monitoring-services: add prometheus.basicAuthFile option

This allows http basic auth access to prometheus, in addition to oauth2.
input-output-hk · Oct 26, 2021 · 16bf7cc · 16bf7cc
1 parent d382802
commit 16bf7cc
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/modules/monitoring-services.nix b/modules/monitoring-services.nix
@@ -259,6 +259,15 @@ in {
           "extra receivers added to services.prometheus.alertmanager.configuration.receivers";
       };
 
+      prometheus.basicAuthFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          Basic Auth password file for prometheus, for use in addition to oauth2_proxy.
+          Syntax is name + ':' + <command>openssl passwd -6</command>
+        '';
+      };
+
 
       prometheus.storageRetentionTime = mkOption {
         type = types.str;
@@ -409,6 +418,11 @@ in {
             '';
             "/prometheus/".extraConfig = ''
               ${nginxOAuthConfig}
+              ${optionalString (cfg.prometheus.basicAuthFile != null) ''
+              satisfy any;
+              auth_basic "prometheus";
+              auth_basic_user_file "${cfg.prometheus.basicAuthFile}";
+              ''}
               proxy_pass http://localhost:9090/prometheus/;
               proxy_set_header Host $host;
               proxy_set_header REMOTE_ADDR $remote_addr;