Extend dots.ports module to remaining NixOS hosts

- hetznix02: import shared ports, derive firewall via lib.pipe, wire node-exporter and nginx-exporter port references in monitoring.nix - kiosk-entryway: import shared ports, wire node-exporter port in monitoring.nix - kiosk-gene-desk: import shared ports, make node-exporter port explicit - bigboy, rainbow-planet: import shared ports for consistency Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 23:55:20 -04:00 · 2026-05-31 21:13:42 -04:00 · 2026-05-31 21:13:42 -04:00 · d433d77ee1
commit d433d77ee1
parent fb33d4db15
7 changed files with 26 additions and 15 deletions
--- a/modules/hosts/nixos/hetznix02/default.nix
+++ b/modules/hosts/nixos/hetznix02/default.nix
@ -1,5 +1,7 @@
 {
+  config,
  inputs,
+  lib,
  pkgs,
  username,
  ...
@ -7,6 +9,7 @@
 {
  imports = [
    ../../../shared/nixos/nixroutes.nix
+    ../../../shared/nixos/ports.nix
    ./disk-config.nix
    ./hardware-configuration.nix
    ./post-install
@ -33,15 +36,18 @@
  ];

  networking = {
-    # Open ports in the firewall.
-    firewall.allowedTCPPorts = [
-      22 # ssh
-      80 # Nginx
-      443 # Nginx
-    ];
-    # firewall.allowedUDPPorts = [ ... ];
-    # Or disable the firewall altogether.
-    # firewall.enable = false;
+    firewall = {
+      allowedTCPPorts = lib.pipe config.dots.ports [
+        builtins.attrValues
+        (builtins.filter (e: e.openFirewall && e.protocol == "tcp"))
+        (map (e: e.port))
+      ];
+      allowedUDPPorts = lib.pipe config.dots.ports [
+        builtins.attrValues
+        (builtins.filter (e: e.openFirewall && e.protocol == "udp"))
+        (map (e: e.port))
+      ];
+    };

    hostId = "89bbb3e6"; # head -c4 /dev/urandom | od -A none -t x4

--- a/modules/hosts/nixos/hetznix02/post-install/monitoring.nix
+++ b/modules/hosts/nixos/hetznix02/post-install/monitoring.nix
@ -16,7 +16,7 @@ in
          {
            job_name = "node";
            static_configs = [
-              { targets = [ "127.0.0.1:9100" ]; }
+              { targets = [ "127.0.0.1:${toString config.dots.ports.node-exporter.port}" ]; }
            ];
            metric_relabel_configs = [
              {
@ -37,7 +37,7 @@ in
          {
            job_name = "nginx";
            static_configs = [
-              { targets = [ "127.0.0.1:9113" ]; }
+              { targets = [ "127.0.0.1:${toString config.dots.ports.nginx-exporter.port}" ]; }
            ];
            metric_relabel_configs = [
              {
@ -84,7 +84,7 @@ in
    prometheus.exporters.node = {
      enable = true;
      listenAddress = "127.0.0.1";
-      port = 9100;
+      inherit (config.dots.ports.node-exporter) port;
      enabledCollectors = [
        "systemd"
      ];
@ -98,7 +98,7 @@ in
    prometheus.exporters.nginx = {
      enable = true;
      listenAddress = "127.0.0.1";
-      port = 9113;
+      inherit (config.dots.ports.nginx-exporter) port;
      scrapeUri = "https://127.0.0.1/server_status";
      sslVerify = false;
    };