Monitor headscale with prometheus

ansible/roles/forrest/files/prometheus/prometheus.yml

@@ -155,3 +155,13 @@ scrape_configs:
     static_configs:
       - targets:
           - speedtest_exporter:9516
+
+  - job_name: headscale
+    metrics_path: /metrics
+    static_configs:
+      - targets:
+          - "{{ nebula.clients.casey.ip }}:9090"
+    metric_relabel_configs:
+      - source_labels: [__name__]
+        regex: go_.+
+        action: drop

ansible/roles/headscale/files/headscale.yml

@@ -21,7 +21,7 @@ listen_addr: 127.0.0.1:8416
 # to keep this endpoint private to your internal
 # network
 #
-metrics_listen_addr: 127.0.0.1:9090
+metrics_listen_addr: "{{ private_ip }}:9090"
 
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server

ansible/roles/ingress/files/nftables.conf

@@ -36,5 +36,8 @@ table inet filter {
         # Allow traffic from nebula to proxmox network
         ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
         ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+
+        # Allow monitoring of nebula network
+        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
     }
 }