From c0d222072e0a5ecc09f87ca29ba640352dfce66c Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Thu, 5 Aug 2021 12:49:16 +0000
Subject: [PATCH] PaymentServer: Allow only IPs from monitoringvpn to access
 /metrics

NGINX does longest-prefix-match for selecting locations.
---
 morph/lib/customize-issuer.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 896580d3..2cbc52f6 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -112,6 +112,14 @@
       locations."/" = {
         proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
       };
+      locations."/metrics" = {
+        # Only allow our monitoringvpn subnet
+        extraConfig = ''
+          allow 172.23.23.0/24;
+          deny all;
+        '';
+        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
+      };
     };
   };
 
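Review bot: The `allow 172.23.23.0/24; deny all;` in the new `/metrics` location is evaluated against the peer address NGINX itself sees, so if a TLS terminator, load balancer or other reverse proxy sits in front of this host the check compares that hop's address rather than the monitoring client's and would either block everything or, if the hop is inside the allowed range, block nothing; nothing in the hunk shows such a hop, so this may be a non-issue, but if one exists the real client address has to be restored with `set_real_ip_from`/`real_ip_header` ahead of the access rules. The subnet is a bare literal that will drift silently if the VPN range is ever changed; if the module that sets up the monitoring VPN exposes its subnet as an option, derive this value from it instead of repeating it here, or at least leave a comment naming where the authoritative value lives, e.g. `# keep in sync with the monitoringvpn subnet definition`. The `proxyPass` string is now duplicated verbatim between `locations."/"` and `locations."/metrics"`; pulling it into a single `let` binding keeps the two from diverging. The enclosing `services.nginx` virtual-host attribute set begins and ends outside the hunk.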
-- 
GitLab