aurweb/prometheus: Put aurweb metrics endpoint behind authentication

We do not usually expose metrics publicly and there is no good reason
for handling aurweb differently.

Fixes: 74757d6b ("Scape aurweb metrics")

group_vars/all/vault_aurweb.yml

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38383639393932666334353834613134353965333939343530636234353536366138346137613636
+3439373136366635623339626236663338623237313135630a333939303839303738653835316430
+37363337386331323263623837373032646438326334623436313034353032386535656139353264
+3834613539356336310a383230373736346434656361333134353136366430393130396466643561
+61356162353661633736356431646538643138383766333763626335393135343363316166656461
+30663961336136356134333231316232653664343839616235396562376436363837356563616136
+656332343163376332636131333166623362

roles/aurweb/templates/nginx.d.conf.j2

@@ -138,13 +138,23 @@ server {
     }
 
     location / {
+{% block asgi_proxy  %}
         # Proxy over to aurweb's ASGI application.
         proxy_pass http://{{ aurweb_asgi_bind }};
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Ssl on;
+{% endblock %}
 
         limit_req zone=aurweblimit burst=10 nodelay;
     }
+
+    location = /metrics {
+        if ($http_authorization != "Bearer {{ vault_aurweb_metrics_token }}") {
+            return 403;
+        }
+
+{{ self.asgi_proxy() }}
+    }
 }

roles/prometheus/templates/prometheus.yml.j2

@@ -134,6 +134,8 @@ scrape_configs:
 
   - job_name: aurweb
     scheme: https
+    authorization:
+      credentials: {{ vault_aurweb_metrics_token }}
     static_configs:
       - targets: ['aur.archlinux.org:443']