fix: put loki behind nginx proxy to hide debug/pprof endpoint and only allow push.

Adrian G L
2026-06-12 13:25:23 +02:00
parent b592f0100a
commit 05589e7520
+20 -3
@@ -3,14 +3,15 @@
let let
cfg = config.services.loki; cfg = config.services.loki;
stateDir = "/data/monitoring/loki"; stateDir = "/data/monitoring/loki";
internalPort = 83100;
in { in {
services.loki = { services.loki = {
enable = true; enable = true;
configuration = { configuration = {
auth_enabled = false; auth_enabled = false;
server = { server = {
http_listen_port = 3100; http_listen_port = internalPort;
http_listen_address = "0.0.0.0"; http_listen_address = "127.0.0.1";
grpc_listen_port = 9096; grpc_listen_port = 9096;
}; };
@@ -81,5 +82,21 @@ in {
}; };
}; };
networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ]; services.nginx.virtualHosts."loki-internal" = {
listen = [{
addr = "0.0.0.0";
port = 3100;
ssl = false;
}];
locations = {
"/loki/api/v1/push" = {
proxyPass = "http://127.0.0.1:${toString internalPort}";
};
"/" = {
return = "403";
};
};
};
networking.firewall.allowedTCPPorts = [ 3100 ];
} }
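Review bot: `internalPort = 83100;` in the `let` block is above the maximum TCP port of 65535, so Loki should fail to bind and the `proxyPass` upstream would be unreachable; use a valid port, for example `internalPort = 13100;`. In the `server` block only `http_listen_address` is moved to loopback, while `grpc_listen_port = 9096` has no `grpc_listen_address = "127.0.0.1";` next to it, so gRPC presumably still listens on all interfaces and depends on the firewall alone. With `auth_enabled = false` and the vhost listening on `0.0.0.0` without TLS, the push location accepts log writes from any host that can reach port 3100. Consider restricting it to the log shippers, for instance `extraConfig = "allow <shipper-cidr>; deny all;";` on the `"/loki/api/v1/push"` location. The middle of the file lies between the two hunks and is not visible, so `services.nginx.enable` may already be set there or elsewhere.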