From f2bfb278fbff1d02df0b6a377f3de24881172105 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 8 Apr 2022 22:43:06 +0200
Subject: prometheus
---
 hosts/vidhar/prometheus/default.nix | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
(limited to 'hosts/vidhar/prometheus/default.nix')
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index c60afd11..adcfdae9 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -26,7 +26,7 @@ in {
 enable = true;
 extraFlags = [
- "--enable-feature=remote-write-receiver"
+ "--web.enable-remote-write-receiver"
 ];
 exporters = {
@@ -387,5 +387,33 @@ in {
 AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"];
 };
 };
+
+ services.nginx = {
+ upstreams.prometheus = {
+ servers = { "localhost:${config.services.prometheus.port}" = {}; };
+ };
+ virtualHosts."prometheus.vidhar.yggdrasil" = {
+ forceSSl = true;
+ sslCertificate = ./tls.crt;
+ sslCertificateKey = "/run/credentials/nginx.service/prometheus.key";
+ extraConfig = ''
+ ssl_client_certificate ${./ca/ca.crt};
+ ssl_trusted_certificate ${./ca/ca.crt};
+ ssl_verify_client on;
+ '';
+ locations."/" = {
+ proxyPass = "http://prometheus/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ sops.secrets."prometheus.key" = {
+ format = "binary";
+ sopsFile = ./tls.key;
+ };
+ systemd.services.nginx.serviceConfig.LoadCredential = [
+ "prometheus.key:${config.sops.secrets."prometheus.key".path}"
+ ];
 };
 }
-- cgit v1.2.3
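Review bot: The write endpoint that `--web.enable-remote-write-receiver` turns on in `extraFlags` has no access control visible in this change. Unless a web config file outside this hunk adds some, it relies entirely on whatever sits in front of Prometheus. The nginx virtual host added in the second hunk proxies all of `/`, so every client holding a certificate issued by `ca/ca.crt` can push samples as well as query. If only specific senders should write, a separate `locations."/api/v1/write"` that checks `$ssl_client_s_dn` would keep read and write access apart. A comment beside the flag such as `# remote write is reachable only through the mTLS vhost below` would record that dependency.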
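Review bot: `forceSSl = true;` in the new virtual host is misspelled. The NixOS option is `forceSSL`, and the virtual-host submodule is expected to reject the unknown attribute at evaluation, so the line should read `forceSSL = true;`. In `upstreams.prometheus.servers`, `${config.services.prometheus.port}` interpolates a value the NixOS module declares as an integer port, which Nix does not coerce to a string; `"localhost:${toString config.services.prometheus.port}" = {};` avoids that. `ssl_verify_client on;` only protects requests that pass through nginx, and the enclosing `in { … }` block starts outside this hunk. It is therefore worth confirming there that `services.prometheus.listenAddress` is bound to loopback, or the port is firewalled, so Prometheus cannot be reached directly without a client certificate.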