From 345159601e139bf4553c82f8e3b0fbe6f2ca46e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sat, 7 Oct 2023 04:15:52 +0200
Subject: [PATCH] gitea: Add monitoring

---
 configuration/services/gitea.nix           | 21 ++++++++++++++++
 configuration/services/metrics/default.nix | 29 +++++++++++++++++-----
 configuration/sops.nix                     |  6 +++++
 keys/staging.yaml                          |  6 +++--
 4 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 6d6dafd..013842e 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }: let
   domain = "gitea.${config.services.nginx.domain}";
@@ -19,11 +20,23 @@ in {
         SSH_PORT = 2222;
       };
 
+      metrics = {
+        ENABLED = true;
+        TOKEN = "#metricstoken#";
+      };
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;
     };
   };
 
+  systemd.services.gitea.serviceConfig.ExecStartPre = let
+    replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
+    secretPath = config.sops.secrets."gitea/metrics-token".path;
+    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+  in [
+    "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
+  ];
+
   # Set up SSL
   services.nginx.virtualHosts."${domain}" = let
     httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
@@ -37,6 +50,14 @@ in {
     '';
 
     locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
+    locations."/metrics" = {
+      extraConfig = ''
+        access_log off;
+        allow 127.0.0.1;
+        ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
+        deny all;
+      '';
+    };
   };
 
   # Block repeated failed login attempts
diff --git a/configuration/services/metrics/default.nix b/configuration/services/metrics/default.nix
index 3347467..4b163d3 100644
--- a/configuration/services/metrics/default.nix
+++ b/configuration/services/metrics/default.nix
@@ -138,12 +138,29 @@ in {
           job_name = "tlater.net";
           static_configs = [
             {
-              targets =
-                lib.mapAttrsToList (name: exporter: "${exporter.listenAddress}:${toString exporter.port}")
-                (lib.filterAttrs (name: exporter: (builtins.isAttrs exporter) && exporter.enable)
-                  (config.services.prometheus.exporters // config.services.prometheus.local-exporters))
-                ++ [
-                  "127.0.0.1:9641" # coturn
+              targets = let
+                exporters = config.services.prometheus.exporters;
+                localExporters = config.services.prometheus.local-exporters;
+              in
+                map (exporter: "${exporter.listenAddress}:${toString exporter.port}") [
+                  exporters.domain
+                  exporters.node
+                  exporters.nginx
+                  exporters.nginxlog
+                  exporters.systemd
+
+                  localExporters.prometheus-fail2ban-exporter
+
+                  {
+                    # coturn
+                    listenAddress = "127.0.0.1";
+                    port = "9641";
+                  }
+                  {
+                    # gitea
+                    listenAddress = "127.0.0.1";
+                    port = "3000";
+                  }
                 ];
             }
           ];
diff --git a/configuration/sops.nix b/configuration/sops.nix
index 6eae9fc..190dd95 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -3,6 +3,12 @@
     defaultSopsFile = ../keys/production.yaml;
 
     secrets = {
+      # Gitea
+      "gitea/metrics-token" = {
+        owner = "gitea";
+        group = "gitea";
+      };
+
       # Grafana
       "grafana/adminPassword" = {
         owner = "grafana";
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 86ce700..73f0f94 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -1,3 +1,5 @@
+gitea:
+    metrics-token: ENC[AES256_GCM,data:J4QdfI1wKyM=,iv:8fqCbftyhj90eIVFxjEp9RXKC1y1IaLnV1r2MOdY15M=,tag:8W/juv1OZh4hJco02qXO6g==,type:str]
 grafana:
     adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
     secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
@@ -24,8 +26,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-10-01T23:00:06Z"
-    mac: ENC[AES256_GCM,data:oEJ3Nwlx5YTVLvWa12On1O+LakU42rsAD1wD52MTlzuwgyRZ/g49pL6pQiL6S0uE7wC0EOqOvg2pCtDxxHe3WNjEpcxnWWftdEjw2laLnBuOqduQmVW+Sn23SzoRkl7PwOH1jTQHzRyciyYkJT1/vCNnbNdKg1eqnbpxPysg6/A=,iv:dC8eNEXhzC8Nx1rfXQdDKtlO01QhyW9ncNFEK/yakrg=,tag:vQ4AW/mqnA9Vs5NNzFsYWQ==,type:str]
+    lastmodified: "2023-10-07T02:17:50Z"
+    mac: ENC[AES256_GCM,data:vZDq33YIn0Nf1FQ2+ySezox6igiw6zNFCu3l3kaIsBKo1797pohmAxj2Lcc+OmlBjj98khaBIlbQuA5ULM+uPN5ILaz3NuXD5PZtsV+rL2PsLNMW9FBSmJ0m0YQrt0nZ0tpzifn12XghcSK2IXv+FnxlfrAJCxDvr5tRm90uUwU=,iv:ct8CzIWjaoJ1UjZcdFSr8lZ626vA0RvM883V6H5plWc=,tag:waJNtp/UbRDOfyzNElrung==,type:str]
     pgp:
         - created_at: "2022-10-12T16:48:23Z"
           enc: |