diff --git a/hieradata/site/dev.yaml b/hieradata/site/dev.yaml
index 14db4b4dc0..380a63d501 100644
--- a/hieradata/site/dev.yaml
+++ b/hieradata/site/dev.yaml
@@ -61,5 +61,11 @@ profile::core::firewall::firewall:
     ipset: "ayekan src"
     dport: "9100"
     action: "accept"
+  "101 accept node_exporter":
+    proto: "tcp"
+    state: "NEW"
+    ipset: "dev src"  # allow ruka to access node_exporter
+    dport: "9100"
+    action: "accept"
 
 profile::core::docker::version: "24.0.9"
diff --git a/spec/support/spec/firewall.rb b/spec/support/spec/firewall.rb
index 49aaee735b..0660fdc9f3 100644
--- a/spec/support/spec/firewall.rb
+++ b/spec/support/spec/firewall.rb
@@ -58,7 +58,27 @@
 
 shared_examples 'firewall node_exporter scraping' do |site:|
   case site
-  when 'dev', 'ls'
+  when 'dev'
+    it do
+      is_expected.to contain_firewall('100 accept node_exporter').with(
+        proto: 'tcp',
+        state: 'NEW',
+        ipset: 'ayekan src',
+        dport: '9100',
+        action: 'accept',
+      )
+    end
+
+    it do
+      is_expected.to contain_firewall('101 accept node_exporter').with(
+        proto: 'tcp',
+        state: 'NEW',
+        ipset: 'dev src',
+        dport: '9100',
+        action: 'accept',
+      )
+    end
+  when 'ls'
     it do
       is_expected.to contain_firewall('100 accept node_exporter').with(
         proto: 'tcp',