From c53703a6b2a526104fd34aed9258ce458fb30d5b Mon Sep 17 00:00:00 2001
From: Andrew Childs
Date: Wed, 13 Mar 2019 19:44:36 +0900
Subject: [PATCH] nixos/prometheus: use append instead of insert for opening firewalls (#55224)

Inserting with `-I` causes the rules to placed before `ctstate` tracking, while `-A` places them alongside all other allow rules.
---
 nixos/modules/services/monitoring/prometheus/exporters.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 0a084561002f..fa53107ef24b 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -119,7 +119,7 @@ let
 mkExporterConf = { name, conf, serviceOpts }:
 mkIf conf.enable {
 networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
- "ip46tables -I nixos-fw ${conf.firewallFilter} "
+ "ip46tables -A nixos-fw ${conf.firewallFilter} "
 "-m comment --comment ${name}-exporter -j nixos-fw-accept"
 ]);
 systemd.services."prometheus-${name}-exporter" = mkMerge ([{
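Review bot: The `-A` on the new `ip46tables` line is only correct while `networking.firewall.extraCommands` is emitted before whatever terminal refuse/drop rule the `nixos-fw` chain ends with. That ordering lives in the firewall module and is not visible in this hunk; if it ever changed, the appended rule would never match and the exporter port would stay closed without any error. I would record the dependency next to the string, e.g. `# -A (not -I): stay behind the ctstate rule; relies on extraCommands running before nixos-fw's final refuse rule`. Separately, `${conf.firewallFilter}` and `${name}` are spliced unquoted into a script that presumably runs as root, which a multi-argument filter needs, but the option's description should say the value is handed to the shell verbatim. The `mkExporterConf` body continues past the end of the hunk.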