author | WilliButz <wbutz@cyberfnord.de> | 2018-08-02 15:27:00 +0200 |
---|---|---|
committer | WilliButz <wbutz@cyberfnord.de> | 2018-08-03 13:20:53 +0200 |
commit | 9216da8928bc17878635ef50dac089f01a8c6466 (patch) | |
tree | c749a22326b94c64d9d77c25ac4487a75a37f882 /nixos/modules/services/monitoring/prometheus/exporters.nix | |
parent | a4ec1ec0394eabcb0b6acd3066a0c0d631060b60 (diff) | |
nixos/prometheus-exporters: use nixos-fw chain
Use nixos-fw chain instead of INPUT so that the rules don't keep stacking every time the firewall is reloaded. This also adds a comment to each rule about the associated exporter.
Diffstat (limited to 'nixos/modules/services/monitoring/prometheus/exporters.nix')
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/exporters.nix | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 9c58a15bcd7..1d5f400250f 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -73,7 +73,7 @@ let
 description = ''
 Specify a filter for iptables to use when
 <option>services.prometheus.exporters.${name}.openFirewall</option>
- is true. It is used as `ip46tables -I INPUT <option>firewallFilter</option> -j ACCEPT`.
+ is true. It is used as `ip46tables -I nixos-fw <option>firewallFilter</option> -j nixos-fw-accept`.
 '';
 };
 user = mkOption {
@@ -116,9 +116,10 @@ let
 mkExporterConf = { name, conf, serviceOpts }:
 mkIf conf.enable {
- networking.firewall.extraCommands = mkIf conf.openFirewall ''
- ip46tables -I INPUT ${conf.firewallFilter} -j ACCEPT
- '';
+ networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
+ "ip46tables -I nixos-fw ${conf.firewallFilter} "
+ "-m comment --comment ${name}-exporter -j nixos-fw-accept"
+ ]);
 systemd.services."prometheus-${name}-exporter" = mkMerge ([{
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 |
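Review bot: The command shown in the `firewallFilter` description no longer matches what the module emits, because the second hunk places `-m comment --comment ${name}-exporter` between the filter and the jump while the description shows only the filter followed by `-j nixos-fw-accept`. The documented form should carry the same `-m comment --comment ${name}-exporter` fragment, so an operator reading `iptables -S nixos-fw` can map a rule back to this option. It would also help to add one sentence saying the value is inserted verbatim into the firewall script and should therefore hold only iptables match arguments. The option definition starts and ends outside this hunk.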
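Review bot: `${conf.firewallFilter}` and `${name}` are spliced into the new `extraCommands` string as raw shell text, so any whitespace or shell metacharacter in either is interpreted by the shell that runs the firewall script. The filter has to stay unquoted because it carries several iptables arguments, but the comment is a single argument and can be quoted, e.g. `"-m comment --comment ${escapeShellArg "${name}-exporter"} -j nixos-fw-accept"`. That assumes `escapeShellArg` is in scope the same way `concatStrings` is, which should be confirmed against the top of the file. The accept rule also matches every source address unless the filter restricts it, so a comment above the assignment noting that `openFirewall` exposes the exporter port on IPv4 and IPv6 alike would be useful. `mkExporterConf` continues past the end of the hunk.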