Disallow outside metrics reading

2023-09-13 23:17:37 +01:00 · 2023-09-13 23:17:37 +01:00 · 02a9a0b23b
parent b9280f2e5c
commit 02a9a0b23b
3 changed files with 6 additions and 2 deletions
--- a/nix/monitoring/configuration.nix
+++ b/nix/monitoring/configuration.nix
@ -56,7 +56,7 @@
      {
        job_name = "healthchecks";
        scrape_interval = "60s";
-        metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/qyitrbccSwyuvZEISGdBHSBQaEwLcaFu";
+        metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk";
        static_configs = [ { targets = [ "localhost:8000" ]; } ];
      }
      {
@ -85,6 +85,7 @@
    settings = {
      SECRET_KEY_FILE = config.age.secrets.healthchecks-secret.path;
      SITE_ROOT = "https://healthchecks.gmem.ca";
+      SITE_NAME = "Arch's Healthchecks";
    };
  };
  
@ -113,6 +114,9 @@
        proxyPass = "http://127.0.0.1:8000";
        proxyWebsockets = true;
      };
+      locations."~ \/projects\/.+\/metrics\/.+" = {
+        extraConfig = "deny all;";
+      };
    };
  };
  security.acme.acceptTerms = true;
--- a/secrets.nix
+++ b/secrets.nix
@ -11,6 +11,6 @@ in
  "secrets/vancouver-restic-b2.age".publicKeys = [ vancouver gsimmer ];
  "secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
  "secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ];
-
+  "secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ];
  "secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
 }
--- a/secrets/monitoring-healthchecks-ro.age
+++ b/secrets/monitoring-healthchecks-ro.age