modules/monitoring: Migrate firewall from iptables to NixOS declarative

2025-05-08 12:03:35 +02:00
parent 69ccc0c692
commit 0b6d9623bc
1 changed files with 8 additions and 10 deletions
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -61,9 +61,6 @@ in

    services.prometheus.exporters.node = {
      enable = true;
-      #listenAddress = "${monitoring-network-base}${cfg.id}";
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
      enabledCollectors = [
       "systemd"
      ];
@@ -80,14 +77,10 @@ in

    services.prometheus.exporters.bird = mkIf cfg.bird {
      enable = true;
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
    };

    services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
      enable = true;
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
      configFile = pkgs.writeText "blackbox.yml" ''
        modules:
          icmp6:
@@ -109,8 +102,13 @@ in
      listen = "[::]:9152";
    };

-    networking.firewall.extraCommands = ''
-      ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
-    '';
+    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
+      9100 # node-exporter
+      9152 # nixos-exporter
+    ] ++ (if cfg.bird then [
+      9324 # bird-exporter
+    ] else []) ++ (if cfg.blackbox then [
+      9115 # blackbox-exporter
+    ] else []);
  };
 }