nginx: block all /metrics endpoints

2025-03-14 16:40:19 +01:00 · 2025-03-14 16:40:19 +01:00 · d6be5fefea
commit d6be5fefea
parent cad1ac566a
1 changed files with 50 additions and 39 deletions
--- a/shared/applications/server/nginx.nix
+++ b/shared/applications/server/nginx.nix
@ -10,6 +10,16 @@ let
      -out "$out/ca.pem" -keyout "$out/ca.key"
  '';
 in {
+  # block all /metrics endpoints
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.submodule {
+      config.locations."/metrics" = lib.mkDefault {
+        extraConfig = "deny all;";
+      };
+    });
+  };
+
+  config = {
    services.nginx = {
      enable = true;

@ -52,5 +62,6 @@ in {
      allowedTCPPorts = [80 443];
      allowedUDPPorts = [443];
    };
+  };
 }