Fixes https://whetstone.privatestorage.io/privatestorage/privatestorageops/-/issues/368
This MR adds an NGINX reverse proxy in front of our PaymentServer (a cool ½ GB added to the deployment, what are those people smoking) and allows access to the /metrics endpoint only to IPs within the monitoringvpn subnet 172.23.23.0/24.
This could go further. Possibilities:

- Run PaymentServer without privileges. From my reading around, a good approach for this could be the Nix-recommended way of systemd's DynamicUser. That is, until systemd breaks our whole distributed system with something Poettering would call a "small bug" or a "slight regression". Personally I might go with the more conservative approach of having a static user id, like here, for example.
- Moving the NGINX config from morph/lib/customize-issuer.nix to nixos/modules/issuer.nix, making it an integral part of the issuer, like we have it in grafana.nix already.
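Added example, not code from this MR or from the privatestorageops repository: a NixOS module fragment showing what the two pieces above look like together, the nginx ACL on /metrics and a PaymentServer unit running under DynamicUser. The PaymentServer listen address (127.0.0.1:8080), the public hostname, and the `pkgs.paymentserver` package attribute are assumptions for illustration; the MR does not state them.

```nix
# Added example (not the MR's own code). Assumptions, not taken from the MR:
#   - PaymentServer listens on 127.0.0.1:8080 (loopback only, see note below)
#   - the public hostname is payments.example.invalid
#   - pkgs.paymentserver is a placeholder package attribute
{ config, lib, pkgs, ... }:

{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts."payments.example.invalid" = {
      # Everything except /metrics is passed straight through to PaymentServer.
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
      };

      # /metrics is reachable only from the monitoringvpn subnet.
      # nginx evaluates allow/deny in order and stops at the first match,
      # so the allow must precede `deny all`.
      locations."/metrics" = {
        proxyPass = "http://127.0.0.1:8080";
        extraConfig = ''
          allow 172.23.23.0/24;
          deny all;
        '';
      };
    };
  };

  # PaymentServer as an unprivileged service via systemd's DynamicUser
  # (the first possibility listed in the MR). The ExecStart path is a
  # placeholder; replace it with the real package.
  systemd.services.paymentserver = {
    description = "PaymentServer behind nginx";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${pkgs.paymentserver}/bin/PaymentServer";
      # Additional sandboxing that works well together with DynamicUser.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
    };
  };

  # Only nginx is exposed; PaymentServer's own port must not be.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

Two checks worth doing after deploying something like this: `curl -i https://payments.example.invalid/metrics` from outside the VPN should return 403, and from a 172.23.23.0/24 address it should return the metrics. The ACL only helps if PaymentServer itself binds to loopback (or the firewall blocks its port); if the upstream listens on a routable address, the nginx restriction can be bypassed by talking to it directly.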