(site/{dev,ls}) add firewall rules for node_exporter scraping

hieradata/site/dev.yaml

@@ -48,3 +48,12 @@ accounts::user_list:
 
 letsencrypt::server: "https://acme-staging.api.letsencrypt.org/directory"  # testing url
 profile::core::common::disable_ipv6: true
+
+profile::core::firewall::firewall:
+  "100 accept node_exporter":
+    proto: "tcp"
+    state: "NEW"
+    ipset: "ayekan src"
+    dport: "9100"
+    action: "accept"
+    require: "Ipset::Set[ayekan]"

hieradata/site/ls.yaml

@@ -47,3 +47,12 @@ accounts::user_list:
       - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsF9VQ7wjm0Rm/1HA6Zc94IAkhqol5cwT44MwwR6uzDyo+/tqa8awUnmVF+RyiJaR6NEKO6YhjkIPga7rDQJerCMLg/xfFzpRcKSi+Xw5YCQ3Z+4P8XZrICM2vzDV6rBELl4n8Bzk6ncXOcKwbUitw3aj6bJNduv6hGrhkJKlWob+cXGH+KZwDiLX82hxsWmktRWcwDEaXTFWq6dahg3/0niAojkfo2ZlJtRblSEgUBf7JITeXBGYAunAeUYE93xUC9tB1OIzisQLQKCFM2OgSjnO4NSx2r4nIPYhEOEhBnNBqF9mPqalRjoyimvF+lu/vsZ43r7nZyV4RwYbyfmVL [email protected]"
 
 profile::core::common::disable_ipv6: true
+
+profile::core::firewall::firewall:
+  "100 accept node_exporter":
+    proto: "tcp"
+    state: "NEW"
+    ipset: "ayekan src"
+    dport: "9100"
+    action: "accept"
+    require: "Ipset::Set[ayekan]"

spec/hosts/roles/perfsonar_spec.rb

@@ -31,6 +31,7 @@
           include_examples 'generic perfsonar', facts: facts
           include_examples 'ipset'
           include_examples 'firewall default', facts: facts
+          include_examples 'firewall node_exporter scraping', site: site
 
           it do
             is_expected.to contain_yum__versionlock('perfsonar-toolkit').with(

spec/support/spec/firewall.rb

@@ -55,3 +55,19 @@
     )
   end
 end
+
+shared_examples 'firewall node_exporter scraping' do |site:|
+  case site
+  when 'dev', 'ls'
+    it do
+      is_expected.to contain_firewall('100 accept node_exporter').with(
+        proto: 'tcp',
+        state: 'NEW',
+        ipset: 'ayekan src',
+        dport: '9100',
+        action: 'accept',
+        require: 'Ipset::Set[ayekan]',
+      )
+    end
+  end
+end