Configure monitoring

common/fragments/bin.nix

@@ -1,10 +1,21 @@
-{ ... }: {
+{ config, ... }:
+{
   imports = [ ../../common/services/bin.nix ];
 
   services.bin = {
     enable = true;
-    address = "0.0.0.0";
     port = 6162;
     textUploadLimit = 64;
   };
+
+  services.nginx.virtualHosts."thermalpaste.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:6162";
+      proxyWebsockets = true;
+      extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
+    };
+  };
 }

common/fragments/bittorrent.nix

@@ -1,65 +1,96 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
-  system.fsPackages = with pkgs; [
+  sops.secrets."gluetun.env" = {
-    gocryptfs
+    sopsFile = ../../secrets/gluetun.env;
-    cifs-utils
+    format = "dotenv";
-  ];
+  };
-  systemd.mounts = [
+  virtualisation.oci-containers.containers =
+    let
+      QBITTORRENT_WEBUI_PORT = "8080";
+    in
     {
-      after = [ "network.target" ];
+      "gluetun" = {
-      what = "//library.technogothic.net/backup";
+        image = "qmcgaw/gluetun:latest";
-      where = "/mnt/library-raw";
-      type = "cifs";
-      options = "gid=users,file_mode=0664,dir_mode=0775";
-      mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
-    }
-    {
-      what = "/mnt/library-raw";
-      where = "/mnt/library";
-      type = "fuse.gocryptfs";
-      options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
-      wantedBy = [ "multi-user.target" ];
-    }
-  ];
-
-  virtualisation.oci-containers.containers = {
-    "qbittorrent" = {
-      image = "dyonr/qbittorrentvpn";
         autoStart = true;
         volumes = [
-        "/var/lib/qbittorrent:/config"
+          "/var/lib/gluetun:/gluetun"
-        "/mnt/library:/downloads"
+          "/etc/localtime:/etc/localtime:ro"
+        ];
+        ports = [
+          "127.0.0.1:${QBITTORRENT_WEBUI_PORT}:8080"
+          "100.64.0.1:${QBITTORRENT_WEBUI_PORT}:8080"
         ];
         environment = {
-        VPN_TYPE = "wireguard";
+          VPN_SERVICE_PROVIDER = "protonvpn";
-        LAN_NETWORK = "10.21.0.0/16,10.42.0.0/24,100.64.0.0/24";
+          VPN_TYPE = "openvpn";
+          VPN_PORT_FORWARDING = "on";
+          SERVER_COUNTRIES = "Germany, Netherlands";
+          PORT_FORWARD_ONLY = "on";
+          VPN_PORT_FORWARDING_UP_COMMAND = "/bin/sh -c '/usr/bin/wget -O- --retry-connrefused --post-data \"json={\\\"listen_port\\\":{{PORTS}}}\" http://localhost:${QBITTORRENT_WEBUI_PORT}/api/v2/app/setPreferences 2>&1'";
         };
-      ports = [ "8080:8080" ];
+        environmentFiles = [ config.sops.secrets."gluetun.env".path ];
         extraOptions = [
           "--cap-add=NET_ADMIN"
           "--device=/dev/net/tun"
-        "--privileged"
+        ];
+      };
+      "qbittorrent" = {
+        image = "lscr.io/linuxserver/qbittorrent:latest";
+        autoStart = true;
+        dependsOn = [ "gluetun" ];
+        volumes = [
+          "/var/lib/qbittorrent:/config"
+          "/mnt/library:/downloads"
+          "/etc/localtime:/etc/localtime:ro"
+        ];
+        environment = {
+          PUID = "1000";
+          PGID = "1000";
+          WEBUI_PORT = QBITTORRENT_WEBUI_PORT;
+        };
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+      "qui" = {
+        image = "ghcr.io/autobrr/qui:latest";
+        autoStart = true;
+        dependsOn = [ "qbittorrent" ];
+        volumes = [
+          "/var/lib/qui:/config"
+          "/mnt/library:/data/torrents"
+        ];
+        ports = [
+          "100.64.0.1:7476:7476"
         ];
       };
     };
 
-  # Jellyfin
+  sops.secrets.qbittorrent-pass = { };
-  services.jellyfin = {
+  systemd.services.qbittorrent-prometheus-exporter = {
-    enable = true;
+    wantedBy = [ "multi-user.target" ];
-    openFirewall = true;
+    after = [ "network.target" ];
-  };
+
-  environment.systemPackages = with pkgs; [
+    serviceConfig = {
-    jellyfin
+      Type = "simple";
-    jellyfin-web
+      ExecStart = "${pkgs.prometheus-qbittorrent-exporter}/bin/qbit-exp";
-    jellyfin-ffmpeg
+      Restart = "always";
+
+      Environment = [
+        "EXPORTER_PORT=9006"
+        "QBITTORRENT_USERNAME=Agatha"
+        "QBITTORRENT_PASSWORD_FILE=${config.sops.secrets.qbittorrent-pass.path}"
+        "QBITTORRENT_BASE_URL=http://localhost:8080"
       ];
+    };
+  };
 
   # SMB Share
   services.samba = {
     enable = true;
     openFirewall = true;
     settings.global = {
-      "server string" = "Watchtower";
+      "server string" = "Synchronicity-II";
       "guest account" = "nobody";
       "map to guest" = "bad user";
     };
@@ -70,15 +101,4 @@
       "guest ok" = "yes";
     };
   };
-
-  services.prowlarr = {
-    enable = true;
-    openFirewall = true;
-  };
-
-  services.radarr = {
-    enable = true;
-    openFirewall = true;
-    user = "root";
-  };
 }

common/fragments/grafana.nix

@@ -14,37 +14,13 @@
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ config.services.grafana.settings.server.http_port ];
+  services.nginx.virtualHosts."grafana.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
 
-  services.prometheus = {
+    locations."/" = {
-    enable = true;
+      proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
-    port = 9001;
+      proxyWebsockets = true;
-    retentionTime = "365d";
+    };
-    scrapeConfigs = [
-      {
-        job_name = "bloodletting";
-        static_configs = [
-          { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
-        ];
-      }
-      {
-        job_name = "nginx";
-        static_configs = [
-          { targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; }
-        ];
-      }
-      {
-        job_name = "telegraf";
-        static_configs = [
-          { targets = [ config.services.telegraf.extraConfig.outputs.prometheus_client.listen ]; }
-        ];
-      }
-      {
-        job_name = "process";
-        static_configs = [
-          { targets = [ "localhost:${toString config.services.prometheus.exporters.process.port}" ]; }
-        ];
-      }
-    ];
   };
 }

common/fragments/graphical/default.nix

@@ -4,21 +4,18 @@
 
   # User packages
   users.users.agatha.packages = with pkgs; [
-    android-tools
-    broot
     colmena
     exiftool
     ffmpeg
+    file
     flac
     hyperfine
     just
     magic-wormhole
-    neofetch
     nil
+    nixd
     pfetch
-    pridefetch
     rink
-    sshfs
     whois
     wireguard-tools
     yt-dlp

common/fragments/headscale.nix

@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   services.headscale = {
     enable = true;
@@ -11,6 +12,17 @@
         ]; # AdGuard Public DNS
         base_domain = "thorns.home.arpa";
       };
+      taildrop.enabled = true;
+    };
+  };
+
+  services.nginx.virtualHosts."hs.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.headscale.port}";
+      proxyWebsockets = true;
     };
   };
 }

common/fragments/media.nix

@@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+{
+  # Jellyfin
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+
+  services.prowlarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  sops.secrets.jellyfin-token = {
+    sopsFile = ../../secrets/jellyfin-exporter.env;
+    format = "dotenv";
+  };
+  virtualisation.oci-containers.containers."jellyfin-prometheus-exporter" = {
+    image = "rebelcore/jellyfin-exporter:latest";
+    autoStart = true;
+    ports = [
+      "127.0.0.1:9007:9594"
+    ];
+    environmentFiles = [ config.sops.secrets.jellyfin-token.path ];
+    entrypoint = "/bin/sh";
+    cmd = [
+      "-c"
+      "/bin/jellyfin_exporter --jellyfin.address=http://100.64.0.6:8096 --jellyfin.token=$JELLYFIN_TOKEN --collector.activity"
+    ];
+  };
+}

common/fragments/prometheus.nix

@@ -1,6 +1,23 @@
+{ config, ... }:
 {
-  # Enable Prometheus exporters
   services.prometheus = {
+    enable = true;
+    port = 9001;
+    retentionTime = "365d";
+    scrapeConfigs =
+      let
+        input = job_name: host: {
+          inherit job_name;
+          static_configs = [
+            { targets = [ host ]; }
+          ];
+        };
+      in
+      [
+        (input "node" "localhost:${toString config.services.prometheus.exporters.node.port}")
+        (input "nginx" "localhost:${toString config.services.prometheus.exporters.nginx.port}")
+        (input "process" "localhost:${toString config.services.prometheus.exporters.process.port}")
+      ];
     exporters = {
       node = {
         enable = true;
@@ -33,18 +50,4 @@
       };
     };
   };
-
-  services.telegraf = {
-    enable = true;
-    extraConfig = {
-      inputs.x509_cert = {
-        sources = [ "https://technogothic.net:443" ];
-        interval = "10m";
-      };
-      outputs.prometheus_client = {
-        listen = "localhost:9004";
-        metric_version = 2;
-      };
-    };
-  };
 }

common/fragments/storage.nix

@@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets.gocryptfs-pass = { };
+  sops.secrets."hetzner.env" = {
+    sopsFile = ../../secrets/hetzner.env;
+    format = "dotenv";
+  };
+
+  system.fsPackages = with pkgs; [
+    gocryptfs
+    cifs-utils
+  ];
+  systemd.mounts = [
+    {
+      after = [ "network.target" ];
+      what = "//library.technogothic.net/backup";
+      where = "/mnt/library-raw";
+      type = "cifs";
+      options = "uid=1000,gid=users,file_mode=0664,dir_mode=0775";
+      mountConfig.EnvironmentFile = config.sops.secrets."hetzner.env".path;
+    }
+    {
+      what = "/mnt/library-raw";
+      where = "/mnt/library";
+      type = "fuse.gocryptfs";
+      options = "allow_other,passfile=${config.sops.secrets.gocryptfs-pass.path}";
+      wantedBy = [ "multi-user.target" ];
+    }
+  ];
+}

common/fragments/virt.nix

@@ -23,7 +23,7 @@
       ];
   };
 
-  hardware.opengl.enable = true;
+  hardware.graphics.enable = true;
   virtualisation.spiceUSBRedirection.enable = true;
   services.openssh.settings.X11Forwarding = true;
 

common/home_manager/common.nix

@@ -54,9 +54,38 @@
         };
       };
 
+      jujutsu = {
+        enable = true;
+        settings = {
+          inherit (config.home-manager.users.agatha.programs.git.settings) user;
+          signing = {
+            backend = "ssh";
+            behavior = "own";
+          };
+          ui.default-command = "log";
+          ui.diff-editor = ":builtin";
+          template-aliases = {
+            "format_short_signature(signature)" = "signature.name()";
+          };
+          revset-aliases = {
+            "closest_pushable(to)" =
+              "heads(::to & mutable() & ~description(exact:\"\") & (~empty() | merges()))";
+          };
+          aliases.tug = [
+            "bookmark"
+            "move"
+            "--from"
+            "heads(::@ & bookmarks())"
+            "--to"
+            "closest_pushable(@)"
+          ];
+        };
+      };
+
       delta = {
         enable = true;
         enableGitIntegration = true;
+        enableJujutsuIntegration = true;
         options = {
           blame-format = "{timestamp:<15} {author:<18.18} {commit:<8}";
           file-modified-label = "modified:";

common/services/bin.nix

@@ -1,9 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 with lib;
 
-let cfg = config.services.bin;
+let
-in {
+  cfg = config.services.bin;
+in
+{
   options = {
     services.bin = {
       enable = mkEnableOption "Pastebin";
@@ -54,11 +61,10 @@ in {
 
       serviceConfig = {
         Type = "simple";
-        Environment =
+        Environment = ''BIN_LIMITS={form="${toString cfg.textUploadLimit} MiB"}'';
-          ''BIN_LIMITS={form="${toString cfg.textUploadLimit} MiB"}'';
+        ExecStart = "${
-        ExecStart = "${pkgs.bin}/bin/bin -a ${toString cfg.address} -b ${
+          pkgs.callPackage ../../common/pkgs/bin.nix { }
-            toString cfg.binaryUploadLimit
+        }/bin/bin -a ${toString cfg.address} -b ${toString cfg.binaryUploadLimit} -p ${toString cfg.port} -u ${toString cfg.upload}";
-          } -p ${toString cfg.port} -u ${toString cfg.upload}";
         WorkingDirectory = "/var/lib/bin_rs";
         Restart = "always";
       };

hosts/bloodletting/configuration.nix

@@ -7,12 +7,9 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../common/fragments/bin.nix
     ../../common
     ../../common/linux-specific.nix
     ../../common/fragments/fail2ban.nix
-    ../../common/fragments/grafana.nix
-    ../../common/fragments/headscale.nix
     ../../common/fragments/hedgedoc.nix
     ../../common/fragments/mastodon-ebooks.nix
     ../../common/fragments/mastodon.nix
@@ -22,7 +19,7 @@
     ../../common/fragments/minecraft.nix
     ../../common/fragments/nyandroid.nix
     ../../common/fragments/postgres.nix
-    ../../common/fragments/prometheus_exporters.nix
+    ../../common/fragments/prometheus.nix
     ../../common/fragments/prosody.nix
     ../../common/fragments/sops.nix
     ../../common/fragments/vsftpd.nix
@@ -31,7 +28,6 @@
 
   nixpkgs.overlays = [
     (final: prev: {
-      bin = final.callPackage ../../common/pkgs/bin.nix { };
       agatha-mastodon = final.callPackage ../../common/pkgs/mastodon/default.nix { };
     })
   ];
@@ -185,27 +181,6 @@
       globalRedirect = "technogothic.net";
     };
 
-    virtualHosts."grafana.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:2342";
-        proxyWebsockets = true;
-      };
-    };
-
-    virtualHosts."thermalpaste.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:6162";
-        proxyWebsockets = true;
-        extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
-      };
-    };
-
     virtualHosts."ftp.technogothic.net" = {
       useACMEHost = "technogothic.net";
       forceSSL = true;
@@ -261,16 +236,6 @@
       };
     };
 
-    virtualHosts."hs.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
-        proxyWebsockets = true;
-      };
-    };
-
     virtualHosts."jellyfin.technogothic.net" = {
       useACMEHost = "technogothic.net";
       forceSSL = true;

hosts/penrose/configuration.nix

@@ -6,8 +6,9 @@
 
   nixpkgs.hostPlatform = "aarch64-darwin";
 
-  home-manager.users.agatha.programs = {
+  home-manager.users.agatha.programs = rec {
     git.signing.key = "/Users/agatha/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/4286cbdb09fc1738081e8f7996a0b984.pub";
+    jujutsu.settings.signing.key = git.signing.key;
   };
 
   system.stateVersion = 6;

hosts/sierpinski/configuration.nix

@@ -6,8 +6,9 @@
 
   nixpkgs.hostPlatform = "aarch64-darwin";
 
-  home-manager.users.agatha.programs = {
+  home-manager.users.agatha.programs = rec {
     git.signing.key = "/Users/agatha/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0082ebb800203877650324946262cf51.pub";
+    jujutsu.settings.signing.key = git.signing.key;
   };
 
   system.stateVersion = 6;

hosts/synchronicity/configuration.nix

@@ -6,14 +6,20 @@
   imports = [
     ./hardware-configuration.nix
     ./networking.nix
+    ./monitoring.nix
     ../../common
     ../../common/linux-specific.nix
+    ../../common/fragments/bin.nix
+    ../../common/fragments/bittorrent.nix
+    ../../common/fragments/grafana.nix
     ../../common/fragments/headscale.nix
+    ../../common/fragments/prometheus.nix
     ../../common/fragments/sops.nix
+    ../../common/fragments/storage.nix
     ../../common/home_manager/common.nix
   ];
 
-  networking.hostName = "synchronicity";
+  networking.hostName = "synchronicity-ii";
 
   # Enable networking
   networking.networkmanager.enable = true;
@@ -51,8 +57,9 @@
   security.acme.defaults.email = "letsencrypt@technogothic.net";
 
   security.acme.certs."technogothic.net" = {
-    domain = "hs.technogothic.net";
+    domain = "*.technogothic.net";
     extraDomainNames = [
+      "technogothic.net"
     ];
     dnsProvider = "hurricane";
     credentialsFile = config.sops.secrets.hurricane-tokens.path;
@@ -75,16 +82,6 @@
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-
-    virtualHosts."hs.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
-        proxyWebsockets = true;
-      };
-    };
   };
 
   # This value determines the NixOS release from which the default
@@ -93,5 +90,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "25.11"; # Did you read the comment?
 }

hosts/synchronicity/hardware-configuration.nix

@@ -6,9 +6,20 @@
     efiInstallAsRemovable = true;
     device = "nodev";
   };
-  fileSystems."/boot" = { device = "/dev/disk/by-uuid/F5B8-26D6"; fsType = "vfat"; };
+  fileSystems."/boot" = {
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+    device = "/dev/disk/by-uuid/7A0A-7539";
+    fsType = "vfat";
+  };
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "xen_blkfront"
+    "vmw_pvscsi"
+  ];
   boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
 
 }

hosts/synchronicity/monitoring.nix

@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+  services.prometheus.scrapeConfigs =
+    let
+      input = job_name: host: {
+        inherit job_name;
+        static_configs = [
+          { targets = [ host ]; }
+        ];
+      };
+    in
+    [
+      (input "telegraf" "localhost${config.services.telegraf.extraConfig.outputs.prometheus_client.listen}")
+      (input "qbittorrent" "localhost:9006")
+    ];
+
+  services.telegraf = {
+    enable = true;
+    extraConfig = {
+      inputs.x509_cert = {
+        sources = [ "https://technogothic.net:443" ];
+        interval = "10m";
+      };
+      outputs.prometheus_client = {
+        listen = ":9004";
+        metric_version = 2;
+      };
+    };
+  };
+}

hosts/synchronicity/networking.nix

@@ -1,8 +1,10 @@
-{ lib, ... }: {
+{ lib, ... }:
+{
   # This file was populated at runtime with the networking
   # details gathered from the active system.
   networking = {
-    nameservers = [ "8.8.8.8"
+    nameservers = [
+      "8.8.8.8"
     ];
     defaultGateway = "172.31.1.1";
     defaultGateway6 = {
@@ -14,20 +16,39 @@
     interfaces = {
       eth0 = {
         ipv4.addresses = [
-          { address="157.180.21.190"; prefixLength=32; }
+          {
+            address = "77.42.21.227";
+            prefixLength = 32;
+          }
         ];
         ipv6.addresses = [
-          { address="2a01:4f9:c013:cf97::1"; prefixLength=64; }
+          {
-{ address="fe80::9000:6ff:fe46:85f6"; prefixLength=64; }
+            address = "2a01:4f9:c012:5901::1";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::9000:7ff:fe07:64f5";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [
+          {
+            address = "172.31.1.1";
+            prefixLength = 32;
+          }
+        ];
+        ipv6.routes = [
+          {
+            address = "fe80::1";
+            prefixLength = 128;
+          }
         ];
-        ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
-        ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
       };
 
     };
   };
   services.udev.extraRules = ''
-    ATTR{address}=="92:00:06:46:85:f6", NAME="eth0"
+    ATTR{address}=="92:00:07:07:64:f5", NAME="eth0"
 
   '';
 }

hosts/tears/hardware-configuration.nix

@@ -1,21 +1,31 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules =
+  boot.initrd.availableKernelModules = [
-    [ "thunderbolt" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+    "thunderbolt"
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
   boot.initrd.systemd = {
     enable = true;
-    emergencyAccess =
+    emergencyAccess = "$2b$05$eOIXFST5/9G6vAFIZDLGfuJV7CV1B26YmRMAFRstyRHwvBNFSN6Im";
-      "$2b$05$eOIXFST5/9G6vAFIZDLGfuJV7CV1B26YmRMAFRstyRHwvBNFSN6Im";
   };
 
   boot.supportedFilesystems = [ "ntfs" ];
@@ -42,10 +52,12 @@
     fsType = "btrfs";
   };
 
-  swapDevices = [{
+  swapDevices = [
+    {
       device = "/var/lib/swapfile";
       size = 8 * 1024;
-  }];
+    }
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -57,11 +69,10 @@
   # networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode =
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
 
-  hardware.opengl = {
+  hardware.graphics = {
     enable = true;
-    driSupport32Bit = true;
+    enable32Bit = true;
   };
 }

hosts/watchtower/configuration.nix

@@ -1,11 +1,14 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../common/fragments/bittorrent.nix
+    ./monitoring.nix
     ../../common
     ../../common/fragments/home-assistant.nix
+    ../../common/fragments/media.nix
+    ../../common/fragments/prometheus.nix
     ../../common/fragments/sops.nix
     ../../common/fragments/sponsorblock.nix
+    ../../common/fragments/storage.nix
     ../../common/home_manager/common.nix
     ../../common/linux-specific.nix
   ];

hosts/watchtower/monitoring.nix

@@ -0,0 +1,14 @@
+{
+  services.prometheus.scrapeConfigs =
+    let
+      input = job_name: host: {
+        inherit job_name;
+        static_configs = [
+          { targets = [ host ]; }
+        ];
+      };
+    in
+    [
+      (input "jellyfin" "localhost:9007")
+    ];
+}