Test traefik, arcane and immich on vServer

2026-01-04 22:22:53 +01:00 · 2026-01-04 22:22:53 +01:00 · 5115744f46
commit 5115744f46
parent cb0408abd4
2 changed files with 47 additions and 0 deletions
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@ -17,6 +17,8 @@
      ../../modules/docker.nix
      ../../modules/teleport.nix
      ../../modules/portainer_agent.nix
      ../../modules/arcane.nix
      ../../modules/traefik.nix
      ../../modules/auto-upgrade.nix
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
@ -33,6 +35,45 @@
  virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];
  services.traefik-docker = {
    enable = true;
    dashboardUrl = "traefik.juliusfr.eu";
    dnsSecrets = [
      config.age.secrets."netcup-dns"
    ];
    mTLSCaCertSecret = config.age.secrets."step-ca-crt";
    oidcAuthProviderUrl = "https://login.juliusfr.eu";
    oidcClients = {
      traefik-dashboard = {
        secret = config.age.secrets."traefik-oidc-auth";
      };
      immich = {
        secret = config.age.secrets."immich-oidc-auth";
        scopes = [
          "openid"
          "email"
          "profile"
        ];
        enableBypassUsingClientCertificate = true;
      };
      arcane = {
        secret = config.age.secrets."arcane-oidc-auth";
        scopes = [
          "openid"
          "email"
          "profile"
          "groups"
        ];
      };
    };
  };
  services.arcane = {
    enable = true;
    appUrl = "arcane.juliusfr.eu";
    secretFile = config.age.secrets."arcane-secrets";
  };
  systemd.network = {
    enable = true;
      networks."10-wan" = {
--- a/hosts/srv01.hf/secrets.nix
+++ b/hosts/srv01.hf/secrets.nix
@ -4,5 +4,11 @@
    teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
    teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
    portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
    netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup";
    traefik-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/traefik-oidc-auth";
    immich-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/immich-oidc-auth";
    arcane-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/arcane-oidc-auth";
    arcane-secrets.file = "${inputs.secrets}/secrets/srv01-hf/arcane-secrets";
    step-ca-crt.file = "${inputs.secrets}/secrets/step-ca/step-ca-crt";
  };
 }