From 25855deb676445c9b747ab074bfba06dddebd74b Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Sun, 18 Aug 2024 22:38:48 +0200
Subject: [PATCH] aurweb/prometheus: Put aurweb metrics endpoint behind authentication
We do not usually expose metrics publicly and there is no good reason for handling aurweb differently.
Fixes: 74757d6b ("Scape aurweb metrics")
---
group_vars/all/vault_aurweb.yml | 8 ++++++++
roles/aurweb/templates/nginx.d.conf.j2 | 10 ++++++++++
roles/prometheus/templates/prometheus.yml.j2 | 2 ++
3 files changed, 20 insertions(+)
create mode 100644 group_vars/all/vault_aurweb.yml
diff --git a/group_vars/all/vault_aurweb.yml b/group_vars/all/vault_aurweb.yml
new file mode 100644
index 00000000..be72b864
--- /dev/null
+++ b/group_vars/all/vault_aurweb.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38383639393932666334353834613134353965333939343530636234353536366138346137613636
+3439373136366635623339626236663338623237313135630a333939303839303738653835316430
+37363337386331323263623837373032646438326334623436313034353032386535656139353264
+3834613539356336310a383230373736346434656361333134353136366430393130396466643561
+61356162353661633736356431646538643138383766333763626335393135343363316166656461
+30663961336136356134333231316232653664343839616235396562376436363837356563616136
+656332343163376332636131333166623362
diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
index 1f6c6405..c409dd2a 100644
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -138,13 +138,23 @@ server {
 }
 location / {
+{% block asgi_proxy %}
 # Proxy over to aurweb's ASGI application.
 proxy_pass http://{{ aurweb_asgi_bind }};
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Ssl on;
+{% endblock %}
 limit_req zone=aurweblimit burst=10 nodelay;
 }
+
+ location = /metrics {
+ if ($http_authorization != "Bearer {{ vault_aurweb_metrics_token }}") {
+ return 403;
+ }
+
+{{ self.asgi_proxy() }}
+ }
 }
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index 9faf4c37..a0342b56 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -134,6 +134,8 @@ scrape_configs:
 - job_name: aurweb
 scheme: https
+ authorization:
+ credentials: {{ vault_aurweb_metrics_token }}
 static_configs:
 - targets: ['aur.archlinux.org:443']
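Review bot: The new `location = /metrics` is not rate-limited: `limit_req zone=aurweblimit burst=10 nodelay;` sits outside the `asgi_proxy` Jinja block, so `{{ self.asgi_proxy() }}` re-emits only the proxy directives and repeated failed token checks on this path are not throttled the way requests to `location /` are. Adding `limit_req zone=aurweblimit burst=10 nodelay;` after the `if` block in the new location (or moving the directive inside the block so both locations inherit it) keeps the two locations consistent. A comment above the `if`, such as `# Prometheus presents the vault token as "Authorization: Bearer <token>"; anything else is rejected here before reaching aurweb`, would tie this check to the credentials set in roles/prometheus/templates/prometheus.yml.j2, which lives in a different role. The enclosing server block starts outside the hunk.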