fix: caddy denylist and jellyfin prometheus

modules/nixos/services/caddy.nix

@@ -30,6 +30,7 @@
             errors.routes = config.caddy.blocks;
             # logs = { }; # Uncomment to collect access logs
           };
+          apps.http.servers.metrics = { }; # Enables Prometheus metrics
           apps.tls.automation.policies = config.caddy.tlsPolicies;
           logging.logs.main = {
             encoder = { format = "console"; };
@@ -47,6 +48,8 @@
       networking.firewall.allowedTCPPorts = [ 80 443 ];
       networking.firewall.allowedUDPPorts = [ 443 ];
 
+      prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
+
     };
 
 }

modules/nixos/services/cloudflare.nix

@@ -41,11 +41,11 @@ in {
   config = lib.mkIf config.cloudflare.enable {
 
     # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.blocks = [{
+    caddy.routes = [{
       match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
       handle = [{
         handler = "static_response";
-        abort = true;
+        status_code = "403";
       }];
     }];
 

modules/nixos/services/jellyfin.nix

@@ -5,13 +5,25 @@
     services.jellyfin.group = "media";
     users.users.jellyfin = { isSystemUser = true; };
 
-    caddy.routes = [{
+    caddy.routes = [
-      match = [{ host = [ config.hostnames.stream ]; }];
+      {
-      handle = [{
+        match = [{
-        handler = "reverse_proxy";
+          host = [ config.hostnames.stream ];
-        upstreams = [{ dial = "localhost:8096"; }];
+          path = [ "/metrics*" ];
-      }];
+        }];
-    }];
+        handle = [{
+          handler = "static_response";
+          status_code = "403";
+        }];
+      }
+      {
+        match = [{ host = [ config.hostnames.stream ]; }];
+        handle = [{
+          handler = "reverse_proxy";
+          upstreams = [{ dial = "localhost:8096"; }];
+        }];
+      }
+    ];
 
     # Create videos directory, allow anyone in Jellyfin group to manage it
     systemd.tmpfiles.rules = [
@@ -35,6 +47,9 @@
     users.users.jellyfin.extraGroups =
       [ "render" "video" ]; # Access to /dev/dri
 
+    # Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
+    prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
+
   };
 
 }

modules/nixos/services/prometheus.nix

@@ -38,6 +38,8 @@
 
     services.prometheus = {
       exporters.node.enable = config.prometheus.exporters.enable;
+      exporters.node.enabledCollectors = [ ];
+      exporters.node.disabledCollectors = [ "cpufreq" ];
       exporters.systemd.enable = config.prometheus.exporters.enable;
       exporters.process.enable = config.prometheus.exporters.enable;
       exporters.process.settings.process_names = [