Restrict access to caddy admin api

playbooks/roles/caddy/templates/Caddyfile.j2

@@ -1,14 +1,21 @@
 {
 	email {{ admin_email }}
 
+    metrics
+
 	servers {
-		metrics
 		strict_sni_host on
 	}
 }
 
 import /etc/caddy/snippets
 
+http://{{ host_vpn.domain }} {
+    import vpn_only
+
+    metrics
+}
+
 *.serguzim.me {
 	import acmedns
 

playbooks/roles/caddy/vars/main.yml

@@ -4,13 +4,10 @@ caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
 caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
 caddy_acmedns_url: "https://{{ acme_dns.host }}"
 
-caddy_ports_default:
-  - "{{ host_vpn.ip }}:2019:2019"
-caddy_ports_extra: "{{ host_services | services_get_attr('ports') | flatten | services_ports_to_docker('reverse_proxy') }}"
-caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
+caddy_ports: "{{ host_services | services_get_attr('ports') | flatten | services_ports_to_docker('reverse_proxy') }}"
 
 caddy_env:
-  CADDY_ADMIN: 0.0.0.0:2019
+  CADDY_ADMIN: unix//run/caddy-admin.sock
 
   ACMEDNS_USER: "{{ caddy_acmedns_user }}"
   ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"

playbooks/roles/lgtm_stack/templates/config.alloy.j2

@@ -39,7 +39,7 @@ prometheus.scrape "node_exporter" {
 prometheus.scrape "caddy" {
     targets = [
 {% for host_data in opentofu.hosts.values() %}
-        {"__address__" = "{{ host_data.fqdn_vpn }}:2019", "instance" = "{{ host_data.hostname }}"},
+        {"__address__" = "{{ host_data.fqdn_vpn }}", "instance" = "{{ host_data.hostname }}"},
 {% endfor %}
     ]
     forward_to = [prometheus.remote_write.mimir.receiver]

services.auto.tfvars

@@ -93,7 +93,6 @@ services = {
         protocol = "udp"
         type = "reverse_proxy"
       },
-      #"2019:2019",
     ]
     auth = false
     database = false