| author | Martin Fischer <martin@push-f.com> | 2025-12-25 18:59:14 +0100 |
|---|---|---|
| committer | Martin Fischer <martin@push-f.com> | 2025-12-26 08:03:25 +0100 |
| commit | a36b384657a11acdb267bfefa9bc7719ab6ab4a0 (patch) | |
| tree | 875f01397f3b93361221d220facc1d1b6931960c | |
| parent | fe82080cb6b38e3100b08308d48bd78220c9ec3c (diff) | |
refactor: introduce Services and Monitoring sections
| -rw-r--r-- | nixos/hosts/ev/default.nix | 92 | ||||
| -rw-r--r-- | nixos/hosts/tente/default.nix | 219 | ||||
| -rw-r--r-- | nixos/profiles/workstation/graphical.nix | 54 |
3 files changed, 205 insertions, 160 deletions
diff --git a/nixos/hosts/ev/default.nix b/nixos/hosts/ev/default.nix
index 0723b8d..459b48f 100644
--- a/nixos/hosts/ev/default.nix
+++ b/nixos/hosts/ev/default.nix
@@ -48,19 +48,13 @@ in
 # unsure why this is necessary
 networking.interfaces.enp3s0.useDHCP = true;
- home-automation.zigbee2mqttPort = ports.zigbee2mqtt;
- qbittorrent.webUiPort = ports.qbittorrent;
- qbittorrent.networkNamespace = "se";
- monitoring.alloyUiPort = ports.grafanaAlloy;
- monitoring.lokiPort = ports.grafanaLoki;
- monitoring.prometheusPort = ports.prometheus;
- monitoring.prometheusNodeExporterPort = ports.prometheusNodeExporter;
- exporters.sqlExporterPort = ports.prometheusSqlExporter;
- hosehawk.port = ports.hosehawk;
- miniflux.port = ports.miniflux;
- navidrome.port = ports.navidrome;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "ev";
+ networking.networkmanager.enable = true;
- home-automation.zigbeeSerialPort = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_e2fed465c59ded11962fd7a5a7669f5d-if00-port0";
+ time.timeZone = "Europe/Vienna";
 fileSystems = {
 "/mnt/personal" = {
@@ -75,6 +69,58 @@ in }; }; + users.users = { + martin = { + isNormalUser = true; + extraGroups = [ + "networkmanager" + "wheel" + ]; + }; + }; + + # Services + + services.nginx = { + enable = true; + virtualHosts."ev.tailnet" = helpers.serviceIndexHost "ev.tailnet" ports.webUis; + }; + + home-automation = { + zigbee2mqttPort = ports.zigbee2mqtt; + zigbeeSerialPort = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_e2fed465c59ded11962fd7a5a7669f5d-if00-port0"; + }; + + hosehawk = { + port = ports.hosehawk; + }; + + miniflux = { + port = ports.miniflux; + }; + + navidrome = { + port = ports.navidrome; + }; + + qbittorrent = { + webUiPort = ports.qbittorrent; + networkNamespace = "se"; + }; + + # Monitoring + + exporters = { + sqlExporterPort = ports.prometheusSqlExporter; + }; + + monitoring = { + alloyUiPort = ports.grafanaAlloy; + lokiPort = ports.grafanaLoki; + prometheusPort = ports.prometheus; + prometheusNodeExporterPort = ports.prometheusNodeExporter; + }; + # Backups age.secrets.restic-db.file = ./secrets/restic-db.age; age.secrets.restic-media.file = ./secrets/restic-media.age; @@ -107,23 +153,6 @@ in }; }; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.hostName = "ev"; - - networking.networkmanager.enable = true; - - time.timeZone = "Europe/Vienna"; - - users.users.martin = { - isNormalUser = true; - extraGroups = [ - "networkmanager" - "wheel" - ]; - }; - # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ # Enabling openssh automatically opens its port in the firewall. 
@@ -131,11 +160,6 @@ in
 ];
 networking.firewall.allowedUDPPorts = [];
- services.nginx = {
- enable = true;
- virtualHosts."ev.tailnet" = helpers.serviceIndexHost "ev.tailnet" ports.webUis;
- };
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index 8d2f4f3..54880dd 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -38,9 +38,107 @@ in "${sources.my-spec-pub}/service.nix" ]; - web-personal.domain = baseDomain; - web-personal.matrixApiDomain = config.matrix.apiDomain; - gitolite.dataDir = gitoliteDataDir; + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + networking.hostName = "tente"; + networking.networkmanager.enable = true; + + time.timeZone = "Europe/Vienna"; + + users.groups = { + www-data = {}; + www-generator = {}; + }; + + systemd.tmpfiles.rules = [ + "d /srv/www 2770 root www-data -" + ]; + + users.users = { + martin = { + isNormalUser = true; + extraGroups = [ + "wheel" # Enable ‘sudo’ for the user. + "www-data" + ]; + }; + + www-generator = { + isSystemUser = true; + group = "www-generator"; + }; + }; + + # Services + + # comes with a pre-configured SSH jail + services.fail2ban.enable = true; + + gitolite = { + dataDir = gitoliteDataDir; + }; + + grafana = { + port = ports.grafana; + matrixForwarderPort = ports.grafanaMatrixForwarder; + matrixServerUrl = "http://localhost:${toString ports.matrix}"; + }; + + headscale = { + domain = "tailscale.${baseDomain}"; + port = ports.headscale; + }; + + matrix = { + serverName = baseDomain; + apiDomain = "matrix.${baseDomain}"; + port = ports.matrix; + }; + + # Websites + + services.nginx = { + enable = true; + group = "www-data"; + + virtualHosts."tente.tailnet" = helpers.serviceIndexHost "tente.tailnet" ports.webUis; + + appendHttpConfig = '' + # Close the connection for unknown Host headers. + # If we don't do this nginx serves some random virtualhost. 
+ server { + listen 80 default_server; + listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_reject_handshake on; + return 444; + } + ''; + + commonHttpConfig = helpers.commonHttpConfig; + }; + + security.acme = { + acceptTerms = true; # https://letsencrypt.org/repository/ + defaults.email = acmeEmail; + }; + + services.logrotate.settings.nginx = { + delaycompress = false; + }; + + web-personal = { + domain = baseDomain; + matrixApiDomain = config.matrix.apiDomain; + }; + gitWeb = { domain = "git.${baseDomain}"; reposDir = reposDir; @@ -50,48 +148,39 @@ in user = config.services.gitolite.user; group = config.services.gitolite.group; }; - headscale.domain = "tailscale.${baseDomain}"; - matrix.serverName = baseDomain; - matrix.apiDomain = "matrix.${baseDomain}"; - - users.users.www-generator = { - isSystemUser = true; - group = "www-generator"; - }; - users.groups.www-generator = {}; - services.lex-surf = + services.geopos-share = let - domain = "lex.surf"; + domain = "geopos.link"; in { enable = true; - domain = domain; - enableACME = true; - fetchUser = "www-generator"; + virtualHost = domain; nginx = { + enableACME = true; forceSSL = true; extraConfig = helpers.mkNginxConfig domain; }; }; - services.osm_proposals = + services.lex-surf = let - domain = "osm-proposals.${baseDomain}"; + domain = "lex.surf"; in { enable = true; - virtualHost = domain; + domain = domain; + enableACME = true; + fetchUser = "www-generator"; nginx = { - enableACME = true; forceSSL = true; extraConfig = helpers.mkNginxConfig domain; }; }; - services.geopos-share = + services.osm_proposals = let - domain = "geopos.link"; + domain = "osm-proposals.${baseDomain}"; in { enable = true; 
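Review bot: `services.fail2ban.enable = true` in the new `# Services` block of the @@ -38,9 +38,107 hunk (just before `gitolite = {`) turns on the module-default sshd jail with no `ignoreIP` list, so a handful of failed key or password attempts from the operator's own machine can ban the address they administer from. This host also runs headscale and serves `tente.tailnet`, so admin SSH presumably arrives over the tailnet; if that is the case, `services.fail2ban.ignoreIP = [ "<TAILNET_CIDR>" ];` next to the enable line keeps a lockout from cutting off the management path. The comment above it could also point at where the jail is defined, e.g. `# the NixOS module enables an sshd jail by default; adjust services.fail2ban.jails if the defaults are too aggressive`. The module's enclosing attribute set starts and ends outside this hunk.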
@@ -132,11 +221,13 @@ in }; }; - grafana = { - port = ports.grafana; - matrixForwarderPort = ports.grafanaMatrixForwarder; - matrixServerUrl = "http://localhost:${toString ports.matrix}"; + # Monitoring + + exporters = { + sqlExporterPort = ports.prometheusSqlExporter; + storageboxExporterPort = ports.prometheusStorageboxExporter; }; + monitoring = { alloyUiPort = ports.grafanaAlloy; lokiPort = ports.grafanaLoki; @@ -151,16 +242,6 @@ in prometheusPort = ports.prometheus; prometheusNodeExporterPort = ports.prometheusNodeExporter; }; - exporters = { - sqlExporterPort = ports.prometheusSqlExporter; - storageboxExporterPort = ports.prometheusStorageboxExporter; - }; - headscale.port = ports.headscale; - matrix.port = ports.matrix; - - services.logrotate.settings.nginx = { - delaycompress = false; - }; # Backups @@ -185,22 +266,6 @@ in pruneOpts = ["--keep-daily 30" "--keep-weekly 8" "--keep-monthly 12"]; }; - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - # boot.loader.grub.efiSupport = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only - - networking.hostName = "tente"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Set your time zone. - time.timeZone = "Europe/Vienna"; - # Select internationalisation properties. # i18n.defaultLocale = "en_US.UTF-8"; # console = { 
@@ -212,16 +277,6 @@ in # Enable the X11 windowing system. # services.xserver.enable = true; - users.users.martin = { - isNormalUser = true; - extraGroups = [ - "wheel" # Enable ‘sudo’ for the user. - "www-data" - ]; - packages = with pkgs; [ - ]; - }; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ @@ -245,44 +300,6 @@ in ]; networking.firewall.allowedUDPPorts = []; - # comes with a pre-configured SSH jail - services.fail2ban.enable = true; - - users.groups.www-data = {}; - - systemd.tmpfiles.rules = [ - "d /srv/www 2770 root www-data -" - ]; - - services = { - nginx = { - enable = true; - group = "www-data"; - - virtualHosts."tente.tailnet" = helpers.serviceIndexHost "tente.tailnet" ports.webUis; - - appendHttpConfig = '' - # Close the connection for unknown Host headers. - # If we don't do this nginx serves some random virtualhost. - server { - listen 80 default_server; - listen [::]:80 default_server; - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - ssl_reject_handshake on; - return 444; - } - ''; - - commonHttpConfig = helpers.commonHttpConfig; - }; - }; - - security.acme = { - acceptTerms = true; # https://letsencrypt.org/repository/ - defaults.email = acmeEmail; - }; - # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). This is useful in case you # accidentally delete configuration.nix. diff --git a/nixos/profiles/workstation/graphical.nix b/nixos/profiles/workstation/graphical.nix index c30a24e..1cbb9de 100644 --- a/nixos/profiles/workstation/graphical.nix +++ b/nixos/profiles/workstation/graphical.nix 
@@ -1,6 +1,35 @@
 { config, pkgs, ... }:
 {
+ # Services
+
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+ security.rtkit.enable = true; # recommended for PipeWire
+ hardware.bluetooth.enable = true;
+
+ services.upower.enable = true;
+
+ systemd.user.services.hugo-notes = {
+ after = ["network.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ WorkingDirectory = "%h/repos/notes";
+ ExecStart = "${pkgs.hugo}/bin/hugo serve --port 1313";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+
+ wantedBy = ["default.target"];
+ };
+
+ # Packages
+
 programs.sway = {
 enable = true;
 extraPackages = [];
@@ -49,8 +78,6 @@
 poweralertd
 ];
- services.upower.enable = true;
-
 # This generates /etc/xdg/mimeapps.list. The XDG spec and xdg-open don't support wildcards in MIME types.
 # TODO: use an xdg-open alternative that supports wildcards in MIME types and doesn't use mimeapps.list
 xdg.mime.defaultApplications =
@@ -66,30 +93,7 @@
 "x-scheme-handler/mailto" = "thunderbird.desktop";
 };
- services.pipewire = {
- enable = true;
- alsa.enable = true;
- alsa.support32Bit = true;
- pulse.enable = true;
- };
- security.rtkit.enable = true; # recommended for PipeWire
- hardware.bluetooth.enable = true;
-
 programs.thunderbird = {
 enable = true;
 };
-
- systemd.user.services.hugo-notes = {
- after = ["network.target"];
-
- serviceConfig = {
- Type = "simple";
- WorkingDirectory = "%h/repos/notes";
- ExecStart = "${pkgs.hugo}/bin/hugo serve --port 1313";
- Restart = "on-failure";
- RestartSec = "5s";
- };
-
- wantedBy = ["default.target"];
- };
 }
|
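Review bot: `systemd.user.services.hugo-notes` in the first hunk of graphical.nix has no condition on `%h/repos/notes` existing, so on any workstation that imports this profile without that checkout the unit fails at `WorkingDirectory` and `Restart = "on-failure"` with `RestartSec = "5s"` keeps retrying every five seconds. Adding `unitConfig.ConditionPathIsDirectory = "%h/repos/notes";` beside `after` makes the unit a no-op on those machines instead. The `ExecStart` also relies on hugo's default of binding to loopback, as far as I recall; writing it as `hugo serve --bind 127.0.0.1 --port 1313` documents that this dev server is not meant to be reachable beyond the local machine. The profile's attribute set opens in this hunk's context lines and closes at the `}` in the last hunk.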
