From 4cbaa334753eac5329c2f93b35942f7f14894cf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 17 Feb 2026 00:36:11 +0100
Subject: [PATCH] monitoring02: add Caddy reverse proxy for VictoriaMetrics and vmalert

Add metrics.home.2rjus.net and vmalert.home.2rjus.net CNAMEs with Caddy TLS termination via internal ACME CA. Refactors Grafana's Caddy config from configFile to globalConfig + virtualHosts so both modules can contribute routes to the same Caddy instance.

Co-Authored-By: Claude Opus 4.6
---
 hosts/monitoring02/configuration.nix | 3 +--
 services/grafana/default.nix | 26 ++++++++++++--------------
 services/victoriametrics/default.nix | 8 ++++++++
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/hosts/monitoring02/configuration.nix b/hosts/monitoring02/configuration.nix
index 1031c36..3cf2f8d 100644
--- a/hosts/monitoring02/configuration.nix
+++ b/hosts/monitoring02/configuration.nix
@@ -18,8 +18,7 @@
 role = "monitoring";
 };
- # DNS CNAME for Grafana test instance
- homelab.dns.cnames = [ "grafana-test" ];
+ homelab.dns.cnames = [ "grafana-test" "metrics" "vmalert" ];
 # Enable Vault integration
 vault.enable = true;
diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index b22a5d7..a0dc7b4 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -87,22 +87,20 @@
 services.caddy = {
 enable = true;
 package = pkgs.unstable.caddy;
- configFile = pkgs.writeText "Caddyfile" ''
- {
- acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
- metrics
- }
-
- grafana-test.home.2rjus.net {
- log {
- output file /var/log/caddy/grafana.log {
- mode 644
- }
+ globalConfig = ''
+ acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+ metrics
+ '';
+ virtualHosts."grafana-test.home.2rjus.net".extraConfig = ''
+ log {
+ output file /var/log/caddy/grafana.log {
+ mode 644
 }
-
- reverse_proxy http://127.0.0.1:3000
 }
-
+ reverse_proxy http://127.0.0.1:3000
+ '';
+ # Metrics endpoint on plain HTTP for Prometheus scraping
+ extraConfig = ''
 http://${config.networking.hostName}.home.2rjus.net/metrics {
 metrics
 }
diff --git a/services/victoriametrics/default.nix b/services/victoriametrics/default.nix
index e0c4f93..02aee75 100644
--- a/services/victoriametrics/default.nix
+++ b/services/victoriametrics/default.nix
@@ -183,6 +183,14 @@ in
 };
 };
+ # Caddy reverse proxy for VictoriaMetrics and vmalert
+ services.caddy.virtualHosts."metrics.home.2rjus.net".extraConfig = ''
+ reverse_proxy http://127.0.0.1:8428
+ '';
+ services.caddy.virtualHosts."vmalert.home.2rjus.net".extraConfig = ''
+ reverse_proxy http://127.0.0.1:8880
+ '';
+
 # Alertmanager - same config as monitoring01 but will only receive
 # alerts after cutover (vmalert notifier is disabled above)
 services.prometheus.alertmanager = {
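Review bot: `enable = true` and the `acme_ca` line in `globalConfig` are set only here in the Grafana module, yet the virtual hosts added in services/victoriametrics/default.nix depend on both, and as far as this diff shows that module sets neither. If it is ever imported on a host without the Grafana module, Caddy is either not enabled or, if enabled elsewhere, falls back to its default public ACME issuers for the internal `home.2rjus.net` names. Consider moving the shared base (`enable`, `package`, `globalConfig`) into a common Caddy module, or at least record the dependency with a comment above `globalConfig` such as `# Global options for every Caddy vhost on this host, including those declared in services/victoriametrics`. The `services.caddy` attribute set continues past the end of the hunk.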
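Review bot: Both new virtual hosts pass every path straight to the backend with no authentication or client restriction at the proxy, so any client that can reach `metrics.home.2rjus.net` gets the whole VictoriaMetrics HTTP API on 8428 (ingestion and admin endpoints, not just queries), and likewise the vmalert API on 8880. Whether the backends enforce their own auth is not visible in this hunk; if they do not, restrict the vhosts at the proxy, for example `@trusted remote_ip TRUSTED_CIDR` (placeholder range) followed by `reverse_proxy @trusted http://127.0.0.1:8428`, or put `basic_auth` in front of the upstream. VictoriaMetrics' `-deleteAuthKey` flag would additionally keep series deletion behind a secret. Unlike the Grafana vhost, neither block has a `log` directive, so requests to these endpoints leave no access log for later review.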