metrics: fix iptables rules

common/metrics-exporters.nix

@@ -7,13 +7,13 @@
     enabledCollectors = [ "systemd" ];
   };
 
-  systemd.services.prometheus-node-exporter.serviceConfig = {
+  networking.firewall = {
-    # TODO: Define allowed IPs
+    # TODO: Move this into the node-exporter systemd service
-    # IPAddressDeny = "any";
+    allowedTCPPorts = [ 9100 ];
-    # IPAddressAllow = [
+    extraCommands = ''
-    #   values.chapel.ipv4
+      iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j ACCEPT
-    #   values.chapel.ipv6
+      iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
-    # ];
+    '';
   };
 
   services.promtail = {

hosts/voyager/filesystems.nix

@@ -13,8 +13,16 @@
   services.zfs.autoScrub.enable = true;
   services.prometheus.exporters.zfs = {
     enable = true;
-    openFirewall = true;
+    # "ip46" is cursed, do it manually below
-    firewallFilter = "-p tcp -m tcp -s 192.168.10.175 --dport 9134"; # Only allow defiant
+    # openFirewall = true;
+    # firewallFilter = "-p tcp -m tcp --source 192.168.10.175/32 --dport 9134";
+  };
+  networking.firewall = {
+    allowedTCPPorts = [ 9134 ];
+    extraCommands = ''
+      iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9134 -j ACCEPT
+      iptables -A INPUT -p tcp -m tcp --dport 9134 -j DROP
+    '';
   };
 
   # Network mounts (import)