scottmuc / infrastructure

Documentation / Automation for personal third-party infrastructure
The Unlicense

Protect /prometheus and /grafana endpoints #62

Closed scottmuc closed 12 months ago

scottmuc commented 12 months ago

A kind viewer of my PI repave video pointed out that the following URLs are anonymously and publicly accessible:

I knew this and it was intentional. I enjoy the balancing act of being private vs transparency. I like the idea of visible infrastructure and light abstractions. I prefer a home that exposes the pipes. Cupboards without doors. This perspective bleeds into my home infrastructure.

Over a couple days, I put some thought into the risks of having these endpoints accessible (I would never expose these in a professional setting). If I keep up with posting videos, I'll have a target on me.

Here are some thoughts on the pros/cons:

The pros of keeping things the way they are are few. I personally don't need remote access (and if I do, there are better ways to do that). I don't showcase these endpoints for education purposes. The cons are that I have nginx configuration clutter. I have risk exposure that's not really warranted. Though the consequences of the risk are mitigated to some extent by my ability to wipe and repave as well as having backups of the most important personal files.

In summary, I'm taking on risk for no really good reason. This task will document the decisions and implementation details to adjust this.

scottmuc commented 12 months ago

Design Thoughts

For prometheus, I will take it out of the home.scottmuc.com nginx configuration. I'll create a prometheus.home.scottmuc.com DNS record and will access it over http and directly to the port it's listening on. This will require a tiny reconfigure of grafana datasources.

For grafana, it already has users configured, but I'm still going to take it out of the nginx configuration. I'll create a grafana.home.scottmuc.com DNS record and also access it directly via http and the port it is listening on. It does mean login credentials could be sniffed, but that requires someone to be on my network.

Updating the repave template will also need to be done to reflect these new changes.
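The review check below is an added example, not code from this repository: it scans a constructed nginx server block for location blocks that proxy to Prometheus or Grafana without any access-control directive, and then shows the config with those blocks removed, which is the end state the design above describes. It assumes the default upstream ports (9090 for Prometheus, 3000 for Grafana) and a flat, unnested location syntax; the hostname is the one named in this issue, and the sample config itself is constructed.

```python
import re

# Constructed sample vhost modelled on the situation described in the issue:
# /prometheus and /grafana are proxied on the public hostname. The upstream
# ports are the Prometheus and Grafana defaults (an assumption of this example).
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name home.scottmuc.com;

    location /prometheus/ {
        proxy_pass http://127.0.0.1:9090/;
    }

    location /grafana/ {
        proxy_pass http://127.0.0.1:3000/;
    }

    location /admin/ {
        auth_basic "restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://127.0.0.1:8080/;
    }

    location / {
        root /var/www/html;
    }
}
"""

# Upstream ports treated as monitoring services (default ports, assumed here).
MONITORING_PORTS = {"9090": "prometheus", "3000": "grafana"}

# Any of these directives inside a location means some access control applies.
ACCESS_CONTROL_RE = re.compile(r"^\s*(auth_basic|auth_request|allow|deny)\b", re.M)

# Matches one flat location block: "location <path> { ... }" with no nesting.
LOCATION_RE = re.compile(r"location\s+([^\s{]+)\s*\{(.*?)\}", re.S)

# Captures the upstream port of a proxy_pass directive.
PROXY_RE = re.compile(r"proxy_pass\s+https?://[^:;/]+:(\d+)")


def find_exposed_monitoring(config: str) -> list:
    """Return (path, service) for every location that proxies to a monitoring
    port and carries no access-control directive in the same block."""
    exposed = []
    for path, body in LOCATION_RE.findall(config):
        proxy = PROXY_RE.search(body)
        if not proxy:
            continue
        service = MONITORING_PORTS.get(proxy.group(1))
        if service and not ACCESS_CONTROL_RE.search(body):
            exposed.append((path, service))
    return exposed


def strip_locations(config: str, paths) -> str:
    """Return the config with the given location blocks removed, i.e. the
    'taken out of the nginx configuration' end state described in the issue."""
    paths = set(paths)

    def drop_if_listed(match):
        return "" if match.group(1) in paths else match.group(0)

    return LOCATION_RE.sub(drop_if_listed, config)


if __name__ == "__main__":
    findings = find_exposed_monitoring(SAMPLE_CONFIG)
    for path, service in findings:
        print(f"{path} proxies to {service} without access control")
    hardened = strip_locations(SAMPLE_CONFIG, [p for p, _ in findings])
    print("remaining findings:", find_exposed_monitoring(hardened))
```

Run it once before and once after the change: the first pass reports both paths, the second pass on the stripped config reports nothing while leaving unrelated locations (the `/admin/` block in the sample) intact. Grafana's own logins are not a substitute for this, since the check is about what the public vhost forwards at all.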

scottmuc commented 12 months ago

Summary

As the above commits show, this change was straightforward. I do like that the configuration is simpler overall too.

I don't really think this needs a video to review the end state. Some things that are probably noteworthy, but don't require much discussion, such as:

With that all said... I'll call this done.