wmz8kj5q2iqvw40m8llqvb3zamx60gd8cy451ii7z15qbrbx9xmjdfw0k4gviij46fkx1s8nbich5c8qx57",
+ "outputHash": "04g7pcykc2525cg3z7wg5834s7vqn82xaqjvf52l6dnxv3mb9xr93kk505dvxcwhgfbqpim5i479s9kqd8gi7q3lq5wn5fq7rf7lkrj",
 "outputHashAlgo": "sha512"
 }
diff --git a/nixos/tests/spending.nix b/nixos/tests/spending.nix
index c970157b9375e0d99e2be8d4f782992163a6c948..8500471a58ff3f447e03ec1bf9005ff626169113 100644
--- a/nixos/tests/spending.nix
+++ b/nixos/tests/spending.nix
@@ -11,10 +11,14 @@
 services.private-storage-spending.enable = true;
 services.private-storage-spending.domain = "localhost";
 };
+ external = { ... }: {
+ # A node that has no particular configuration, for testing access rules
+ # for external hosts.
+ };
 };
 testScript = { nodes }:
 let
 revision = nodes.spending.config.passthru.ourpkgs.zkap-spending-service.meta.rev;
- curl = "${pkgs.curl}/bin/curl -sSf";
+ curl = "${pkgs.curl}/bin/curl -sSf --max-time 5";
 in ''
 import json
@@ -25,8 +29,17 @@
 with subtest("Ensure we can ping the spending service"):
 output = spending.succeed("${curl} http://localhost/v1/_ping")
 assert json.loads(output)["status"] == "ok", "Could not ping spending service."
+ with subtest("Ensure external hosts can ping the spending service"):
+ output = external.succeed("${curl} http://spending/v1/_ping")
+ assert json.loads(output)["status"] == "ok", "Could not ping spending service."
 with subtest("Ensure that the spending service version matches the expected version"):
 output = spending.succeed("${curl} http://localhost/v1/_version")
 assert json.loads(output)["revision"] == "${revision}", "Spending service revision does not match."
+ with subtest("Ensure that the spending service generates metrics"):
+ # TODO: We should pass "-H 'accept: application/openmetrics-text'" here.
+ # See https://github.com/prometheus/prometheus/issues/8932
+ output = spending.succeed("${curl} http://localhost/metrics | ${pkgs.prometheus}/bin/promtool check metrics")
+ with subtest("Ensure that the metrics are not accesible from other machines"):
+ output = external.fail("${curl} http://spending/metrics")
 '';
 }
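Review bot: The negative check `external.fail("${curl} http://spending/metrics")` passes on any non-zero curl exit — the 5-second timeout from `--max-time 5`, a name-resolution failure or a refused connection as much as the intended 403 — so a broken route would still be reported as "not accessible". Asserting the status code pins the access rule: `code = external.succeed("${pkgs.curl}/bin/curl -s -o /dev/null -w '%{http_code}' --max-time 5 http://spending/metrics")` followed by `assert code.strip() == "403", "metrics should be denied to external hosts"`. In the metrics subtest the pipeline `curl ... | promtool check metrics` reports promtool's exit status, so a failing curl is masked unless the command runs with `set -o pipefail` or curl's output is checked separately. The unused `output =` assignments in both new subtests can be dropped, and the last subtest name has a typo (`accesible`).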