feat: better prometheus integration

machines/calcite/configuration.nix

@@ -208,7 +208,6 @@
     element-desktop
     tdesktop
     qq
-    feishu
 
     # Password manager
     bitwarden
@@ -265,6 +264,11 @@
   custom.forgejo-actions-runner.enable = true;
   custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path;
 
+  custom.prometheus = {
+    enable = true;
+    exporters.enable = true;
+  };
+
   # MTP support
   services.gvfs.enable = true;
 

machines/dolomite/default.nix

@@ -14,6 +14,12 @@ in
   config = {
     isBandwagon = builtins.elem config.networking.hostName bwgHosts;
     isLightsail = builtins.elem config.networking.hostName awsHosts;
+
+    commonSettings = {
+      auth.enable = true;
+      nix.enable = true;
+    };
+
     sops = {
       secrets = {
         wg_private_key = {
@@ -43,6 +49,8 @@ in
     networking.firewall.allowedTCPPorts = [ 80 8080 ];
     networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
 
+    services.tailscale.enable = true;
+
     custom.prometheus = {
       enable = false;
       exporters.enable = false;
@@ -52,33 +60,6 @@ in
       };
     };
 
-    custom.kanidm-client = {
-      enable = true;
-      uri = "https://auth.xinyang.life/";
-      asSSHAuth = {
-        enable = true;
-        allowedGroups = [ "linux_users" ];
-      };
-      sudoers = [ "xin@auth.xinyang.life" ];
-    };
-
-    services.openssh = {
-      settings = {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = lib.mkForce "no";
-        GSSAPIAuthentication = "no";
-        KerberosAuthentication = "no";
-      };
-    };
-    services.fail2ban.enable = true;
-    programs.mosh.enable = true;
-
-    security.sudo = {
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
-    };
-
     services.sing-box = let
       singTls = {
         enabled = true;

machines/massicot/default.nix

@@ -7,6 +7,11 @@
     ./networking.nix
     ./services.nix
   ];
+
+  commonSettings = {
+    auth.enable = true;
+    nix.enable = true;
+  };
   
   sops = {
     defaultSopsFile = ./secrets.yaml;
@@ -52,34 +57,6 @@
   networking = {
     hostName = "massicot";
   };
-
-  custom.kanidm-client = {
-    enable = true;
-    uri = "https://auth.xinyang.life/";
-    asSSHAuth = {
-      enable = true;
-      allowedGroups = [ "linux_users" ];
-    };
-    sudoers = [ "xin@auth.xinyang.life" ];
-  };
-
-  security.sudo = {
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
-    };
-
-  services.openssh = {
-    enable = true;
-    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = "no";
-      GSSAPIAuthentication = "no";
-      KerberosAuthentication = "no";
-    };
-  };
-  services.fail2ban.enable = true;
-  programs.mosh.enable = true;
   
   systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
 }

modules/nixos/prometheus.nix

@@ -103,7 +103,7 @@ in
               name = "ntfy";
               webhook_configs = [
                 {
-                  url = "${config.services.ntfy-sh.settings.base-url}/prometheus-alerts";
+                  url = "https://ntfy.xinyang.life/prometheus-alerts";
                   send_resolved = true;
                 }
               ];