authorFranck Cuny <franck@fcuny.net>2023-04-23 14:12:30 -0700
committerFranck Cuny <franck@fcuny.net>2023-04-23 14:29:34 -0700
commit7d9f1d668e0c01e61c0a952ba46ce8a752e915b1 (patch)
treee88e03da56b9cf1c45540ab53648670eed36291b /modules
parentmodules/monitoring: consolidate all monitoring services together (diff)
hosts/tahoe: loki and prometheus listen only on the wg0 interface
I don't want to have to deal with authentication and TLS certificates
for these endpoints. If they only listen on the WireGuard
interface, I can trust that only authorized hosts send traffic to
these endpoints. I trust what's running on these machines.
Diffstat (limited to '')
-rw-r--r--modules/services/monitoring/grafana.nix4
-rw-r--r--modules/services/monitoring/loki.nix19
-rw-r--r--modules/services/monitoring/prometheus.nix17
3 files changed, 33 insertions, 7 deletions
diff --git a/modules/services/monitoring/grafana.nix b/modules/services/monitoring/grafana.nix
index 44b0447..9b75fc3 100644
--- a/modules/services/monitoring/grafana.nix
+++ b/modules/services/monitoring/grafana.nix
@@ -29,11 +29,11 @@ in
             name = "prometheus";
             type = "prometheus";
             isDefault = true;
-            url = "http://localhost:9090";
+            url = "http://${config.my.services.monitoring.prometheus.listenAddress}:${toString config.my.services.monitoring.prometheus.listenPort}";
           }
           {
             name = "loki";
-            url = "http://192.168.6.40:3100";
+            url = "http://${config.my.services.monitoring.loki.listenAddress}:${toString config.my.services.monitoring.loki.listenPort}";
             type = "loki";
           }
         ];
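Review bot: The datasource URLs on the new lines are built from the services' `listenAddress`, whose module default is `"0.0.0.0"`, so a host that does not override it would hand Grafana `http://0.0.0.0:9090` and `http://0.0.0.0:3100` as destinations. Linux happens to route a connect to 0.0.0.0 to loopback, but that is an accident rather than a contract, and it silently masks the fact that the service is bound on every interface. A small guard keeps the intent explicit: `url = "http://${if p.listenAddress == "0.0.0.0" then "127.0.0.1" else p.listenAddress}:${toString p.listenPort}";` with `p = config.my.services.monitoring.prometheus` bound in a `let`, and the same for Loki. Note also that when `listenAddress` is the wg0 address, Grafana on the same host reaches these services over wg0, so Grafana's unit presumably needs wg0 up before it starts — worth confirming in the host config. The enclosing `datasources` list begins before this hunk.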
diff --git a/modules/services/monitoring/loki.nix b/modules/services/monitoring/loki.nix
index 8092100..65c4bdd 100644
--- a/modules/services/monitoring/loki.nix
+++ b/modules/services/monitoring/loki.nix
@@ -5,10 +5,19 @@ in
 {
   options.my.services.monitoring.loki = with lib; {
     enable = mkEnableOption "loki observability stack";
-    address = mkOption {
+    listenAddress = mkOption {
       type = types.str;
-      example = "192.168.6.40";
-      description = "Listen address";
+      default = "0.0.0.0";
+      description = lib.mdDoc ''
+        Address to listen on.
+      '';
+    };
+    listenPort = mkOption {
+      type = types.port;
+      default = 3100;
+      description = lib.mdDoc ''
+        Port to listen on.
+      '';
     };
   };
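Review bot: The new `listenAddress` option defaults to `"0.0.0.0"`, which undercuts the security argument in the commit message: any consumer of this module that forgets to set it gets an unauthenticated, plaintext Loki HTTP API exposed on every interface, since the whole point of the change is that the wg0 binding is the only access control. A safer default is loopback, `default = "127.0.0.1";`, or dropping the default so the option must be set explicitly. The description should also state the assumption the module relies on, e.g. `Address to listen on. The Loki API has no authentication or TLS; bind it to a trusted interface (e.g. the WireGuard address) rather than a public one.` — the current "Address to listen on." gives the next person no hint that this option is the access control.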
 
@@ -22,12 +31,12 @@ in
 
         server = {
           http_listen_port = 3100;
-          http_listen_address = cfg.address;
+          http_listen_address = cfg.listenAddress;
         };
 
         ingester = {
           lifecycler = {
-            address = cfg.address;
+            address = cfg.listenAddress;
             ring = {
               kvstore = { store = "inmemory"; };
               replication_factor = 1;
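Review bot: `http_listen_port = 3100;` on the context line is still hard-coded even though the previous hunk introduces a `listenPort` option and grafana.nix now builds its Loki datasource URL from that option; setting `listenPort` to anything other than 3100 would leave Loki on 3100 while Grafana points elsewhere. The fix is to wire the option through: `http_listen_port = cfg.listenPort;`. It is also worth a comment on `lifecycler.address`, since reusing the listen address for the ring's advertised address is only meaningful while `replication_factor = 1` and the store is in-memory, e.g. `# single-node ring; advertise the same address we listen on`. The enclosing `services.loki.configuration` attrset starts and ends outside this hunk.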
diff --git a/modules/services/monitoring/prometheus.nix b/modules/services/monitoring/prometheus.nix
index 59cccb6..916302b 100644
--- a/modules/services/monitoring/prometheus.nix
+++ b/modules/services/monitoring/prometheus.nix
@@ -43,6 +43,20 @@ in
 {
   options.my.services.monitoring.prometheus = with lib; {
     enable = mkEnableOption "Prometheus monitoring solution";
+    listenAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = lib.mdDoc ''
+        Address to listen on.
+      '';
+    };
+    listenPort = mkOption {
+      type = types.port;
+      default = 9090;
+      description = lib.mdDoc ''
+        Port to listen on.
+      '';
+    };
   };
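Review bot: As with the Loki module, `listenAddress` defaults to `"0.0.0.0"`, so the "only reachable over wg0" property claimed in the commit message is not enforced by the module itself but depends entirely on every host remembering to override it; Prometheus exposes its TSDB query API and, depending on the flags in `extraFlags` (not visible in this hunk), possibly the admin and lifecycle endpoints, all without authentication. Prefer `default = "127.0.0.1";` and say in the description why it matters: `Address to listen on. Prometheus is served without authentication or TLS, so this should be a private interface such as the WireGuard address.` If the module is only ever used with a wg0 address, an `assertions` entry rejecting `"0.0.0.0"` would make the trust assumption explicit rather than implicit.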
 
   config = lib.mkIf cfg.enable {
@@ -57,6 +71,9 @@ in
     services.prometheus = {
       enable = true;
 
+      port = cfg.listenPort;
+      listenAddress = cfg.listenAddress;
+
       globalConfig.scrape_interval = "15s";
 
       extraFlags = [