From 662f7d702e4a6541c2e66a12522194814bb64315 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Tue, 17 Feb 2026 18:25:18 +0100 Subject: [PATCH] fix --- flake.nix | 36 ++++++++++++------------------------ hosts/matrix/default.nix | 4 ---- hosts/matrix/nginx.nix | 7 +++++++ hosts/matrix/synapse.nix | 2 +- 4 files changed, 20 insertions(+), 29 deletions(-) diff --git a/flake.nix b/flake.nix index 9ca59e7..c1f951f 100644 --- a/flake.nix +++ b/flake.nix @@ -46,18 +46,6 @@ { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { age.secrets = { - pushover_app_token = { - file = ./secrets/pushover_app_token.age; - mode = "440"; - owner = "root"; - group = "root"; - }; - pushover_user_key = { - file = ./secrets/pushover_user_key.age; - mode = "440"; - owner = "root"; - group = "root"; - }; matrix_registration_shared_secret = { file = ./secrets/matrix_registration_shared_secret.age; mode = "440"; @@ -82,18 +70,6 @@ owner = "root"; group = "root"; }; - grafana_secret_key = { - file = ./secrets/grafana_secret_key.age; - mode = "440"; - owner = "grafana"; - group = "grafana"; - }; - grafana_admin_password = { - file = ./secrets/grafana_admin_password.age; - mode = "440"; - owner = "grafana"; - group = "grafana"; - }; }; } ./hosts/matrix @@ -146,6 +122,18 @@ { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { age.secrets = { + grafana_secret_key = { + file = ./secrets/grafana_secret_key.age; + mode = "440"; + owner = "grafana"; + group = "grafana"; + }; + grafana_admin_password = { + file = ./secrets/grafana_admin_password.age; + mode = "440"; + owner = "grafana"; + group = "grafana"; + }; }; } ./hosts/monitoring diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix index 7b5fb53..1b321d8 100644 --- a/hosts/matrix/default.nix +++ b/hosts/matrix/default.nix 
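Review bot: Declaring `grafana_secret_key` and `grafana_admin_password` only under the monitoring host (third flake.nix hunk) does not by itself stop the matrix host from decrypting them. With agenix that is decided by each `.age` file's recipient list in the rules file (conventionally `secrets.nix`), which is not part of this patch. If the matrix host key is still a recipient, re-key both files for the monitoring host only. Since the second hunk shows both values were previously deployed to the matrix host, consider rotating them as well. `mode = "440"` with owner and group both `grafana` could also be tightened to `mode = "400"` if only the service user reads the files.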
@@ -21,10 +21,6 @@ allowedUDPPorts = [ 443 # HTTP/3 ]; - extraInputRules = '' - ip saddr 195.160.173.14/32 tcp dport 9009 accept comment "Allow monitoring to scrape" - ip6 saddr 2001:678:760:cccb::14/128 tcp dport 9009 accept comment "Allow monitoring to scrape" - ''; }; }; diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix index ff0efe7..fd354bd 100644 --- a/hosts/matrix/nginx.nix +++ b/hosts/matrix/nginx.nix @@ -18,6 +18,13 @@ proxy_http_version 1.1; ''; }; + "/metrics" = { + return = "204 \"🔍️\""; + extraConfig = '' + allow 2001:678:760:cccb::14; + allow 195.160.173.14; + deny all; + }; }; }; } diff --git a/hosts/matrix/synapse.nix b/hosts/matrix/synapse.nix index 0032ebe..b49b881 100644 --- a/hosts/matrix/synapse.nix +++ b/hosts/matrix/synapse.nix @@ -32,7 +32,7 @@ type = "metrics"; tls = false; port = 9009; - bind_addresses = [ "::" "0.0.0.0" ]; + bind_addresses = [ "::1" ]; resources = [ { compress = false;
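Review bot: The `extraConfig = ''` string opened in the new `"/metrics"` location is never closed, since the next added line is `};`, so as shown this file should fail to evaluate; add `'';` after `deny all;`. Separately, nginx runs `return` in the rewrite phase, before `allow`/`deny` are checked, so every client gets the 204 regardless of the access list and the monitoring host gets no metrics from it. If the intent is to expose the Synapse listener that the synapse.nix hunk moves to loopback port 9009, replace the `return` line with something like `proxyPass = "http://[::1]:9009/_synapse/metrics";` (path to be confirmed against the Synapse listener config). The allow-list then actually gates the proxied response.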
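Review bot: Binding the metrics listener to `"::1"` alone means any local client must use the IPv6 loopback explicitly; a proxy upstream written as `127.0.0.1:9009`, or `localhost` resolving to IPv4 first, would be refused. Together with the firewall rule removed in hosts/matrix/default.nix, the nginx `"/metrics"` location becomes the only route for the monitoring host, and `tls = false` is acceptable only because the listener is loopback-only. A comment on the line would record that, e.g. `# loopback only: reached via the nginx "/metrics" location; keep off public interfaces while tls = false`. The listener block starts and ends outside the hunk.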