Merge pull request #84 from input-output-hk/cad-3436-prom-apikey

monitoring-services: add prometheus.basicAuthFile option
input-output-hk · Oct 28, 2021 · a7fd862 · a7fd862
2 parents d382802 + ad8308d
commit a7fd862
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/modules/monitoring-services.nix b/modules/monitoring-services.nix
@@ -259,6 +259,15 @@ in {
           "extra receivers added to services.prometheus.alertmanager.configuration.receivers";
       };
 
+      prometheus.basicAuthFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          Basic Auth password file for prometheus, for use in addition to oauth2_proxy.
+          Syntax is name + ':' + <command>openssl passwd -6</command>
+        '';
+      };
+
 
       prometheus.storageRetentionTime = mkOption {
         type = types.str;
@@ -409,6 +418,11 @@ in {
             '';
             "/prometheus/".extraConfig = ''
               ${nginxOAuthConfig}
+              ${optionalString (cfg.prometheus.basicAuthFile != null) ''
+              satisfy any;
+              auth_basic "prometheus";
+              auth_basic_user_file "${cfg.prometheus.basicAuthFile}";
+              ''}
               proxy_pass http://localhost:9090/prometheus/;
               proxy_set_header Host $host;
               proxy_set_header REMOTE_ADDR $remote_addr;

diff --git a/roles/monitor.nix b/roles/monitor.nix
@@ -59,6 +59,7 @@ in {
         grafanaCreds
         graylogCreds
         pagerDuty;
+      prometheus = static.prometheus or {};
     };
 
     services.oauth2_proxy.enable = lib.mkDefault true;