From 555264ed822b8797b7a8e0757ed1cad258a25658 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Thu, 13 Jan 2022 19:53:52 +0000
Subject: [PATCH] Only allow monitoring machines to access the monitoring
 machine's monitoring endpoint

Fixes privatestorageops#408
---
 nixos/modules/monitoring/server/grafana.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index d7efd4c7..1306c37f 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -183,6 +183,17 @@ in {
           proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
           proxyWebsockets = true;
         };
+        locations."/metrics" = {
+          # Only allow our monitoringvpn subnet
+          # And localhost since we're the monitoring server currently
+          extraConfig = ''
+            allow 172.23.23.0/24;
+            allow 127.0.0.1;
+            allow ::1;
+            deny all;
+          '';
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+        };
       };
     };
 
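Review bot: The allow-list on the new `/metrics` location hard-codes `172.23.23.0/24` on L24 while the comment on L21 describes it as "our monitoringvpn subnet"; if that subnet is already declared as an option or binding in this module, interpolate it here (`allow ${<monitoringvpn subnet binding>};`) so the two values cannot drift apart, and otherwise name it once in a `let` near the top of the file. `locations."/metrics"` is an nginx prefix match, so the allow/deny rules also govern `/metrics/…` and `/metrics<anything>`; if only Grafana's exact `/metrics` path is meant, `locations."= /metrics"` pins it while the `/` location above keeps serving the rest. The `allow 127.0.0.1;` / `allow ::1;` lines are justified by the L22 comment "since we're the monitoring server currently" — worth a short comment naming what should change when the monitoring server and the scraper are no longer the same host, so the loopback exception is revisited rather than inherited. The enclosing `virtualHosts` block starts before the hunk, so the server-level settings (listen addresses, TLS) that decide which client addresses reach these rules are not visible here.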
-- 
GitLab