From 7d3ce606ca9a760d50589b68b1f24684fe17e5cb Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Thu, 18 Jun 2026 02:29:34 +0200
Subject: [PATCH] Inline oci image versions and add image digests
---
 modules/beszel-hub.nix | 3 +--
 modules/dockhand.nix | 2 +-
 modules/hawser.nix | 2 +-
 modules/netbird-client.nix | 4 +---
 modules/netbird-docker.nix | 9 +++------
 modules/pocket-id.nix | 3 +--
 modules/traefik-oidc.nix | 2 +-
 modules/traefik.nix | 3 +--
 8 files changed, 10 insertions(+), 18 deletions(-)
diff --git a/modules/beszel-hub.nix b/modules/beszel-hub.nix
index 7b2376a..7ea1024 100644
--- a/modules/beszel-hub.nix
+++ b/modules/beszel-hub.nix
@@ -6,7 +6,6 @@ let
 cfg = config.services.beszel-docker;
- version = "0.18.7";
 in {
@@ -21,7 +20,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 beszel = {
- image = "henrygd/beszel:${version}";
+ image = "henrygd/beszel:0.18.7@sha256:a849ad80814b6a1a3be665304dcace5d4854b3bed7bde4dd1227e8ce1b82d477";
 autoStart = true;
 networks = [
 "traefik"
diff --git a/modules/dockhand.nix b/modules/dockhand.nix
index 0d7fabe..82c541b 100644
--- a/modules/dockhand.nix
+++ b/modules/dockhand.nix
@@ -17,7 +17,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 dockhand = {
- image = "fnsys/dockhand:v1.0.32";
+ image = "fnsys/dockhand:v1.0.32@sha256:cda754fc7ccb4acd0ecc37cc37b9cf0d2b933bf19de89d47957b26ecf109a543";
 volumes = [
 "/var/run/docker.sock:/var/run/docker.sock"
 ];
diff --git a/modules/hawser.nix b/modules/hawser.nix
index 5d48686..e304abe 100644
--- a/modules/hawser.nix
+++ b/modules/hawser.nix
@@ -27,7 +27,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 hawser = {
- image = "ghcr.io/finsys/hawser:0.2.42";
+ image = "ghcr.io/finsys/hawser:0.2.42@sha256:79f926e8d8fe31c0dfe90858f90b69bfd4cfbb113472605620b91a4b444dd557";
 volumes = [
 "/var/run/docker.sock:/var/run/docker.sock"
 ];
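Review bot: Once the `@sha256:` digest is present on the `beszel` image line, Docker pulls by digest and ignores the `0.18.7` tag, so a later bump that edits only the tag would keep deploying the old image without any error. Nothing in the hunk records how the digest was obtained or that both halves must change together; I would add a comment above the line such as `# tag is informational; update tag and digest together`, or hand both to an update bot. The same applies to every other `tag@sha256:` line this patch adds. The enclosing `in { … }` block starts and ends outside the hunk.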
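Review bot: The `dockhand` container bind-mounts `/var/run/docker.sock` (context lines of this hunk), so whatever image the digest resolves to can drive the host's Docker daemon, and the hunk gives no hint of how the pinned digest was checked; the same holds for `hawser` in modules/hawser.nix. I would add a comment next to the `image` line stating where the digest came from and that it is the registry's multi-arch index digest for `v1.0.32` rather than a platform-specific one. I cannot tell from the patch which kind it is, and a platform digest would fail to pull on hosts of another architecture. No change to the pin itself is needed.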
diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix
index 200984f..7651800 100644
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@@ -9,8 +9,6 @@ let cfg = config.services.netbird-client; - clientVersion = "0.72.4"; - - clientConfiguration = lib.types.submodule { options = { setupKey = lib.mkOption {
@@ -64,7 +62,7 @@ in {
 virtualisation.oci-containers.containers = lib.mkIf (cfg.docker.setupKey != null) {
 netbird = {
- image = "netbirdio/netbird:${clientVersion}-rootless";
+ image = "netbirdio/netbird:0.72.4-rootless@sha256:d42136aabccb82c5237d2ee73febde237e13e850727bcb6bbf5b3c8717ece142";
 autoStart = true;
 hostname = "${config.networking.hostName}-docker";
 networks = [
diff --git a/modules/netbird-docker.nix b/modules/netbird-docker.nix
index a8faeb3..8d137f2 100644
--- a/modules/netbird-docker.nix
+++ b/modules/netbird-docker.nix
@@ -10,9 +10,6 @@ let
 cfg = config.services.netbird-docker;
 netbirdCfg = config.services.netbird;
- serverVersion = "0.72.4";
- dashboardVersion = "2.39.0";
-
 in {
 options.services.netbird-docker = {
@@ -60,7 +57,7 @@ in {
 services.netbird.useRoutingFeatures = lib.mkDefault "server";
 virtualisation.oci-containers.containers = {
 netbird-dashboard = {
- image = "netbirdio/dashboard:v${dashboardVersion}";
+ image = "netbirdio/dashboard:v2.39.0";
 autoStart = true;
 networks = [
 "traefik"
@@ -94,7 +91,7 @@ in {
 ];
 };
 netbird-server = {
- image = "netbirdio/netbird-server:${serverVersion}";
+ image = "netbirdio/netbird-server:0.72.4@sha256:9ab98a37002517204010ee88a0c7f5e76b1fe6e2a736043db60efb7a02fbded3";
 autoStart = true;
 networks = [
 "traefik"
@@ -172,7 +169,7 @@ in {
 ];
 };
 netbird-proxy = {
- image = "netbirdio/reverse-proxy:${serverVersion}";
+ image = "netbirdio/reverse-proxy:0.72.4@sha256:3104d5ca3a76ac224d268b9cc1d2f983eaf6fefbbb1cc78c3dbecd07f9d2a7e0";
 autoStart = true;
 ports = [
 "51820:51820/udp"
diff --git a/modules/pocket-id.nix b/modules/pocket-id.nix
index fd311c1..b183d4b 100644
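Review bot: `netbirdio/dashboard:v2.39.0` is the one image in this patch that stays tag-only, so the `netbird-dashboard` container can still receive different content under the same tag while every other service is pinned. If that is an oversight, append the digest in the same form as the other lines, `image = "netbirdio/dashboard:v2.39.0@sha256:<digest-from-registry>";` (placeholder; the digest is not on the page). If it is deliberate, a one-line comment giving the reason would stop the next reader from assuming it was missed.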
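Review bot: `netbird-server` in this hunk and `netbird-proxy` in the next one used to read the same `serverVersion` binding and so could not drift apart; after inlining, the two `0.72.4` literals and the `0.72.4-rootless` client tag in modules/netbird-client.nix are independent strings. If these components are meant to move in lockstep (the removed shared variable suggests so, but the patch does not say), a comment on each line such as `# keep in sync with netbird-proxy and modules/netbird-client.nix` would record that. The surrounding attribute set continues outside both hunks.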
--- a/modules/pocket-id.nix
+++ b/modules/pocket-id.nix
@@ -7,7 +7,6 @@ let
 cfg = config.services.pocket-id-docker;
 pocketidCfg = config.services.pocket-id;
- version = "2.8.0";
 in {
@@ -18,7 +17,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 pocket-id = {
- image = "ghcr.io/pocket-id/pocket-id:v${version}";
+ image = "ghcr.io/pocket-id/pocket-id:v2.8.0@sha256:a073640418b2cfc8587c488a7270580b3ab95cae2c543f5d64bbbe1fd7ccbae8";
 autoStart = true;
 networks = [
 "traefik"
diff --git a/modules/traefik-oidc.nix b/modules/traefik-oidc.nix
index c1bff3f..aa3f80c 100644
--- a/modules/traefik-oidc.nix
+++ b/modules/traefik-oidc.nix
@@ -105,7 +105,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 traefik = {
- image = "traefik:v3.6.6";
+ image = "traefik:v3.7.5@sha256:d6858791f9e74df44ca4014166647c41cdc2abd3bf2a71b832ca4e1c6a91b257";
 cmd = [
 "--providers.docker=true"
 "--providers.docker.exposedByDefault=false"
diff --git a/modules/traefik.nix b/modules/traefik.nix
index 7e8e19c..1709d0b 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@@ -7,7 +7,6 @@ let
 cfg = config.services.traefik-docker;
- version = "3.7.5";
 in {
@@ -30,7 +29,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 traefik = {
- image = "traefik:v${version}";
+ image = "traefik:v3.7.5@sha256:d6858791f9e74df44ca4014166647c41cdc2abd3bf2a71b832ca4e1c6a91b257";
 cmd = [
 "--providers.docker=true"
 "--providers.docker.endpoint=http://docker-socket-proxy:2375"
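Review bot: An upgrade from `v3.6.6` to `v3.7.5` is folded into the `traefik` image line of modules/traefik-oidc.nix alongside the digest pin, and the commit subject mentions only inlining and digests, so a behaviour change in the edge proxy is easy to miss in review or a later bisect. I would name the bump in the commit message or split it into its own commit. The identical tag and digest now also appear as a literal in modules/traefik.nix, so a comment like `# keep identical to modules/traefik.nix` on this line would help the two stay aligned. The enclosing `config = lib.mkIf cfg.enable { … }` block continues outside the hunk.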