metrics: fix iptables rules

2023-12-26 12:21:30 +01:00
parent ff87c90ce6
commit 773c961d55
2 changed files with 17 additions and 9 deletions
--- a/hosts/voyager/filesystems.nix
+++ b/hosts/voyager/filesystems.nix
@@ -13,8 +13,16 @@
  services.zfs.autoScrub.enable = true;
  services.prometheus.exporters.zfs = {
    enable = true;
-    openFirewall = true;
-    firewallFilter = "-p tcp -m tcp -s 192.168.10.175 --dport 9134"; # Only allow defiant
+    # "ip46" is cursed, do it manually below
+    # openFirewall = true;
+    # firewallFilter = "-p tcp -m tcp --source 192.168.10.175/32 --dport 9134";
+  };
+  networking.firewall = {
+    allowedTCPPorts = [ 9134 ];
+    extraCommands = ''
+      iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9134 -j ACCEPT
+      iptables -A INPUT -p tcp -m tcp --dport 9134 -j DROP
+    '';
  };

  # Network mounts (import)