Update flake.lock

Add portainer_agent module and configure srv01-hf for it
Configure teleport on srv01-hf
2025-09-18 01:12:18 +02:00 · 2025-09-18 01:11:57 +02:00 · 2025-09-18 01:11:06 +02:00 · 2025-09-18 01:07:36 +02:00 · 2025-09-17 23:51:27 +02:00 · 2025-09-17 00:05:36 +02:00
8 changed files with 192 additions and 21 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,28 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": [],
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1754433428,
        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "auto-cpufreq": {
      "inputs": {
        "nixpkgs": [
@ -7,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752998173,
+        "lastModified": 1758056808,
-        "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=",
+        "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=",
        "owner": "AdnanHodzic",
        "repo": "auto-cpufreq",
-        "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd",
+        "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c",
        "type": "github"
      },
      "original": {
@ -27,11 +50,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753140376,
+        "lastModified": 1757508292,
-        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+        "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+        "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
        "type": "github"
      },
      "original": {
@ -96,15 +119,36 @@
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1753592768,
+        "lastModified": 1745494811,
-        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1757808926,
        "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
        "type": "github"
      },
      "original": {
@ -137,11 +181,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1754564048,
+        "lastModified": 1757943327,
-        "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
+        "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
+        "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
        "type": "github"
      },
      "original": {
@ -153,11 +197,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1754767907,
+        "lastModified": 1758070117,
-        "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=",
+        "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc",
+        "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d",
        "type": "github"
      },
      "original": {
@ -260,14 +304,32 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "auto-cpufreq": "auto-cpufreq",
        "disko": "disko",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "lazy-apps": "lazy-apps",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "proxmox-nixos": "proxmox-nixos",
-        "systems": "systems_2"
+        "secrets": "secrets",
        "systems": "systems_3"
      }
    },
    "secrets": {
      "flake": false,
      "locked": {
        "lastModified": 1758149260,
        "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=",
        "ref": "refs/heads/main",
        "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692",
        "revCount": 5,
        "type": "git",
        "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
      },
      "original": {
        "type": "git",
        "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
      }
    },
    "systems": {
@ -286,6 +348,21 @@
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -302,7 +379,7 @@
    },
    "utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1710146030,
--- a/flake.nix
+++ b/flake.nix
@ -22,7 +22,17 @@
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-
+    agenix = {
      url = "github:ryantm/agenix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        darwin.follows = "";
      };
    };
    secrets = {
      url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
      flake = false;
    };
    systems.url = "github:nix-systems/default-linux";
  };
@ -34,6 +44,7 @@
    home-manager,
    auto-cpufreq,
    proxmox-nixos,
    agenix,
    disko,
    systems,
    ...
@ -126,6 +137,7 @@
        modules = [
          disko.nixosModules.disko
          agenix.nixosModules.default
          ./hosts/srv01.hf
        ];
      };
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@ -4,8 +4,10 @@
  imports =
    [
      ../../modules/disko/efi-full-btrfs.nix
      ./secrets.nix
      ../../users/julius/nixos-server.nix
      ../../users/nixremote.nix
      ../../modules/nix.nix
      ../../modules/network-server.nix
      ../../modules/locale.nix
@ -13,11 +15,24 @@
      ../../modules/sshd.nix
      ../../modules/qemu-guest.nix
      ../../modules/docker.nix
      ../../modules/teleport.nix
      ../../modules/portainer_agent.nix
      ../../modules/auto-upgrade.nix
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  services.openssh.openFirewall = false;
  services.teleport = {
    enable = true;
    settings.teleport = {
      ca_pin = config.age.secrets."teleport-ca_pin".path;
      auth_token = config.age.secrets."teleport-join_token".path;
    };
  };
  virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];
  systemd.network = {
    enable = true;
      networks."10-wan" = {
--- a/hosts/srv01.hf/secrets.nix
+++ b/hosts/srv01.hf/secrets.nix
@ -0,0 +1,8 @@
 { inputs, ... }:
 {
  age.secrets = {
    teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
    teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
    portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
  };
 }
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@ -1,5 +1,6 @@
 {
  inputs,
  pkgs,
  ...
 }: {
  system.autoUpgrade = {
@ -11,5 +12,26 @@
    flake = inputs.self.outPath;
    dates = "02:00";
    randomizedDelaySec = "45min";
    allowReboot = true;
    rebootWindow = {
      lower = "01:00";
      upper = "05:00";
    };
  };
  # Also needs access to the nix-private repo which contains the encrypted secrets
  programs.ssh = {
    extraConfig = "
      Host git.jfreudenberger.de
        Port 222
        User git
        IdentityFile /etc/ssh/ssh_host_ed25519_key
    ";
    knownHostsFiles = [
      (pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+
 [git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD
 [git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8=
    '')
    ];
  };
 }
--- a/modules/docker.nix
+++ b/modules/docker.nix
@ -4,8 +4,11 @@
  ...
 }: {
-  virtualisation.docker = {
+  virtualisation = {
    docker = {
      enable = true;
    };
    oci-containers.backend = "docker";
  };
 }
--- a/modules/portainer_agent.nix
+++ b/modules/portainer_agent.nix
@ -0,0 +1,21 @@
 {
  ...
 }: {
  virtualisation.oci-containers.containers = {
    portainer_agent = {
      image = "portainer/agent:2.33.1";
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
        "/var/lib/docker/volumes:/var/lib/docker/volumes"
        "/:/host"
      ];
      environment = {
        EDGE = "1";
        CAP_HOST_MANAGEMENT = "1";
      };
      extraOptions = [
        ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local''
      ];
    };
  };
 }
--- a/users/nixremote.nix
+++ b/users/nixremote.nix
@ -0,0 +1,13 @@
 {
  ...
 }: {
  users.users = {
    nixremote = {
      isNormalUser = true;
      uid = 1100;
      group = "users";
    };
  };
  nix.settings.trusted-users = [ "nixremote" ];
 }
Author	SHA1	Message	Date
JuliusFreudenberger	0b336f6058	Update flake.lock	2025-09-18 01:12:18 +02:00
JuliusFreudenberger	cfc8f986b7	Add portainer_agent module and configure srv01-hf for it	2025-09-18 01:11:57 +02:00
JuliusFreudenberger	fadfd47e3f	Configure teleport on srv01-hf	2025-09-18 01:11:06 +02:00
JuliusFreudenberger	abf81609e4	Add ssh connection settings to nix-private repo for auto-upgrade	2025-09-18 01:07:36 +02:00
JuliusFreudenberger	eee7d2ddcf	Add secret management with agenix	2025-09-17 23:51:27 +02:00
JuliusFreudenberger	739b50349c	Set oci-backend to docker This can be used to start containers declaratively. Use docker when it is enabled for this.	2025-09-17 00:05:36 +02:00
JuliusFreudenberger	3c17de5929	Make nixremote trusted and not expire	2025-09-17 00:04:01 +02:00
JuliusFreudenberger	aa4d1f11c9	Add rebootWindow for auto upgrades	2025-09-17 00:03:34 +02:00
JuliusFreudenberger	ea01c0abf3	Add nixremote user for remote building	2025-08-25 09:49:00 +02:00