From 575afe3fa7b65e92afa4beab026af52d2d35e83b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 Jan 2017 15:29:35 +0100 Subject: [PATCH] prometheus exporter modules: unify firewall handling --- .../monitoring/prometheus/blackbox-exporter.nix | 10 ++++++++++ .../services/monitoring/prometheus/json-exporter.nix | 10 ++++++++++ .../services/monitoring/prometheus/nginx-exporter.nix | 10 +++++++++- .../services/monitoring/prometheus/node-exporter.nix | 10 ++++++++++ .../monitoring/prometheus/varnish-exporter.nix | 10 ++++++++++ 5 files changed, 49 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix b/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix index a1ecd6ef58cd..7a343299c315 100644 --- a/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix +++ b/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix @@ -31,10 +31,20 @@ in { Extra commandline options when launching the blackbox exporter. ''; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open port in firewall for incoming connections. + ''; + }; }; }; config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; + systemd.services.prometheus-blackbox-exporter = { description = "Prometheus exporter for blackbox probes"; unitConfig.Documentation = "https://github.com/prometheus/blackbox_exporter"; diff --git a/nixos/modules/services/monitoring/prometheus/json-exporter.nix b/nixos/modules/services/monitoring/prometheus/json-exporter.nix index ff3a137a0cf9..6bc56df9834b 100644 --- a/nixos/modules/services/monitoring/prometheus/json-exporter.nix +++ b/nixos/modules/services/monitoring/prometheus/json-exporter.nix 
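Review bot: The `openFirewall` description added in the blackbox-exporter hunk does not say which port is opened or for whom: `networking.firewall.allowedTCPPorts` admits every source on every interface, and nothing visible in the hunk puts access control in front of the exporter. For the blackbox exporter this matters more than for the others, because its probe endpoint takes the probe target from the request, so any host that can reach the port can make this machine send probes on its behalf. I would state that in the option text, e.g. `Open the exporter's port (see the port option) in the firewall for all sources and interfaces. The exporter does not authenticate clients; prefer a rule limited to the Prometheus server where possible.` The same description is added unchanged in the json, nginx, node and varnish hunks and should get the same wording there. The `options` and `config` blocks both start and end outside the hunk.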
@@ -38,10 +38,20 @@ in { Extra commandline options when launching the JSON exporter. ''; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open port in firewall for incoming connections. + ''; + }; }; }; config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; + systemd.services.prometheus-json-exporter = { description = "Prometheus exporter for JSON over HTTP"; unitConfig.Documentation = "https://github.com/kawamuray/prometheus-json-exporter"; diff --git a/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix b/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix index 8aa0184e53ad..1ccafee3b18b 100644 --- a/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix +++ b/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix @@ -41,11 +41,19 @@ in { Extra commandline options when launching the nginx exporter. ''; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open port in firewall for incoming connections. + ''; + }; }; }; config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ cfg.port ]; + networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; systemd.services.prometheus-nginx-exporter = { after = [ "network.target" "nginx.service" ]; diff --git a/nixos/modules/services/monitoring/prometheus/node-exporter.nix b/nixos/modules/services/monitoring/prometheus/node-exporter.nix index 52dc14effc45..0cf0b85afb57 100644 --- a/nixos/modules/services/monitoring/prometheus/node-exporter.nix +++ b/nixos/modules/services/monitoring/prometheus/node-exporter.nix 
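Review bot: The `openFirewall` option and the `allowedTCPPorts` line in the json-exporter hunk are a verbatim copy of the blackbox-exporter ones, and the nginx, node and varnish hunks repeat them again. Per-module copies of a firewall rule can drift apart, as the unconditional `[ cfg.port ]` that this commit removes from the nginx module suggests. Consider declaring the option and the rule once in a shared helper used by every exporter module, so that a later tightening such as a source filter reaches all of them. `optional` is presumably in scope through a `with lib;` above the hunk, which is not visible here.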
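Review bot: Replacing `[ cfg.port ]` with `optional cfg.openFirewall cfg.port` under `default = false` closes a port that existing nginx-exporter hosts currently have open, so after an upgrade a remote Prometheus will stop being able to scrape them without any evaluation warning. Closed by default is the safer setting, but the diffstat lists only the five module files, so the behaviour change is not documented anywhere in this commit. I would add to the description `Earlier versions of this module always opened the port; set this to true to keep that behaviour.` and add a matching release-notes entry. The `config` block continues outside the hunk.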
@@ -44,10 +44,20 @@ in { Extra commandline options when launching the node exporter. ''; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open port in firewall for incoming connections. + ''; + }; }; }; config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; + systemd.services.prometheus-node-exporter = { description = "Prometheus exporter for machine metrics"; unitConfig.Documentation = "https://github.com/prometheus/node_exporter"; diff --git a/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix b/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix index 0f608760e917..143ebb62aeac 100644 --- a/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix +++ b/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix @@ -25,10 +25,20 @@ in { Extra commandline options when launching the Varnish exporter. ''; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open port in firewall for incoming connections. + ''; + }; }; }; config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; + systemd.services.prometheus-varnish-exporter = { description = "Prometheus exporter for Varnish metrics"; unitConfig.Documentation = "https://github.com/jonnenauha/prometheus_varnish_exporter";