| author | Franck Cuny <franck@fcuny.net> | 2023-04-23 14:12:30 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2023-04-23 14:29:34 -0700 |
| commit | 7d9f1d668e0c01e61c0a952ba46ce8a752e915b1 (patch) | |
| tree | e88e03da56b9cf1c45540ab53648670eed36291b /modules/services/monitoring/prometheus.nix | |
| parent | modules/monitoring: consolidate all monitoring services together (diff) | |
hosts/tahoe: loki and prometheus listen only on the wg0 interface
I don't want to have to deal with authentication and TLS certificates
for these endpoints. If they are only listening on the wireguard
interface I can trust that only authorized hosts are sending traffic to
these endpoints. I trust what's running on these machines.
Diffstat (limited to 'modules/services/monitoring/prometheus.nix')
| -rw-r--r-- | modules/services/monitoring/prometheus.nix | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/modules/services/monitoring/prometheus.nix b/modules/services/monitoring/prometheus.nix
index 59cccb6..916302b 100644
--- a/modules/services/monitoring/prometheus.nix
+++ b/modules/services/monitoring/prometheus.nix
@@ -43,6 +43,20 @@ in
 {
 options.my.services.monitoring.prometheus = with lib; {
 enable = mkEnableOption "Prometheus monitoring solution";
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = lib.mdDoc ''
+ Address to listen on.
+ '';
+ };
+ listenPort = mkOption {
+ type = types.port;
+ default = 9090;
+ description = lib.mdDoc ''
+ Port to listen on.
+ '';
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -57,6 +71,9 @@ in
 services.prometheus = {
 enable = true;
+ port = cfg.listenPort;
+ listenAddress = cfg.listenAddress;
+ globalConfig.scrape_interval = "15s";
 extraFlags = [ |
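Review bot: The new `listenAddress` option defaults to `"0.0.0.0"`, so any host that enables this module without overriding it serves Prometheus on every interface, with none of the authentication or TLS that the commit message says wg0 is standing in for. A fail-closed default such as `default = "127.0.0.1";` (or no default, so each host must choose) would stop the WireGuard-only assumption from depending on every host remembering the override. The per-host value for tahoe is not part of this diff, so it could not be checked here. The option text could carry the warning too: `Address to listen on. Prometheus is served without authentication or TLS, so bind it only to a trusted interface.`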
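Review bot: Setting `listenAddress = cfg.listenAddress;` to an address that exists only while wg0 is up adds a start-up ordering dependency that the visible lines of `services.prometheus` do not express. If the unit starts before the interface has its address, the bind will presumably fail and the host runs without monitoring until a restart succeeds. If nothing outside the hunk already orders the units, consider `systemd.services.prometheus.after = [ "wireguard-wg0.service" ];` when the interface is managed by `networking.wireguard` (the unit name differs for wg-quick or networkd). The attribute set and the `extraFlags` list continue past the end of the hunk, so whether any flag exposes the admin or lifecycle API to every wg0 peer could not be checked.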
