Added firewall rule for node exporters

config/assets/suricata.yaml

@@ -1,7 +1,6 @@
-  %YAML 1.1
+%YAML 1.1
-  ---
+---
-
+vars:
-  vars:
   address-groups:
     HOME_NET: "[192.168.100.0/24]"
     EXTERNAL_NET: "!$HOME_NET"
@@ -32,17 +31,17 @@
     TEREDO_PORTS: 3544
     SIP_PORTS: "[5060, 5061]"
 
-  default-log-dir: /home/logging/logs
+default-log-dir: /home/logging/logs
-  classification-file: /etc/suricata/classification.config
+classification-file: /etc/suricata/classification.config
-  reference-config-file: /etc/suricata/reference.config
+reference-config-file: /etc/suricata/reference.config
-  default-rule-path: /etc/suricata/rules
+default-rule-path: /etc/suricata/rules
-  rule-files:
+rule-files:
   - suricata.rules
 
-  stats:
+stats:
   enabled: yes
 
-  af-packet:
+af-packet:
   - interface: enp6s18
     use-mmap: yes
     tpacket-v3: yes
@@ -50,7 +49,7 @@
     cluster-type: cluster_flow
     defrag: yes
 
-  outputs:
+outputs:
   - fast:
       enabled: yes
       filename: fast.log

config/headless.nix

@@ -14,6 +14,8 @@
       enable = true;
       port = 9002;
       enabledCollectors = [ "systemd" "processes" ];
+      openFirewall = true;
+      firewallFilter = "-s 192.168.100.41 -p tcp -m tcp --dport 9002";
   };
 
   system.stateVersion = "24.05";

config/networking.nix

@@ -17,7 +17,7 @@ in {
   };
 
   networking.nameservers = [ gateway_ip ];
-  networking.firewall.allowedTCPPorts = open_ports ++ [9002];
+  networking.firewall.allowedTCPPorts = open_ports;
   networking.interfaces.enp6s18.ipv4.addresses = [
     {
       address = ip_address;