refactor: move mimir/grafana to services/ and use /api/services/mimir route

Move Mimir proxy from backend to collect, reusing collect's existing
BasicAuthMiddleware (Argon2id, multi-level cache). Update nginx proxy,
Grafana datasource, render.yaml, and docs accordingly.

Author: edospadoni

backend/.env.example

@@ -78,9 +78,6 @@ REDIS_URL=redis://localhost:6379
 # System configuration
 #SYSTEM_TYPES=ns8,nsec
 
-# Mimir metrics storage
-#MIMIR_URL=http://localhost:9009
-
 # ===========================================
 # AUTO-DERIVED URLS (DO NOT SET MANUALLY)
 # ===========================================

backend/README.md

@@ -234,29 +234,6 @@ backend/
 ```
 
 
-## Metrics Proxy (Mimir)
-
-Wildcard reverse proxy at `ANY /api/mimir/*` that forwards requests to a Mimir instance. **No JWT middleware** — authentication uses system credentials.
-
-**Config:**
-```bash
-MIMIR_URL=http://localhost:9009   # default
-```
-
-**Auth flow:**
-1. Client sends `Authorization: Basic base64(system_key:system_secret)`
-2. Handler decodes: `username=system_key`, `password=<public>.<secret>`
-3. DB lookup by `system_secret_public` (only active, non-suspended systems)
-4. Verifies `system_key` matches and Argon2id-verifies the secret part via `helpers.VerifySystemSecret()`
-5. Strips `/api/mimir` prefix, forwards path + query + body to `MIMIR_URL`
-6. Sets `X-Scope-OrgID: <organization_id>` on the upstream request
-7. Streams response back via `io.Copy` (no buffering — required for large metric payloads)
-
-**Notes:**
-- Public route — not protected by JWT middleware; uses its own system-credential auth.
-- Nginx must have `proxy_request_buffering off` for this path to avoid buffering large writes.
-- Route registered in `main.go` as `api.Group("/mimir").Any("/*path", methods.ProxyMimir)`.
-
 ## Related
 - [openapi.yaml](openapi.yaml) - API specification
 - [Collect](../collect/README.md) - Collect server

backend/configuration/configuration.go

@@ -67,8 +67,6 @@ type Configuration struct {
 	SMTPFrom     string `json:"smtp_from"`
 	SMTPFromName string `json:"smtp_from_name"`
 	SMTPTLS      bool   `json:"smtp_tls"`
-	// Mimir configuration
-	MimirURL string `json:"mimir_url"`
 }
 
 var Config = Configuration{}
@@ -198,13 +196,6 @@ func Init() {
 	}
 	Config.SMTPTLS = parseBoolWithDefault("SMTP_TLS", true)
 
-	// Mimir configuration
-	if os.Getenv("MIMIR_URL") != "" {
-		Config.MimirURL = os.Getenv("MIMIR_URL")
-	} else {
-		Config.MimirURL = "http://localhost:9009"
-	}
-
 	// Log successful configuration load
 	logger.LogConfigLoad("env", "configuration", true, nil)
 }

backend/main.go

@@ -135,14 +135,6 @@ func main() {
 	// ===========================================
 	api.POST("/systems/register", methods.RegisterSystem)
 
-	// ===========================================
-	// MIMIR METRICS PROXY
-	// Uses system key/secret auth (not JWT)
-	// Wildcard proxy: authenticates system, adds X-Scope-OrgID, forwards to Mimir
-	// ===========================================
-	mimirProxy := api.Group("/mimir")
-	mimirProxy.Any("/*path", methods.ProxyMimir)
-
 	// ===========================================
 	// STANDARD OAUTH2/OIDC ROUTES (for third-party apps)
 	// Uses Logto tokens directly - standard compliance

backend/methods/mimir.go

@@ -64,7 +64,6 @@ tags:
     description: Collect service rebranding endpoints for systems
   - name: Collect - Metrics
     description: Collect service metrics proxy to Mimir (Prometheus remote_write and query)
-
 security:
   - BearerAuth: []
 
@@ -8134,7 +8133,7 @@ paths:
   # METRICS ENDPOINTS (Collect - Mimir Proxy)
   # ===========================================
 
-  /api/mimir/{path}:
+  /api/services/mimir/{path}:
     parameters:
       - name: path
         in: path
@@ -8152,14 +8151,14 @@ paths:
         `system_secret` as password), injects the `X-Scope-OrgID` header with the
         system's `organization_id` for multi-tenant isolation, and reverse-proxies
         the request to Mimir. Typical use: Grafana PromQL queries via
-        `GET /api/mimir/prometheus/api/v1/query`.
+        `GET /api/services/mimir/prometheus/api/v1/query`.
       security:
         - BasicAuth: []
       responses:
         '200':
           description: Proxied response from Mimir
         '400':
-          $ref: '#/components/responses/ValidationError'
+          $ref: '#/components/responses/BadRequest'
         '401':
           $ref: '#/components/responses/Unauthorized'
         '500':
@@ -8174,7 +8173,7 @@ paths:
         `system_secret` as password), injects the `X-Scope-OrgID` header with the
         system's `organization_id` for multi-tenant isolation, and reverse-proxies
         the request to Mimir. Primary use case: Prometheus `remote_write` ingestion
-        via `POST /api/mimir/api/v1/push` from NethServer systems.
+        via `POST /api/services/mimir/api/v1/push` from NethServer systems.
       security:
         - BasicAuth: []
       requestBody:
@@ -8194,7 +8193,7 @@ paths:
         '204':
           description: No content — Mimir acknowledged the write with no response body
         '400':
-          $ref: '#/components/responses/ValidationError'
+          $ref: '#/components/responses/BadRequest'
         '401':
           $ref: '#/components/responses/Unauthorized'
         '500':
@@ -8224,7 +8223,7 @@ paths:
         '204':
           description: No content
         '400':
-          $ref: '#/components/responses/ValidationError'
+          $ref: '#/components/responses/BadRequest'
         '401':
           $ref: '#/components/responses/Unauthorized'
         '500':
@@ -8247,8 +8246,9 @@ paths:
         '204':
           description: No content
         '400':
-          $ref: '#/components/responses/ValidationError'
+          $ref: '#/components/responses/BadRequest'
         '401':
           $ref: '#/components/responses/Unauthorized'
         '500':
           $ref: '#/components/responses/InternalServerError'
+

backend/openapi.yaml

@@ -86,6 +86,9 @@ REDIS_URL=redis://localhost:6379
 #CIRCUIT_BREAKER_THRESHOLD=10
 #CIRCUIT_BREAKER_TIMEOUT=60s
 
+# Mimir metrics storage
+#MIMIR_URL=http://localhost:9009
+
 # Logging configuration
 #LOG_LEVEL=info
 #LOG_FORMAT=json

collect/.env.example

@@ -80,6 +80,9 @@ type Configuration struct {
 
 	// Heartbeat monitoring configuration
 	HeartbeatTimeoutMinutes int `json:"heartbeat_timeout_minutes"`
+
+	// Mimir configuration
+	MimirURL string `json:"mimir_url"`
 }
 
 var Config = Configuration{}
@@ -161,6 +164,13 @@ func Init() {
 	// Heartbeat monitoring configuration
 	Config.HeartbeatTimeoutMinutes = parseIntWithDefault("HEARTBEAT_TIMEOUT_MINUTES", 10)
 
+	// Mimir configuration
+	if os.Getenv("MIMIR_URL") != "" {
+		Config.MimirURL = os.Getenv("MIMIR_URL")
+	} else {
+		Config.MimirURL = "http://localhost:9009"
+	}
+
 	// Log successful configuration load
 	logger.LogConfigLoad("env", "configuration", true, nil)
 }

collect/configuration/configuration.go

@@ -158,6 +158,15 @@ func main() {
 		systemsGroup.GET("/rebranding/:product_id/:asset", methods.GetSystemRebrandingAsset)
 	}
 
+	// ===========================================
+	// EXTERNAL SERVICES PROXY
+	// ===========================================
+	servicesGroup := api.Group("/services", middleware.BasicAuthMiddleware())
+	{
+		mimirProxy := servicesGroup.Group("/mimir")
+		mimirProxy.Any("/*path", methods.ProxyMimir)
+	}
+
 	// Handle missing endpoints
 	router.NoRoute(func(c *gin.Context) {
 		c.JSON(http.StatusNotFound, response.NotFound("api not found", nil))