fix: caddy denylist and jellyfin prometheus

This commit is contained in:
Noah Masur 2023-07-16 21:04:07 +00:00
parent 6ea99eca5d
commit d85e4b1593
2 changed files with 24 additions and 9 deletions

View File

@ -41,11 +41,11 @@ in {
config = lib.mkIf config.cloudflare.enable {
# Forces Caddy to error if coming from a non-Cloudflare IP
caddy.blocks = [{
caddy.routes = [{
match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
handle = [{
handler = "static_response";
abort = true;
status_code = "403";
}];
}];

View File

@ -5,13 +5,25 @@
services.jellyfin.group = "media";
users.users.jellyfin = { isSystemUser = true; };
caddy.routes = [{
match = [{ host = [ config.hostnames.stream ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8096"; }];
}];
}];
caddy.routes = [
{
match = [{
host = [ config.hostnames.stream ];
path = [ "/metrics*" ];
}];
handle = [{
handler = "static_response";
status_code = "403";
}];
}
{
match = [{ host = [ config.hostnames.stream ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8096"; }];
}];
}
];
# Create videos directory, allow anyone in Jellyfin group to manage it
systemd.tmpfiles.rules = [
@ -35,6 +47,9 @@
users.users.jellyfin.extraGroups =
[ "render" "video" ]; # Access to /dev/dri
# Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
};
}