Commit eddd1e46 authored by Justinas Stankevicius's avatar Justinas Stankevicius

prometheus-exporters: support nftables

parent 509d8ca5
+1 −0
@@ -68,6 +68,7 @@ example:
      - `extraFlags`
      - `openFirewall`
      - `firewallFilter`
      - `firewallRules`
      - `user`
      - `group`
  - As there is already a package available, the module can now be added. This
+15 −1
@@ -127,6 +127,17 @@ let
        is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
      '';
    };
    firewallRules = mkOption {
      type = types.nullOr types.lines;
      default = null;
      example = literalExpression ''
        iifname "eth0" tcp dport ${toString port} counter accept
      '';
      description = lib.mdDoc ''
        Specify rules for nftables to add to the input chain
        when {option}`services.prometheus.exporters.${name}.openFirewall` is true.
      '';
    };
    user = mkOption {
      type = types.str;
      default = "${name}-exporter";
@@ -152,6 +163,7 @@ let
        } // extraOpts);
      } ({ config, ... }: mkIf config.openFirewall {
        firewallFilter = mkDefault "-p tcp -m tcp --dport ${toString config.port}";
        firewallRules = mkDefault ''tcp dport ${toString config.port} accept comment "${name}-exporter"'';
      })];
      internal = true;
      default = {};
@@ -170,6 +182,7 @@ let
  mkExporterConf = { name, conf, serviceOpts }:
    let
      enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
      nftables = config.networking.nftables.enable;
    in
    mkIf conf.enable {
      warnings = conf.warnings or [];
@@ -181,10 +194,11 @@ let
      users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
        "${name}-exporter" = {};
      });
      networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
      networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [
        "ip46tables -A nixos-fw ${conf.firewallFilter} "
        "-m comment --comment ${name}-exporter -j nixos-fw-accept"
      ]);
      networking.firewall.extraInputRules = mkIf (conf.openFirewall && nftables) conf.firewallRules;
      systemd.services."prometheus-${name}-exporter" = mkMerge ([{
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
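Review bot: The new `firewallRules` option's description (the `lib.mdDoc` block in the first hunk) does not say that the rules are only applied when `networking.nftables.enable` is true, and the existing `firewallFilter` description still reads as if it is always used, so a reader of either option cannot tell which one is in effect on their system. Suggest appending to the `firewallRules` description `Only used when {option}`networking.nftables.enable` is true; otherwise {option}`services.prometheus.exporters.${name}.firewallFilter` applies.` and the mirror sentence on `firewallFilter`. As a secondary point, `firewallRules` is `types.nullOr types.lines` with `default = null`, so a user who overrides the `mkDefault` with `null` while `openFirewall` is set would hand `null` to `networking.firewall.extraInputRules` in the last hunk; whether that is accepted depends on that option's type, which is not visible here. The `systemd.services` attribute set in the last hunk continues outside the hunk.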