fix: caddy denylist and jellyfin prometheus

2024-11-26 06:05:37 +00:00 · 2023-07-16 21:04:07 +00:00 · 2023-07-16 21:04:07 +00:00 · d85e4b1593
commit d85e4b1593
parent 6ea99eca5d
2 changed files with 24 additions and 9 deletions
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@ -41,11 +41,11 @@ in {
  config = lib.mkIf config.cloudflare.enable {

    # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.blocks = [{
+    caddy.routes = [{
      match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
      handle = [{
        handler = "static_response";
-        abort = true;
+        status_code = "403";
      }];
    }];

--- a/modules/nixos/services/jellyfin.nix
+++ b/modules/nixos/services/jellyfin.nix
@ -5,13 +5,25 @@
    services.jellyfin.group = "media";
    users.users.jellyfin = { isSystemUser = true; };

-    caddy.routes = [{
-      match = [{ host = [ config.hostnames.stream ]; }];
-      handle = [{
-        handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:8096"; }];
-      }];
-    }];
+    caddy.routes = [
+      {
+        match = [{
+          host = [ config.hostnames.stream ];
+          path = [ "/metrics*" ];
+        }];
+        handle = [{
+          handler = "static_response";
+          status_code = "403";
+        }];
+      }
+      {
+        match = [{ host = [ config.hostnames.stream ]; }];
+        handle = [{
+          handler = "reverse_proxy";
+          upstreams = [{ dial = "localhost:8096"; }];
+        }];
+      }
+    ];

    # Create videos directory, allow anyone in Jellyfin group to manage it
    systemd.tmpfiles.rules = [
@ -35,6 +47,9 @@
    users.users.jellyfin.extraGroups =
      [ "render" "video" ]; # Access to /dev/dri

+    # Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
+    prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
+
  };

 }