Merge pull request #44394 from mayflower/exporter-firewall-fix

nixos/prometheus-exporters: use nixos-fw chain
Franz Pletz 2018-08-03 13:21:00 +00:00 committed by GitHub
commit cb691b987f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -73,7 +73,7 @@ let
description = '' description = ''
Specify a filter for iptables to use when Specify a filter for iptables to use when
<option>services.prometheus.exporters.${name}.openFirewall</option> <option>services.prometheus.exporters.${name}.openFirewall</option>
is true. It is used as `ip46tables -I INPUT <option>firewallFilter</option> -j ACCEPT`. is true. It is used as `ip46tables -I nixos-fw <option>firewallFilter</option> -j nixos-fw-accept`.
''; '';
}; };
user = mkOption { user = mkOption {
@ -116,9 +116,10 @@ let
mkExporterConf = { name, conf, serviceOpts }: mkExporterConf = { name, conf, serviceOpts }:
mkIf conf.enable { mkIf conf.enable {
networking.firewall.extraCommands = mkIf conf.openFirewall '' networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
ip46tables -I INPUT ${conf.firewallFilter} -j ACCEPT "ip46tables -I nixos-fw ${conf.firewallFilter} "
''; "-m comment --comment ${name}-exporter -j nixos-fw-accept"
]);
systemd.services."prometheus-${name}-exporter" = mkMerge ([{ systemd.services."prometheus-${name}-exporter" = mkMerge ([{
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
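Review bot: The `firewallFilter` description in the first hunk no longer matches the rule that `mkExporterConf` builds in the second hunk, because the generated command also carries `-m comment --comment ${name}-exporter`. I would document the full form, `ip46tables -I nixos-fw <option>firewallFilter</option> -m comment --comment ${name}-exporter -j nixos-fw-accept`, so that someone auditing `iptables -S` output can map a rule back to this option. `${conf.firewallFilter}` is also spliced unescaped into the firewall script, so the description should say that the value is raw iptables match arguments and must come from trusted configuration only. Because `-I` without a rule number inserts at the head of `nixos-fw`, the accept rule takes precedence over rules already in that chain; a sentence recommending that the filter be narrowed by source or interface (`-s`, `-i`) would help keep the metrics port from being exposed more widely than intended. The body of `mkExporterConf` continues past the end of this hunk.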