summaryrefslogtreecommitdiffstats
path: root/nixos/modules/services/monitoring/prometheus/exporters.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/services/monitoring/prometheus/exporters.nix')
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters.nix16
1 files changed, 15 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 8c5ec2992eda..640c6c339cf6 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -169,6 +169,17 @@ let
is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
'';
};
+ firewallRules = mkOption {
+ type = types.nullOr types.lines;
+ default = null;
+ example = literalExpression ''
+ iifname "eth0" tcp dport ${toString port} counter accept
+ '';
+ description = lib.mdDoc ''
+ Specify rules for nftables to add to the input chain
+ when {option}`services.prometheus.exporters.${name}.openFirewall` is true.
+ '';
+ };
user = mkOption {
type = types.str;
default = "${name}-exporter";
@@ -194,6 +205,7 @@ let
} // extraOpts);
} ({ config, ... }: mkIf config.openFirewall {
firewallFilter = mkDefault "-p tcp -m tcp --dport ${toString config.port}";
+ firewallRules = mkDefault ''tcp dport ${toString config.port} accept comment "${name}-exporter"'';
})];
internal = true;
default = {};
@@ -212,6 +224,7 @@ let
mkExporterConf = { name, conf, serviceOpts }:
let
enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
+ nftables = config.networking.nftables.enable;
in
mkIf conf.enable {
warnings = conf.warnings or [];
@@ -223,10 +236,11 @@ let
users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {};
});
- networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
+ networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [
"ip46tables -A nixos-fw ${conf.firewallFilter} "
"-m comment --comment ${name}-exporter -j nixos-fw-accept"
]);
+ networking.firewall.extraInputRules = mkIf (conf.openFirewall && nftables) conf.firewallRules;
systemd.services."prometheus-${name}-exporter" = mkMerge ([{
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-02 16:38:13 +0000