Migrate srv01-hf to pangolin and dockhand

2026-02-08 12:25:48 +01:00 · 2026-02-08 12:25:48 +01:00 · fd6810bd59
commit fd6810bd59
parent e890501a0a
2 changed files with 26 additions and 52 deletions
--- a/flake.nix
+++ b/flake.nix
@ -11,7 +11,7 @@
  };

  inputs = {
-    #nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    home-manager = {
@ -48,7 +48,7 @@
  outputs = {
    self,
    nixpkgs,
-    #nixpkgs-unstable,
+    nixpkgs-unstable,
    nixos-hardware,
    home-manager,
    auto-cpufreq,
@ -81,10 +81,6 @@
        system = "x86_64-linux";

        specialArgs = {
-          #pkgs-unstable = import nixpkgs-unstable {
-          #  inherit system;
-          #  config.allowUnfree = true;
-          #};
 	  inherit inputs outputs username;
        };

@ -142,6 +138,10 @@

        specialArgs = {
          inherit inputs outputs;
+          pkgs-unstable = import nixpkgs-unstable {
+            inherit system;
+            config.allowUnfree = true;
+          };
        };

        modules = [
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@ -17,8 +17,9 @@
      ../../modules/docker.nix
      ../../modules/teleport.nix
      ../../modules/portainer_agent.nix
-      ../../modules/arcane.nix
-      ../../modules/traefik.nix
+      ../../modules/pangolin.nix
+      ../../modules/newt.nix
+      ../../modules/dockhand.nix
      ../../modules/auto-upgrade.nix
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
@ -35,54 +36,27 @@

  virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];

-  services.traefik-docker = {
-    enable = true;
-    dashboardUrl = "traefik.juliusfr.eu";
-    dnsSecrets = [
-      config.age.secrets."netcup-dns"
-    ];
-    mTLSCaCertSecret = config.age.secrets."step-ca-crt";
-    oidcAuthProviderUrl = "https://login.juliusfr.eu";
-    oidcClients = {
-      traefik-dashboard = {
-        secret = config.age.secrets."traefik-oidc-auth";
-      };
-      immich = {
-        secret = config.age.secrets."immich-oidc-auth";
-        scopes = [
-          "openid"
-          "email"
-          "profile"
-        ];
-        enableBypassUsingClientCertificate = true;
-      };
-      arcane = {
-        secret = config.age.secrets."arcane-oidc-auth";
-        scopes = [
-          "openid"
-          "email"
-          "profile"
-          "groups"
-        ];
-      };
-      firefly = {
-        secret = config.age.secrets."firefly-oidc-auth";
-        scopes = [
-          "openid"
-          "email"
-        ];
-        useClaimsFromUserInfo = true;
-        headers = [
-          { Name = "FFIII-User"; Value = "{{`{{ .claims.email }}`}}"; }
-        ];
-      };
+  services = {
+    pangolin = {
+      dnsProvider = "netcup";
+      baseDomain = "juliusfr.eu";
+      letsEncryptEmail = "contact@jfreudenberger.de";
+      environmentFile = config.age.secrets."pangolin".path;
+    };
+    traefik = {
+      environmentFiles = [ config.age.secrets."netcup-dns".path ];
    };
  };

-  services.arcane = {
+  services.newt-docker = {
    enable = true;
-    appUrl = "arcane.juliusfr.eu";
-    secretFile = config.age.secrets."arcane-secrets";
+    pangolinEndpoint = "https://pangolin.juliusfr.eu";
+    connectionSecret = config.age.secrets."newt";
+  };
+
+  services.dockhand = {
+    enable = true;
+    appUrl = "dockhand.juliusfr.eu";
  };

  systemd.network = {