From 93b82f6239bf810ecdb96241c7680628f5a7ebc9 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 17 Nov 2021 22:24:19 +0000
Subject: [PATCH] Restrict alertmanager web interface to admin users

---
 cookbooks/prometheus/recipes/server.rb            | 2 ++
 cookbooks/prometheus/templates/default/apache.erb | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb
index 9c215778e..675a206ec 100644
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -24,6 +24,7 @@ include_recipe "timescaledb"
 
 passwords = data_bag_item("prometheus", "passwords")
 tokens = data_bag_item("prometheus", "tokens")
+admins = data_bag_item("apache", "admins")
 
 prometheus_exporter "fastly" do
   port 8080
@@ -335,6 +336,7 @@ end
 
 apache_site "prometheus.openstreetmap.org" do
   template "apache.erb"
+  variables :admin_hosts => admins["hosts"]
 end
 
 template "/etc/cron.daily/prometheus-backup" do
diff --git a/cookbooks/prometheus/templates/default/apache.erb b/cookbooks/prometheus/templates/default/apache.erb
index 00760ed43..edc1647af 100644
--- a/cookbooks/prometheus/templates/default/apache.erb
+++ b/cookbooks/prometheus/templates/default/apache.erb
@@ -28,4 +28,10 @@
 	ProxyPass /alertmanager http://localhost:9093/alertmanager
 	ProxyPass / http://localhost:3000/
 	ProxyPreserveHost on
+
+	<Location /alertmanager>
+<% @admin_hosts.each do |host| -%>
+		Require ip <%= host %>
+<% end -%>
+	</Location>
 </VirtualHost>
-- 
2.45.1