From fa6380e76754130da2ebe59885b3e2d3ea13db6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= <torjus@usit.uio.no>
Date: Thu, 5 Feb 2026 01:03:50 +0100
Subject: [PATCH] monitoring: fix nix-cache_caddy scrape target TLS error

Move nix-cache_caddy back to a manual config in prometheus.nix using the
service CNAME (nix-cache.home.2rjus.net) instead of the hostname. The
auto-generated target used nix-cache01.home.2rjus.net which doesn't
match the TLS certificate SAN.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 services/monitoring/prometheus.nix | 12 ++++++++++++
 services/nix-cache/default.nix     |  5 -----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/services/monitoring/prometheus.nix b/services/monitoring/prometheus.nix
index c96b817..bc29de0 100644
--- a/services/monitoring/prometheus.nix
+++ b/services/monitoring/prometheus.nix
@@ -111,6 +111,18 @@ in
           }
         ];
       }
+      # TODO: nix-cache_caddy can't be auto-generated because the cert is issued
+      # for nix-cache.home.2rjus.net (service CNAME), not nix-cache01 (hostname).
+      # Consider adding a target override to homelab.monitoring.scrapeTargets.
+      {
+        job_name = "nix-cache_caddy";
+        scheme = "https";
+        static_configs = [
+          {
+            targets = [ "nix-cache.home.2rjus.net" ];
+          }
+        ];
+      }
       # pve-exporter with complex relabel config
       {
         job_name = "pve-exporter";
diff --git a/services/nix-cache/default.nix b/services/nix-cache/default.nix
index 5db16b7..3d5fd90 100644
--- a/services/nix-cache/default.nix
+++ b/services/nix-cache/default.nix
@@ -7,9 +7,4 @@
     ./nix.nix
   ];
 
-  homelab.monitoring.scrapeTargets = [{
-    job_name = "nix-cache_caddy";
-    port = 443;
-    scheme = "https";
-  }];
 }