Monitoring primarily

hosts/pi-main/default.nix

@@ -92,6 +92,14 @@
   homey.caddy.enable      = true;
   homey.cloudflared.enable = true;
 
+  # CI/CD
+  homey.giteaRunner.enable = true;
+
+  # Monitoring stack
+  homey.uptimeKuma.enable  = true;
+  homey.ntfy.enable        = true;
+  homey.monitoring.enable  = true;
+
   # Backups
   homey.backup.enable     = true;
   # Where to send restic backups — set to your backup destination:
@@ -113,6 +121,55 @@
     rebootTime  = "360s";
   };
 
+  # Disable WiFi power save — the brcmfmac driver on RPi4 lets the chip sleep,
+  # causing it to miss packets and drop the connection under low traffic.
+  # Run once when the wlan0 interface appears (and on every re-plug/reconnect).
+  systemd.services.wifi-disable-power-save = {
+    description = "Disable WiFi power management on wlan0";
+    wantedBy    = [ "multi-user.target" ];
+    after       = [ "sys-subsystem-net-devices-wlan0.device" ];
+    bindsTo     = [ "sys-subsystem-net-devices-wlan0.device" ];
+    serviceConfig = {
+      Type            = "oneshot";
+      RemainAfterExit = true;
+      ExecStart       = "${pkgs.iw}/bin/iw dev wlan0 set power_save off";
+    };
+  };
+
+  # Network watchdog — if the LAN gateway becomes unreachable, restart
+  # wpa_supplicant to force a fresh association.  If the link is still
+  # dead 30 s later, reboot so the hardware watchdog doesn't have to.
+  # Runs every 2 min starting 5 min after boot.
+  systemd.services.network-watchdog = {
+    description = "Network connectivity watchdog";
+    after       = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "network-watchdog" ''
+        gateway="192.168.1.1"
+        if ! ${pkgs.iputils}/bin/ping -c 3 -W 10 "$gateway" > /dev/null 2>&1; then
+          echo "Gateway $gateway unreachable — restarting wpa_supplicant"
+          systemctl restart wpa_supplicant.service
+          sleep 30
+          if ! ${pkgs.iputils}/bin/ping -c 3 -W 10 "$gateway" > /dev/null 2>&1; then
+            echo "Still unreachable after wpa_supplicant restart — rebooting"
+            systemctl reboot
+          fi
+        fi
+      '';
+    };
+  };
+
+  systemd.timers.network-watchdog = {
+    description = "Periodic network connectivity check";
+    wantedBy    = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec       = "5min";
+      OnUnitActiveSec = "2min";
+      Persistent      = true;
+    };
+  };
+
   # Compressed in-RAM swap via zstd.  Pages evicted from RAM are compressed
   # (~3:1 ratio) and stored in a 25% RAM region (~2 GB) rather than written
   # to disk.  Gives the OOM killer breathing room under PHP upload spikes.