Unverified Commit 598c71da authored by Maciej Krüger's avatar Maciej Krüger Committed by GitHub
Browse files

Merge pull request #222415 from justinas/prometheus-exporters-nftables 

prometheus-exporters: support nftables
parents 68a93a15 eddd1e46

nixos/modules/services/monitoring/prometheus/exporters.md

+1 −0
Original line number Diff line number Diff line
@@ -72,6 +72,7 @@ example: 
      - `extraFlags`

      - `openFirewall`

      - `firewallFilter`

      - `firewallRules`

      - `user`

      - `group`

  - As there is already a package available, the module can now be added. This

nixos/modules/services/monitoring/prometheus/exporters.nix

+15 −1
Original line number Diff line number Diff line
@@ -169,6 +169,17 @@ let 
        is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.

      '';

    };

    firewallRules = mkOption {

      type = types.nullOr types.lines;

      default = null;

      example = literalExpression ''

        iifname "eth0" tcp dport ${toString port} counter accept

      '';

      description = lib.mdDoc ''

        Specify rules for nftables to add to the input chain

        when {option}`services.prometheus.exporters.${name}.openFirewall` is true.

      '';

    };

    user = mkOption {

      type = types.str;

      default = "${name}-exporter";
@@ -194,6 +205,7 @@ let 
        } // extraOpts);

      } ({ config, ... }: mkIf config.openFirewall {

        firewallFilter = mkDefault "-p tcp -m tcp --dport ${toString config.port}";

        firewallRules = mkDefault ''tcp dport ${toString config.port} accept comment "${name}-exporter"'';

      })];

      internal = true;

      default = {};
@@ -212,6 +224,7 @@ let 
  mkExporterConf = { name, conf, serviceOpts }:

    let

      enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;

      nftables = config.networking.nftables.enable;

    in

    mkIf conf.enable {

      warnings = conf.warnings or [];
@@ -223,10 +236,11 @@ let 
      users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {

        "${name}-exporter" = {};

      });

      networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [

      networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [

        "ip46tables -A nixos-fw ${conf.firewallFilter} "

        "-m comment --comment ${name}-exporter -j nixos-fw-accept"

      ]);

      networking.firewall.extraInputRules = mkIf (conf.openFirewall && nftables) conf.firewallRules;

      systemd.services."prometheus-${name}-exporter" = mkMerge ([{

        wantedBy = [ "multi-user.target" ];

        after = [ "network.target" ];