From 11f944128f7c923ac5aeb1bb8cd26d14ac8c3f5a Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Wed, 22 Apr 2026 19:40:21 -0400
Subject: [PATCH] feat(metrics): enable mTLS support

Signed-off-by: Xe Iaso
---
 lib/metrics/metrics.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/metrics/metrics.go b/lib/metrics/metrics.go
index 5aad62cf..d94c089d 100644
--- a/lib/metrics/metrics.go
+++ b/lib/metrics/metrics.go
@@ -3,11 +3,13 @@ package metrics
 import (
 "context"
 "crypto/tls"
+ "crypto/x509"
 "errors"
 "fmt"
 "log/slog"
 "net/http"
 "net/http/pprof"
+ "os"
 "time"
 "github.com/TecharoHQ/anubis/internal"
@@ -78,6 +80,21 @@ func (s *Server) run(ctx context.Context, lg *slog.Logger) error {
 srv.TLSConfig = &tls.Config{
 GetCertificate: kpr.GetCertificate,
 }
+ if s.Config.TLS.CA != "" {
+ caCert, err := os.ReadFile(s.Config.TLS.CA)
+ if err != nil {
+ return fmt.Errorf("%w %s: %w", config.ErrCantReadFile, s.Config.TLS.CA, err)
+ }
+ certPool := x509.NewCertPool()
+ if !certPool.AppendCertsFromPEM(caCert) {
+ return fmt.Errorf("%w %s", config.ErrInvalidMetricsCACertificate, s.Config.TLS.CA)
+ }
+ srv.TLSConfig.ClientCAs = certPool
+ srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+ }
 }
 lg.Debug("listening for metrics", "url", metricsURL)
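Review bot: The new `if s.Config.TLS.CA != ""` block sits inside an enclosing block (closed by the ` }` just before `lg.Debug`) that appears to be conditional on the server certificate from `kpr` being set up, so when that outer condition is not met a configured CA is silently ignored and the metrics listener would come up without client-certificate enforcement; that condition starts before this hunk, so I cannot confirm it from here. A fail-closed option would be to reject "CA set but no server cert/key" at config-validation time, or to return an explicit error from `run` in that case, rather than letting the option no-op. Separately, `x509.CertPool.AppendCertsFromPEM` reports success as soon as one certificate in the bundle parses, so a partly malformed bundle passes this check silently; a comment above it such as `// AppendCertsFromPEM succeeds if at least one cert parses; malformed entries in the bundle are skipped, not rejected` would keep the next reader from over-trusting the check. `run` begins before and continues after the hunk.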