Diffstat (limited to 'hosts/vidhar/prometheus/default.nix')
-rw-r--r--hosts/vidhar/prometheus/default.nix30
1 files changed, 29 insertions, 1 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index c60afd11..adcfdae9 100644
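--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -26,7 +26,7 @@ in {
 enable = true;
 
 extraFlags = [
-"--enable-feature=remote-write-receiver"
+"--web.enable-remote-write-receiver"
 ];
 
 exporters = {
@@ -387,5 +387,33 @@ in {
 AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"];
 };
 };
+
+services.nginx = {
+upstreams.prometheus = {
+servers = { "localhost:${config.services.prometheus.port}" = {}; };
+};
+virtualHosts."prometheus.vidhar.yggdrasil" = {
+forceSSl = true;
+sslCertificate = ./tls.crt;
+sslCertificateKey = "/run/credentials/nginx.service/prometheus.key";
+extraConfig = ''
+ssl_client_certificate ${./ca/ca.crt};
+ssl_trusted_certificate ${./ca/ca.crt};
+ssl_verify_client on;
+'';
+locations."/" = {
+proxyPass = "http://prometheus/";
+proxyWebsockets = true;
+};
+};
+};
+
+sops.secrets."prometheus.key" = {
+format = "binary";
+sopsFile = ./tls.key;
+};
+systemd.services.nginx.serviceConfig.LoadCredential = [
+"prometheus.key:${config.sops.secrets."prometheus.key".path}"
+];
 };
 }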
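Review bot: `forceSSl = true;` at new line 396 is misspelled; the NixOS option is `forceSSL`, and the module system should reject the unknown name, so it needs to read `forceSSL = true;` before the HTTPS-only behaviour can apply. At new line 393 `config.services.prometheus.port` is an integer and Nix does not coerce integers in string interpolation, so the upstream key should be `"localhost:${toString config.services.prometheus.port}"`. On the access-control side, `ssl_verify_client on` accepts any certificate that chains to `ca/ca.crt`, and `locations."/"` forwards everything, including the write endpoint that the `--web.enable-remote-write-receiver` flag turns on; if only some clients should push samples, a separate location for `/api/v1/write` with a check on `$ssl_client_s_dn` would narrow that. The client-certificate gate also only helps if Prometheus itself is bound to loopback, and the listen address is set outside these hunks, so that is worth confirming.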