authorFranck Cuny <franck@fcuny.net>2022-06-23 17:58:55 -0700
committerFranck Cuny <franck@fcuny.net>2022-06-23 18:02:27 -0700
commitcd3b559fa48e221dc145e8d6527ad17e44bcca38 (patch)
tree10fcdb0edc7bd2cc055a5c84d7c07a56dcee6d1c /modules
parentfix(modules/sourcegraph): configure nginx to bind to tailscale IP (diff)
downloadworld-cd3b559fa48e221dc145e8d6527ad17e44bcca38.tar.gz
fix(modules/grafana): configure nginx to bind to tailscale IP
Only serve a response if the request is coming from tailscale. To ensure
this is the case, let's configure nginx to only listen on the tailscale
IP of the host for that server.

Note: the IP for tailscale is hard coded, there has to be a better way.
Change-Id: I83952484f60206df215e8c03017cfe7722d32697
Reviewed-on: https://cl.fcuny.net/c/world/+/487
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'modules')
-rw-r--r--modules/services/grafana/default.nix12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/services/grafana/default.nix b/modules/services/grafana/default.nix
index 063a1c9..b3f2122 100644
--- a/modules/services/grafana/default.nix
+++ b/modules/services/grafana/default.nix
@@ -37,6 +37,18 @@ in
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
       useACMEHost = cfg.vhostName;
+      listen = [
+        {
+          addr = "100.85.232.66";
+          port = 443;
+          ssl = true;
+        }
+        {
+          addr = "100.85.232.66";
+          port = 80;
+          ssl = false;
+        }
+      ];
       locations."/" = {
         proxyPass = "http://${config.services.grafana.addr}:${
             toString config.services.grafana.port
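Review bot: The bind address in the two `listen` entries is the only thing enforcing "tailscale only" here; nothing in the hunk restricts which interface a request arrives on, or how Grafana's own port is exposed. If the host firewall does not already limit 80/443 to the tailscale interface, a rule such as `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 80 443 ];` (interface name assumed) would enforce the restriction independently of the address. It is also worth confirming that `config.services.grafana.addr` is a loopback address, since otherwise the backend is reachable without passing through this vhost. The literal `"100.85.232.66"` appears twice, so a single `let` binding or module option would keep the entries from drifting, and nginx will presumably fail to start if that address is not yet assigned when the unit comes up. The virtualHost block continues past the end of the hunk.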