From cfc8f986b7e9a6680039358f03789f35395e5e22 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Thu, 18 Sep 2025 01:11:57 +0200
Subject: [PATCH] Add portainer_agent module and configure srv01-hf for it
---
 hosts/srv01.hf/default.nix | 3 +++
 hosts/srv01.hf/secrets.nix | 1 +
 modules/portainer_agent.nix | 21 +++++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 modules/portainer_agent.nix
diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix
index f8a2c5b..feb2183 100644
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@@ -16,6 +16,7 @@
 ../../modules/qemu-guest.nix
 ../../modules/docker.nix
 ../../modules/teleport.nix
+ ../../modules/portainer_agent.nix
 ../../modules/auto-upgrade.nix
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
@@ -30,6 +31,8 @@
 };
 };
 
+ virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];
+
 systemd.network = {
 enable = true;
 networks."10-wan" = {
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix
index 9b8fb86..8697e77 100644
--- a/hosts/srv01.hf/secrets.nix
+++ b/hosts/srv01.hf/secrets.nix
@@ -3,5 +3,6 @@
 age.secrets = {
 teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
 teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
+ portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
 };
 }
diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix
new file mode 100644
index 0000000..8bebd6c
--- /dev/null
+++ b/modules/portainer_agent.nix
@@ -0,0 +1,21 @@
+{
+ ...
+}: {
+ virtualisation.oci-containers.containers = {
+ portainer_agent = {
+ image = "portainer/agent:2.33.1";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ "/var/lib/docker/volumes:/var/lib/docker/volumes"
+ "/:/host"
+ ];
+ environment = {
+ EDGE = "1";
+ CAP_HOST_MANAGEMENT = "1";
+ };
+ extraOptions = [
+ ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local''
+ ];
+ };
+ };
+}
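Review bot: The `"/:/host"` bind mount in `volumes`, together with the Docker socket and `CAP_HOST_MANAGEMENT = "1"`, gives this container root-equivalent, read-write control of every host that imports the module, so the Portainer server and the edge credentials in the host's environment file become part of that host's trust boundary. If the host-management features are not needed, drop `"/:/host"` and `CAP_HOST_MANAGEMENT`; otherwise record the trade-off in a comment above `volumes`, e.g. `# docker.sock + /:/host = root on the host; import only on machines the Portainer server may fully control`. The image is pinned by tag only; a digest pin such as `image = "portainer/agent:2.33.1@sha256:<digest-placeholder>";` keeps a re-pushed tag from changing what runs with this access. The module also sets `EDGE = "1"` but leaves the credentials to each host's `environmentFiles`, which deserves a one-line comment here so that a host importing the module without the secret is not a surprise.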