Only allow monitoring machines to access the monitoring machine's monitoring endpoint

Fixes privatestorageops#408

Only allow monitoring machines to access the monitoring machine's monitoring endpoint
555264ed · Florian Sesser · 64bee7ab · 555264ed
Commit 555264ed authored 3 years ago by Florian Sesser
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -183,6 +183,17 @@ in {
          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
          proxyWebsockets = true;
        };
+        locations."/metrics" = {
+          # Only allow our monitoringvpn subnet
+          # And localhost since we're the monitoring server currently
+          extraConfig = ''
+            allow 172.23.23.0/24;
+            allow 127.0.0.1;
+            allow ::1;
+            deny all;
+          '';
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+        };
      };
    };