From d85e4b1593ed562bea891c67682bb2536bb8c04f Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sun, 16 Jul 2023 21:04:07 +0000
Subject: [PATCH] fix: caddy denylist and jellyfin prometheus
---
 modules/nixos/services/cloudflare.nix | 4 ++--
 modules/nixos/services/jellyfin.nix | 29 ++++++++++++++++++++-------
 2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/modules/nixos/services/cloudflare.nix b/modules/nixos/services/cloudflare.nix
index 0df2068..b3d4e47 100644
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@@ -41,11 +41,11 @@ in { config = lib.mkIf config.cloudflare.enable { # Forces Caddy to error if coming from a non-Cloudflare IP
- caddy.blocks = [{
+ caddy.routes = [{
 match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
 handle = [{
 handler = "static_response";
- abort = true;
+ status_code = "403";
 }];
 }];
diff --git a/modules/nixos/services/jellyfin.nix b/modules/nixos/services/jellyfin.nix
index 19b88d2..9508c1a 100644
--- a/modules/nixos/services/jellyfin.nix
+++ b/modules/nixos/services/jellyfin.nix
@@ -5,13 +5,25 @@ services.jellyfin.group = "media"; users.users.jellyfin = { isSystemUser = true; };
- caddy.routes = [{
- match = [{ host = [ config.hostnames.stream ]; }];
- handle = [{
- handler = "reverse_proxy";
- upstreams = [{ dial = "localhost:8096"; }];
- }];
- }];
+ caddy.routes = [
+ {
+ match = [{
+ host = [ config.hostnames.stream ];
+ path = [ "/metrics*" ];
+ }];
+ handle = [{
+ handler = "static_response";
+ status_code = "403";
+ }];
+ }
+ {
+ match = [{ host = [ config.hostnames.stream ]; }];
+ handle = [{
+ handler = "reverse_proxy";
+ upstreams = [{ dial = "localhost:8096"; }];
+ }];
+ }
+ ];
 # Create videos directory, allow anyone in Jellyfin group to manage it
 systemd.tmpfiles.rules = [
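Review bot: In cloudflare.nix, moving the non-Cloudflare deny rule from `caddy.blocks` into the shared `caddy.routes` list makes its effect depend on where it lands once NixOS merges every module's routes. Caddy evaluates routes in order, so a `reverse_proxy` route that matches first answers the request before this rule is reached. How `caddy.routes` is rendered is outside this hunk, so this is inferred; if the order is not guaranteed elsewhere, the definition should pin itself to the front, e.g. `caddy.routes = lib.mkBefore [{`. A comment such as `# Must stay ahead of every proxy route; this 403 is the only origin-side check on the client IP` would record the requirement. The enclosing `config = lib.mkIf …` block continues past the hunk.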
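Review bot: In jellyfin.nix, the new `/metrics*` route only protects requests that pass through Caddy, while the hunk still proxies to `localhost:8096`. If Jellyfin's own port is reachable from other hosts (for instance with `services.jellyfin.openFirewall` set, which is not visible here), the metrics endpoint would be exposed regardless of this rule. The route also has no comment, so a later reader cannot tell why a 403 precedes the proxy; something like `# Keep Jellyfin's Prometheus endpoint private; it is scraped locally on 127.0.0.1:8096` above the first entry would help. The 403 entry has to stay before the `reverse_proxy` entry for the same host.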
@@ -35,6 +47,9 @@ users.users.jellyfin.extraGroups = [ "render" "video" ]; # Access to /dev/dri
+ # Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
+ prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
+ }; }
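Review bot: The scrape target depends on a setting in `/var/lib/jellyfin/config/system.xml` that this module does not manage, so on a fresh host the target will presumably fail until someone edits the file by hand. The comment should say so and name the element precisely; as far as I know Jellyfin calls it `EnableMetrics` rather than `MetricsEnable`, which is worth checking. A possible wording is `# Requires <EnableMetrics>true</EnableMetrics> in /var/lib/jellyfin/config/system.xml (set manually; not managed by Nix)`. Once the flag is on, the endpoint is, to my knowledge, served without authentication on port 8096, so the Caddy 403 for `/metrics*` and the host firewall are what keep it private. The enclosing attribute set starts above the hunk.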