From aabaa70595e9b81be5543572d1e0ea52422ca852 Mon Sep 17 00:00:00 2001
From: Renovate Bot <renovate@jfreudenberger.de>
Date: Thu, 18 Jun 2026 01:36:26 +0200
Subject: [PATCH 1/8] Add renovate.json

---
 renovate.json | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 renovate.json

diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..7190a60
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

From 8ae895ac2958d38312000ede440f8be16a7e56a5 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 01:39:16 +0200
Subject: [PATCH 2/8] Add nix support to renovate.json

---
 renovate.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index 7190a60..f2665a9 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,3 +1,6 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "nix": {
+    "enabled": true
+  }
 }

From ddfe28de8dd85c995853da9b24944ed707fe5cef Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 01:48:44 +0200
Subject: [PATCH 3/8] Add custom manager for oci image references

Found at https://gist.github.com/itz-Jana/2627b87f47a0141dd98636276bd2a1f6
---
 renovate.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index f2665a9..96e8cad 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,5 +2,17 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "nix": {
     "enabled": true
-  }
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "datasourceTemplate": "docker",
+      "fileMatch": [
+        ".+\\.nix$"
+      ],
+      "matchStrings": [
+        "\\s+image\\s+=\\s+\"(?<depName>.*?):(?<currentValue>.*?)\""
+      ]
+    }
+  ]
 }

From fdbc96135eb566eb65bef4b2a519d027857923c9 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 02:06:56 +0200
Subject: [PATCH 4/8] Add digest to oci image matcher

---
 renovate.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index 96e8cad..c290d62 100644
--- a/renovate.json
+++ b/renovate.json
@@ -11,7 +11,7 @@
         ".+\\.nix$"
       ],
       "matchStrings": [
-        "\\s+image\\s+=\\s+\"(?<depName>.*?):(?<currentValue>.*?)\""
+        "\\s+image\\s+=\\s+\"(?<depName>.*?):(?<currentValue>.*?)(@(?<digest>sha256:[a-z0-9]{64}))?\""
       ]
     }
   ]

From 7d3ce606ca9a760d50589b68b1f24684fe17e5cb Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 02:29:34 +0200
Subject: [PATCH 5/8] Inline oci image versions and add image digests

---
 modules/beszel-hub.nix     | 3 +--
 modules/dockhand.nix       | 2 +-
 modules/hawser.nix         | 2 +-
 modules/netbird-client.nix | 4 +---
 modules/netbird-docker.nix | 9 +++------
 modules/pocket-id.nix      | 3 +--
 modules/traefik-oidc.nix   | 2 +-
 modules/traefik.nix        | 3 +--
 8 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/modules/beszel-hub.nix b/modules/beszel-hub.nix
index 7b2376a..7ea1024 100644
--- a/modules/beszel-hub.nix
+++ b/modules/beszel-hub.nix
@@ -6,7 +6,6 @@
 let
 
   cfg = config.services.beszel-docker;
-  version = "0.18.7";
 
 in {
 
@@ -21,7 +20,7 @@ in {
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       beszel = {
-        image = "henrygd/beszel:${version}";
+        image = "henrygd/beszel:0.18.7@sha256:a849ad80814b6a1a3be665304dcace5d4854b3bed7bde4dd1227e8ce1b82d477";
         autoStart = true;
         networks = [
           "traefik"
diff --git a/modules/dockhand.nix b/modules/dockhand.nix
index 0d7fabe..82c541b 100644
--- a/modules/dockhand.nix
+++ b/modules/dockhand.nix
@@ -17,7 +17,7 @@ in {
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       dockhand = {
-        image = "fnsys/dockhand:v1.0.32";
+        image = "fnsys/dockhand:v1.0.32@sha256:cda754fc7ccb4acd0ecc37cc37b9cf0d2b933bf19de89d47957b26ecf109a543";
         volumes = [
           "/var/run/docker.sock:/var/run/docker.sock"
         ];
diff --git a/modules/hawser.nix b/modules/hawser.nix
index 5d48686..e304abe 100644
--- a/modules/hawser.nix
+++ b/modules/hawser.nix
@@ -27,7 +27,7 @@ in {
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       hawser = {
-        image = "ghcr.io/finsys/hawser:0.2.42";
+        image = "ghcr.io/finsys/hawser:0.2.42@sha256:79f926e8d8fe31c0dfe90858f90b69bfd4cfbb113472605620b91a4b444dd557";
         volumes = [
           "/var/run/docker.sock:/var/run/docker.sock"
         ];
diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix
index 200984f..7651800 100644
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@@ -9,8 +9,6 @@ let
 
   cfg = config.services.netbird-client;
 
-  clientVersion = "0.72.4";
-
   clientConfiguration = lib.types.submodule {
     options = {
       setupKey = lib.mkOption {
@@ -64,7 +62,7 @@ in {
 
     virtualisation.oci-containers.containers = lib.mkIf (cfg.docker.setupKey != null) {
       netbird = {
-        image = "netbirdio/netbird:${clientVersion}-rootless";
+        image = "netbirdio/netbird:0.72.4-rootless@sha256:d42136aabccb82c5237d2ee73febde237e13e850727bcb6bbf5b3c8717ece142";
         autoStart = true;
         hostname = "${config.networking.hostName}-docker";
         networks = [
diff --git a/modules/netbird-docker.nix b/modules/netbird-docker.nix
index a8faeb3..8d137f2 100644
--- a/modules/netbird-docker.nix
+++ b/modules/netbird-docker.nix
@@ -10,9 +10,6 @@ let
   cfg = config.services.netbird-docker;
   netbirdCfg = config.services.netbird;
 
-  serverVersion = "0.72.4";
-  dashboardVersion = "2.39.0";
-
 in {
 
   options.services.netbird-docker = {
@@ -60,7 +57,7 @@ in {
     services.netbird.useRoutingFeatures = lib.mkDefault "server";
     virtualisation.oci-containers.containers = {
       netbird-dashboard = {
-        image = "netbirdio/dashboard:v${dashboardVersion}";
+        image = "netbirdio/dashboard:v2.39.0";
         autoStart = true;
         networks = [
           "traefik"
@@ -94,7 +91,7 @@ in {
         ];
       };
       netbird-server = {
-        image = "netbirdio/netbird-server:${serverVersion}";
+        image = "netbirdio/netbird-server:0.72.4@sha256:9ab98a37002517204010ee88a0c7f5e76b1fe6e2a736043db60efb7a02fbded3";
         autoStart = true;
         networks = [
           "traefik"
@@ -172,7 +169,7 @@ in {
         ];
       };
       netbird-proxy = {
-        image = "netbirdio/reverse-proxy:${serverVersion}";
+        image = "netbirdio/reverse-proxy:0.72.4@sha256:3104d5ca3a76ac224d268b9cc1d2f983eaf6fefbbb1cc78c3dbecd07f9d2a7e0";
         autoStart = true;
         ports = [
           "51820:51820/udp"
diff --git a/modules/pocket-id.nix b/modules/pocket-id.nix
index fd311c1..b183d4b 100644
--- a/modules/pocket-id.nix
+++ b/modules/pocket-id.nix
@@ -7,7 +7,6 @@ let
 
   cfg = config.services.pocket-id-docker;
   pocketidCfg = config.services.pocket-id;
-  version = "2.8.0";
 
 in {
 
@@ -18,7 +17,7 @@ in {
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       pocket-id = {
-        image = "ghcr.io/pocket-id/pocket-id:v${version}";
+        image = "ghcr.io/pocket-id/pocket-id:v2.8.0@sha256:a073640418b2cfc8587c488a7270580b3ab95cae2c543f5d64bbbe1fd7ccbae8";
         autoStart = true;
         networks = [
           "traefik"
diff --git a/modules/traefik-oidc.nix b/modules/traefik-oidc.nix
index c1bff3f..aa3f80c 100644
--- a/modules/traefik-oidc.nix
+++ b/modules/traefik-oidc.nix
@@ -105,7 +105,7 @@ in {
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       traefik = {
-        image = "traefik:v3.6.6";
+        image = "traefik:v3.7.5@sha256:d6858791f9e74df44ca4014166647c41cdc2abd3bf2a71b832ca4e1c6a91b257";
         cmd = [
           "--providers.docker=true"
           "--providers.docker.exposedByDefault=false"
diff --git a/modules/traefik.nix b/modules/traefik.nix
index 7e8e19c..1709d0b 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@@ -7,7 +7,6 @@
 let
 
   cfg = config.services.traefik-docker;
-  version = "3.7.5";
 
 in {
 
@@ -30,7 +29,7 @@ in {
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       traefik = {
-        image = "traefik:v${version}";
+        image = "traefik:v3.7.5@sha256:d6858791f9e74df44ca4014166647c41cdc2abd3bf2a71b832ca4e1c6a91b257";
         cmd = [
           "--providers.docker=true"
           "--providers.docker.endpoint=http://docker-socket-proxy:2375"

From 6f7f13d7ff48e651eecc8fe05833e87c37dc845a Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 02:30:33 +0200
Subject: [PATCH 6/8] Remove unused oci container modules

---
 modules/arcane.nix          | 64 ---------------------------------
 modules/newt.nix            | 72 -------------------------------------
 modules/pangolin.nix        | 53 ---------------------------
 modules/portainer_agent.nix | 21 -----------
 4 files changed, 210 deletions(-)
 delete mode 100644 modules/arcane.nix
 delete mode 100644 modules/newt.nix
 delete mode 100644 modules/pangolin.nix
 delete mode 100644 modules/portainer_agent.nix

diff --git a/modules/arcane.nix b/modules/arcane.nix
deleted file mode 100644
index 160088f..0000000
--- a/modules/arcane.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.services.arcane;
-in {
-  options.services.arcane = {
-    enable = lib.mkEnableOption "arcane, a modern Docker management UI";
-    appUrl = lib.mkOption {
-      description = "External URL arcane will be reachable from, without protocol";
-      type = lib.types.str;
-    };
-    secretFile = lib.mkOption {
-      description = ''
-        Agenix secret containing the following needed environment variables in dotenv notation:
-          - ENCRYPTION_KEY
-          - JWT_SECRET
-          - OIDC_CLIENT_ID
-          - OIDC_CLIENT_SECRET
-          - OIDC_ISSUER_URL
-          - OIDC_ADMIN_CLAIM
-          - OIDC_ADMIN_VALUE
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    virtualisation.oci-containers.containers = {
-      arcane = {
-        image = "ghcr.io/getarcaneapp/arcane:v1.11.2";
-        volumes = [
-          "/var/run/docker.sock:/var/run/docker.sock"
-        ];
-        environment = {
-          APP_URL = "https://${cfg.appUrl}";
-          PUID = "1000";
-          PGID = "1000";
-          LOG_LEVEL = "info";
-          LOG_JSON = "false";
-          OIDC_ENABLED = "true";
-          OIDC_SCOPES = "openid email profile groups";
-          DATABASE_URL = "file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate";
-        };
-        environmentFiles = [
-          cfg.secretFile.path
-        ];
-        networks = [
-          "traefik"
-        ];
-        labels = {
-          "traefik.enable" = "true";
-          "traefik.http.routers.arcane.middlewares" = "arcane-oidc-auth@file";
-          "traefik.http.routers.arcane.rule" = "Host(`${cfg.appUrl}`)";
-          "traefik.http.services.arcane.loadbalancer.server.port" = "3552";
-        };
-        extraOptions = [
-          ''--mount=type=volume,source=arcane-data,target=/app/data,volume-driver=local''
-        ];
-      };
-    };
-  };
-}
diff --git a/modules/newt.nix b/modules/newt.nix
deleted file mode 100644
index 5f7a8f4..0000000
--- a/modules/newt.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-
-  cfg = config.services.newt-docker;
-
-in {
-
-  options.services.newt-docker = {
-    enable = lib.mkEnableOption "Newt, user space tunnel client for Pangolin";
-    pangolinEndpoint = lib.mkOption {
-      description = "External URL of the Pangolin instance";
-      type = lib.types.str;
-    };
-    connectionSecret = lib.mkOption {
-      description = "Secrets for Pangolin authentication.";
-      type = lib.types.anything;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    virtualisation.oci-containers.containers = {
-      newt = {
-        image = "fosrl/newt:1.9.0";
-        autoStart = true;
-        networks = [
-          "pangolin"
-        ];
-        environment = {
-          PANGOLIN_ENDPOINT = cfg.pangolinEndpoint;
-          DOCKER_SOCKET = "/var/run/docker.sock";
-        };
-        environmentFiles = [ cfg.connectionSecret.path ];
-        volumes = [
-          "/var/run/docker.sock:/var/run/docker.sock:ro"
-        ];
-        extraOptions = [
-          "--add-host=host.docker.internal:host-gateway"
-        ];
-      };
-    };
-
-    systemd.services."docker-newt" = {
-      after = [
-        "docker-network-newt.service"
-      ];
-      requires = [
-        "docker-network-newt.service"
-      ];
-    };
-
-    systemd.services."docker-network-newt" = {
-      path = [ pkgs.docker ];
-      serviceConfig = {
-        Type = "oneshot";
-      };
-      script = ''
-        docker network inspect pangolin || docker network create pangolin --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
-      '';
-    };
-
-    networking.firewall.extraCommands = ''
-      iptables -A INPUT -p icmp --source 100.89.128.0/24 -j ACCEPT
-      iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT
-    '';
-
-  };
-}
diff --git a/modules/pangolin.nix b/modules/pangolin.nix
deleted file mode 100644
index 55e5fed..0000000
--- a/modules/pangolin.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{
-  pkgs-unstable,
-  utils,
-  config,
-  lib,
-  ...
-}: {
-
-  services = {
-    pangolin = {
-      enable = true;
-      package = pkgs-unstable.fosrl-pangolin;
-      openFirewall = true;
-      settings = {
-        app = {
-          save_logs = true;
-          log_failed_attempts = true;
-        };
-        domains = {
-          domain1 = {
-            prefer_wildcard_cert = true;
-          };
-        };
-        flags = {
-          disable_signup_without_invite = true;
-          disable_user_create_org = true;
-        };
-      };
-    };
-  };
-
-  systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [
-    (lib.getExe pkgs-unstable.fosrl-gerbil)
-    "--reachableAt=http://localhost:${toString config.services.gerbil.port}"
-    "--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key"
-    "--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config"
-  ]);
-
-}
-
-# Settings needed on the host
-#
-#  services = {
-#    pangolin = {
-#      dnsProvider = "";
-#      baseDomain = "";
-#      letsEncryptEmail = "";
-#      environmentFile = config.age.secrets."".path;
-#    };
-#    traefik = {
-#      environmentFiles = [ config.age.secrets."".path ];
-#    };
-#  };
diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix
deleted file mode 100644
index 408834b..0000000
--- a/modules/portainer_agent.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
-  ...
-}: {
-  virtualisation.oci-containers.containers = {
-    portainer_agent = {
-      image = "portainer/agent:2.33.2";
-      volumes = [
-        "/var/run/docker.sock:/var/run/docker.sock"
-        "/var/lib/docker/volumes:/var/lib/docker/volumes"
-        "/:/host"
-      ];
-      environment = {
-        EDGE = "1";
-        CAP_HOST_MANAGEMENT = "1";
-      };
-      extraOptions = [
-        ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local''
-      ];
-    };
-  };
-}

From 31fe3ff223ccf1bd018bba3b66176460f56fafcb Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 02:36:10 +0200
Subject: [PATCH 7/8] Do not impose hourly PR limit

New systems are not built on branches, so no CI can be overwhelmed.
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate.json b/renovate.json
index c290d62..e25b3b1 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,5 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "prHourlyLimit": 0,
   "nix": {
     "enabled": true
   },

From 2f4e529738a364cca95d8f13899517e8eb906eb7 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger <julius+git@jfreudenberger.de>
Date: Thu, 18 Jun 2026 02:41:51 +0200
Subject: [PATCH 8/8] Run renovate on a schedule and enable autodiscover

---
 hosts/busch-nixos-native/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts/busch-nixos-native/default.nix b/hosts/busch-nixos-native/default.nix
index e33ed9c..d3b5dec 100644
--- a/hosts/busch-nixos-native/default.nix
+++ b/hosts/busch-nixos-native/default.nix
@@ -46,11 +46,13 @@
 
   services.renovate = {
     enable = true;
+    schedule = "*:0/10";
     credentials = {
       RENOVATE_TOKEN = config.age.secrets.renovate-token.path;
       RENOVATE_GITHUB_COM_TOKEN = config.age.secrets.renovate-github-com-token.path;
     };
     settings = {
+      autodiscover = true;
       gitAuthor = "Renovate Bot <renovate@jfreudenberger.de>";
       platform = "forgejo";
       endpoint = "https://git.jfreudenberger.de";