From e890501a0a2107aaa4478e2ceb26e69144b5e7d6 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Sun, 8 Feb 2026 12:25:30 +0100
Subject: [PATCH] Add dockhand module
---
 hosts/srv01.hf/secrets.nix | 8 ++-----
 modules/dockhand.nix | 46 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 modules/dockhand.nix
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix
index 3289c1c..a328f24 100644
--- a/hosts/srv01.hf/secrets.nix
+++ b/hosts/srv01.hf/secrets.nix
@@ -5,11 +5,7 @@
 teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
 portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
 netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup";
- traefik-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/traefik-oidc-auth";
- immich-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/immich-oidc-auth";
- arcane-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/arcane-oidc-auth";
- arcane-secrets.file = "${inputs.secrets}/secrets/srv01-hf/arcane-secrets";
- firefly-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/firefly-oidc-auth";
- step-ca-crt.file = "${inputs.secrets}/secrets/step-ca/step-ca-crt";
+ pangolin.file = "${inputs.secrets}/secrets/srv01-hf/pangolin";
+ newt.file = "${inputs.secrets}/secrets/srv01-hf/newt";
 };
 }
diff --git a/modules/dockhand.nix b/modules/dockhand.nix
new file mode 100644
index 0000000..7eeaf8e
--- /dev/null
+++ b/modules/dockhand.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.dockhand;
+in {
+ options.services.dockhand = {
+ enable = lib.mkEnableOption "dockhand, a powerful, intuitive Docker platform";
+ appUrl = lib.mkOption {
+ description = "External URL dockhand will be reachable from, without protocol";
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.oci-containers.containers = {
+ dockhand = {
+ image = "fnsys/dockhand:v1.0.12";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "1000";
+ };
+ networks = [
+ "pangolin"
+ ];
+ labels = {
+ "pangolin.public-resources.dockhand.name" = "dockhand";
+ "pangolin.public-resources.dockhand.full-domain" = cfg.appUrl;
+ "pangolin.public-resources.dockhand.protocol" = "http";
+ "pangolin.public-resources.dockhand.auth.sso-enabled" = "true";
+ "pangolin.public-resources.dockhand.auth.auto-login-idp" = "1";
+ "pangolin.public-resources.dockhand.targets[0].method" = "http";
+ };
+ extraOptions = [
+ ''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local''
+ ''--group-add=131'' # docker group
+ ];
+ };
+ };
+ };
+}
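Review bot: The `volumes` entry bind-mounts `/var/run/docker.sock` read-write into a container that the `pangolin.public-resources.dockhand.*` labels publish on `cfg.appUrl`, so access to the Docker daemon (equivalent to root on the host) is gated only by the Pangolin SSO label and whatever authentication dockhand itself enforces. I would record that dependency next to the mount, e.g. `# docker.sock gives this container root-equivalent control of the host; exposure relies on pangolin SSO staying enabled`, so a later edit to the labels is not made without noticing it. The image is referenced by a mutable tag only; pinning it as `image = "fnsys/dockhand:v1.0.12@sha256:<digest-placeholder>";` would keep a re-pushed tag from changing what receives socket access. The hard-coded `''--group-add=131''` grants the wrong group if the host's docker GID ever differs; `''--group-add=${toString config.users.groups.docker.gid}''` would track it, assuming the docker group is declared with a gid on this host.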