modules/monitoring: Migrate firewall from iptables to NixOS declarative

modules/monitoring/default.nix

@@ -61,9 +61,6 @@ in
 
     services.prometheus.exporters.node = {
       enable = true;
-      #listenAddress = "${monitoring-network-base}${cfg.id}";
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
       enabledCollectors = [
        "systemd"
       ];
@@ -80,14 +77,10 @@ in
 
     services.prometheus.exporters.bird = mkIf cfg.bird {
       enable = true;
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
     };
 
     services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
       enable = true;
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
       configFile = pkgs.writeText "blackbox.yml" ''
         modules:
           icmp6:
@@ -109,8 +102,13 @@ in
       listen = "[::]:9152";
     };
 
-    networking.firewall.extraCommands = ''
+    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
-      ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
+      9100 # node-exporter
-    '';
+      9152 # nixos-exporter
+    ] ++ (if cfg.bird then [
+      9324 # bird-exporter
+    ] else []) ++ (if cfg.blackbox then [
+      9115 # blackbox-exporter
+    ] else []);
   };
 }