From 6f0c449648e8490bcb0f4afcef811058d43d5b7a Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Tue, 26 Dec 2023 12:21:30 +0100
Subject: [PATCH] metrics: fix iptables rules

---
 common/metrics-exporters.nix | 14 +++++++-------
 hosts/voyager/filesystems.nix | 12 ++++++++++--
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/common/metrics-exporters.nix b/common/metrics-exporters.nix
index 26a9b10..f1675b6 100644
--- a/common/metrics-exporters.nix
+++ b/common/metrics-exporters.nix
@@ -7,13 +7,13 @@
 enabledCollectors = [ "systemd" ];
 };
 
- systemd.services.prometheus-node-exporter.serviceConfig = {
- # TODO: Define allowed IPs
- # IPAddressDeny = "any";
- # IPAddressAllow = [
- # values.chapel.ipv4
- # values.chapel.ipv6
- # ];
+ networking.firewall = {
+ # TODO: Move this into the node-exporter systemd service
+ allowedTCPPorts = [ 9100 ];
+ extraCommands = ''
+ iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j ACCEPT
+ iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
+ '';
 };
 
 services.promtail = {
diff --git a/hosts/voyager/filesystems.nix b/hosts/voyager/filesystems.nix
index b51c9d7..c6a035e 100644
--- a/hosts/voyager/filesystems.nix
+++ b/hosts/voyager/filesystems.nix
@@ -13,8 +13,16 @@
 services.zfs.autoScrub.enable = true;
 services.prometheus.exporters.zfs = {
 enable = true;
- openFirewall = true;
- firewallFilter = "-p tcp -m tcp -s 192.168.10.175 --dport 9134"; # Only allow defiant
+ # "ip46" is cursed, do it manually below
+ # openFirewall = true;
+ # firewallFilter = "-p tcp -m tcp --source 192.168.10.175/32 --dport 9134";
+ };
+ networking.firewall = {
+ allowedTCPPorts = [ 9134 ];
+ extraCommands = ''
+ iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9134 -j ACCEPT
+ iptables -A INPUT -p tcp -m tcp --dport 9134 -j DROP
+ '';
 };
 
 # Network mounts (import)
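Review bot: The source restriction on port 9100 in common/metrics-exporters.nix is not reliably enforced, because `allowedTCPPorts = [ 9100 ]` accepts the port for every source inside the NixOS nixos-fw chain while the `-j DROP` is appended to INPUT; whether the DROP is ever consulted depends on where the INPUT-to-nixos-fw jump sits relative to the extraCommands rules, which this hunk does not control. The same pattern is repeated for 9134 in hosts/voyager/filesystems.nix. On IPv6 the allowedTCPPorts accept applies with no matching ip6tables DROP at all, so the exporter is reachable from any IPv6 peer even when the IPv4 rules do work. If this host uses the iptables backend, the intent is expressed unambiguously by dropping `allowedTCPPorts` and the DROP line and placing the allow rule in the firewall's own chain, `iptables -A nixos-fw -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j nixos-fw-accept`, so that everything else (IPv4 and IPv6) falls through to the default refuse rule.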
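Review bot: The rules added to INPUT with `-A` in hosts/voyager/filesystems.nix (and likewise in common/metrics-exporters.nix) have no counterpart in `networking.firewall.extraStopCommands`, so a firewall restart appends another copy of each ACCEPT/DROP pair; over successive rebuilds INPUT accumulates duplicates that make the effective ruleset hard to audit. Mirror each rule with `-D` in the stop script, e.g. `iptables -D INPUT -p tcp -m tcp --dport 9134 -j DROP 2>/dev/null || true`, or keep the rules in a NixOS-managed chain that the firewall flushes itself. The address `192.168.10.175/32` is now a bare literal in two files and four rules; the removed lines show a `values.<host>.ipv4` binding convention that is presumably the right home for it (the old comment names the peer "defiant"), which would keep a future address change from silently leaving one exporter open or unreachable.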