nicolasberens
commented
10 months ago The solution in the MR is a bit hacky, since it uses iptables, but the tunneldigger hosts use nftables.
we should heve either:
- a /etc/nftables.d dir where every role drops their config
- a nftables role that dynamically creates the correct config depending on other roles
currently the prometheus exporter is accessible for everyone.
we migh want to add a nf/iptables rule so to limit access to the monitoring server