From 7d9f1d668e0c01e61c0a952ba46ce8a752e915b1 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 23 Apr 2023 14:12:30 -0700
Subject: hosts/tahoe: loki and prometheus listen only on the wg0 interface
I don't want to have to deal with authentication and TLS certificates for these endpoints. If they are only listening on the wireguard interface I can trust that only authorized hosts are sending traffic to these endpoints. I trust what's running on these machines.
---
 hosts/tahoe/services.nix | 11 +++++++----
 modules/services/monitoring/grafana.nix | 4 ++--
 modules/services/monitoring/loki.nix | 19 ++++++++++++++-----
 modules/services/monitoring/prometheus.nix | 17 +++++++++++++++++
 4 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index 4f3ffdb..d497f82 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -23,14 +23,17 @@ in
 };
 monitoring = {
- prometheus.enable = true;
- grafana = {
+ prometheus = {
 enable = true;
- vhostName = "dash.fcuny.xyz";
+ listenAddress = "192.168.6.40";
 };
 loki = {
 enable = true;
- address = "192.168.6.40";
+ listenAddress = "192.168.6.40";
+ };
+ grafana = {
+ enable = true;
+ vhostName = "dash.fcuny.xyz";
 };
 promtail.enable = true;
 node-exporter.enable = true;
diff --git a/modules/services/monitoring/grafana.nix b/modules/services/monitoring/grafana.nix
index 44b0447..9b75fc3 100644
--- a/modules/services/monitoring/grafana.nix
+++ b/modules/services/monitoring/grafana.nix
@@ -29,11 +29,11 @@ in
 name = "prometheus";
 type = "prometheus";
 isDefault = true;
- url = "http://localhost:9090";
+ url = "http://${config.my.services.monitoring.prometheus.listenAddress}:${toString config.my.services.monitoring.prometheus.listenPort}";
 }
 {
 name = "loki";
- url = "http://192.168.6.40:3100";
+ url = "http://${config.my.services.monitoring.loki.listenAddress}:${toString config.my.services.monitoring.loki.listenPort}";
 type = "loki";
 }
 ];
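Review bot: Both `listenAddress = "192.168.6.40";` lines bind the daemons to one specific address, and nothing in this commit (here or in the prometheus.nix/loki.nix hunks) orders the two services after the unit that brings up the interface carrying that address, so a start before the interface has the address would fail on an unbindable socket; consider `systemd.services.prometheus.after = [ "wireguard-wg0.service" ];` (and the same for loki), adjusting the unit name to whichever wireguard module the host uses. The commit title says the address lives on wg0, but the interface configuration is not on this page, so that mapping can only be checked against the host's network config. The literal is repeated for both services; hoisting it into the file's `let` block (the hunk context shows an `in`) would keep the two from drifting apart.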
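Review bot: The datasource URLs now use a bind address as a connect address: with the new options' default of `"0.0.0.0"` (loki.nix and prometheus.nix hunks) the Prometheus datasource becomes `http://0.0.0.0:9090`, which Linux generally treats as the local host but is not a reachable address in general, whereas the old value was `localhost`. Either document on the two `listenAddress` options that Grafana on the same host connects to exactly that address, or give each datasource its own URL option that defaults to the listen address so a wildcard bind cannot leak into the URL. The enclosing datasource list begins outside the hunk.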
diff --git a/modules/services/monitoring/loki.nix b/modules/services/monitoring/loki.nix
index 8092100..65c4bdd 100644
--- a/modules/services/monitoring/loki.nix
+++ b/modules/services/monitoring/loki.nix
@@ -5,10 +5,19 @@ in
 {
 options.my.services.monitoring.loki = with lib; {
 enable = mkEnableOption "loki observability stack";
- address = mkOption {
+ listenAddress = mkOption {
 type = types.str;
- example = "192.168.6.40";
- description = "Listen address";
+ default = "0.0.0.0";
+ description = lib.mdDoc ''
+ Address to listen on.
+ '';
+ };
+ listenPort = mkOption {
+ type = types.port;
+ default = 3100;
+ description = lib.mdDoc ''
+ Port to listen on.
+ '';
 };
 };
@@ -22,12 +31,12 @@ in
 server = {
 http_listen_port = 3100;
- http_listen_address = cfg.address;
+ http_listen_address = cfg.listenAddress;
 };
 ingester = {
 lifecycler = {
- address = cfg.address;
+ address = cfg.listenAddress;
 ring = {
 kvstore = { store = "inmemory"; };
 replication_factor = 1;
diff --git a/modules/services/monitoring/prometheus.nix b/modules/services/monitoring/prometheus.nix
index 59cccb6..916302b 100644
--- a/modules/services/monitoring/prometheus.nix
+++ b/modules/services/monitoring/prometheus.nix
@@ -43,6 +43,20 @@ in
 {
 options.my.services.monitoring.prometheus = with lib; {
 enable = mkEnableOption "Prometheus monitoring solution";
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = lib.mdDoc ''
+ Address to listen on.
+ '';
+ };
+ listenPort = mkOption {
+ type = types.port;
+ default = 9090;
+ description = lib.mdDoc ''
+ Port to listen on.
+ '';
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -57,6 +71,9 @@ in
 services.prometheus = {
 enable = true;
+ port = cfg.listenPort;
+ listenAddress = cfg.listenAddress;
+ globalConfig.scrape_interval = "15s";
 extraFlags = [
--
cgit 1.4.1
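Review bot: `default = "0.0.0.0";` makes any host that enables this module without setting `listenAddress` expose an unauthenticated Loki on every interface, the opposite of the commit message's model in which the wireguard binding is the only access control; the prometheus.nix options hunk introduces the same default for its `listenAddress`. A safer default is `"127.0.0.1"`, or omit the default so evaluation fails until an address is chosen deliberately, and the description could state that the endpoint carries no authentication or TLS and is meant for a wireguard or loopback address. The removed `example = "192.168.6.40";` was the only hint at the intended value; keeping an `example` on the new option would help readers of the generated option docs.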
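Review bot: `http_listen_port = 3100;` stays hardcoded although this commit adds a `listenPort` option (default 3100) and grafana.nix now builds the Loki datasource URL from it, so overriding `listenPort` leaves Loki on 3100 while Grafana points elsewhere; change it to `http_listen_port = cfg.listenPort;`. `lifecycler.address` now receives the bind address, and with the default `"0.0.0.0"` that would advertise a wildcard address in the ring — likely harmless for this single-node in-memory ring, but a short comment saying so would save the next reader a check. The `server` and `ingester` attribute sets begin before the hunk and `ingester` continues past it.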