felixalb/nixos-config
felixalb/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

metrics: fix iptables rules

Browse Source
This commit is contained in:
Felix Albrigtsen 2023-12-26 12:21:30 +01:00
parent ff87c90ce6
commit 773c961d55
2 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
common/metrics-exporters.nix
View File

@ -7,13 +7,13 @@
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
# TODO: Define allowed IPs
# IPAddressDeny = "any";
# IPAddressAllow = [
# values.chapel.ipv4
# values.chapel.ipv6
# ];
networking.firewall = {
# TODO: Move this into the node-exporter systemd service
allowedTCPPorts = [ 9100 ];
extraCommands = ''
iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
'';
};
services.promtail = {

12
hosts/voyager/filesystems.nix
View File

@ -13,8 +13,16 @@
services.zfs.autoScrub.enable = true;
services.prometheus.exporters.zfs = {
enable = true;
openFirewall = true;
firewallFilter = "-p tcp -m tcp -s 192.168.10.175 --dport 9134"; # Only allow defiant
# "ip46" is cursed, do it manually below
# openFirewall = true;
# firewallFilter = "-p tcp -m tcp --source 192.168.10.175/32 --dport 9134";
};
networking.firewall = {
allowedTCPPorts = [ 9134 ];
extraCommands = ''
iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9134 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9134 -j DROP
'';
};
# Network mounts (import)