diff --git a/flake.lock b/flake.lock index 3486c25..e7ad6de 100644 --- a/flake.lock +++ b/flake.lock @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1777713215, - "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=", + "lastModified": 1776613567, + "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=", "owner": "nix-community", "repo": "disko", - "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267", + "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d", "type": "github" }, "original": { @@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1777771528, - "narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=", + "lastModified": 1775425411, + "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=", "owner": "nix-community", "repo": "home-manager", - "rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51", + "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1777796046, - "narHash": "sha256-bEJp/zaQApzynGRaAO62BZSz9tFikKtIHCn2yIA/s7Q=", + "lastModified": 1776983936, + "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "eeb02f6e29fc8139c0b15af5ff0fdfdc6d0d3d90", + "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1777673416, - "narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=", + "lastModified": 1776734388, + "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "26ef669cffa904b6f6832ab57b77892a37c1a671", + "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1777578337, - "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", + "lastModified": 1776877367, + "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab", + "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57", "type": "github" }, "original": { @@ -307,11 +307,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1777731636, - "narHash": "sha256-OkFcWIKnrl0n5ULcFnzmLjdfD7Z8IHtYLge3e7EuARs=", + "lastModified": 1775228763, + "narHash": "sha256-8fKOEOouCaPZLBTdWPS+uU0bxsPp1OmfloDNoNSiu8w=", "owner": "SaumonNet", "repo": "proxmox-nixos", - "rev": "22b690085bfb2b82cbbc8e9d637a67c9c704b6db", + "rev": "e803cb839e5e5207fa37d92bc6ac7290f4dba633", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 0937102..d3bb15e 100644 --- a/flake.nix +++ b/flake.nix @@ -143,9 +143,6 @@ specialArgs = { inherit inputs outputs; - pkgs-unstable = import nixpkgs-unstable { - inherit system; - }; }; modules = [ @@ -180,6 +177,7 @@ inherit inputs outputs; pkgs-unstable = import nixpkgs-unstable { inherit system; + config.allowUnfree = true; }; }; diff --git a/hosts/busch-main-docker/default.nix b/hosts/busch-main-docker/default.nix index 21d1cc9..42b93a4 100644 --- a/hosts/busch-main-docker/default.nix +++ b/hosts/busch-main-docker/default.nix @@ -1,4 +1,4 @@ -{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }: +{ inputs, outputs, config, lib, pkgs, ... }: { imports = @@ -12,7 +12,6 @@ ../../modules/server-cli.nix ../../modules/sshd.nix ../../modules/docker.nix - ../../modules/netbird-client.nix "${inputs.secrets}/modules/opkssh.nix" # Include the results of the hardware scan. 
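Review bot: `config.allowUnfree = true;` in the second flake.nix hunk lifts the unfree restriction for every package any module pulls from `pkgs-unstable`, and the hunk carries no comment naming which package needs it. Scoping it to the intended package keeps licence review explicit, e.g. `config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs-unstable.lib.getName pkg) [ "<package-name>" ];` (placeholder name), with a one-line comment above stating the reason. The first hunk removes `pkgs-unstable` from the other host's `specialArgs`; that is consistent with the host files dropping the argument, but any module still left in that host's `modules` list that references `pkgs-unstable` would now fail evaluation, which is worth checking. Both `nixosSystem` attribute sets begin and end outside the hunks.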
@@ -27,13 +26,6 @@ }; networking.hostName = "docker-main"; # Define your hostname. - services.netbird-client = { - enable = true; - managementUrl = "https://netbird.jfreudenberger.de"; - host.setupKey = "DB64713B-FB23-49F1-A4A7-9B9E37B585D4"; - docker.setupKey = "B9ECD884-B445-4156-8643-D0F34D64C200"; - }; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # Most users should NEVER change this value after the initial install, for any reason, diff --git a/hosts/srv03/default.nix b/hosts/srv03/default.nix index 78f2cfc..1cc29bf 100644 --- a/hosts/srv03/default.nix +++ b/hosts/srv03/default.nix @@ -1,4 +1,4 @@ -{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }: +{ inputs, outputs, config, lib, pkgs, ... }: { imports = @@ -17,8 +17,6 @@ ../../modules/traefik.nix ../../modules/pocket-id.nix ../../modules/netbird-docker.nix - ../../modules/netbird-client.nix - ../../modules/dockhand.nix ../../modules/auto-upgrade.nix "${inputs.secrets}/modules/opkssh.nix" # Include the results of the hardware scan. @@ -46,11 +44,6 @@ environmentFile = config.age.secrets.pocket-id.path; }; - dockhand = { - enable = true; - appUrl = "dockhand.jfreudenberger.de"; - }; - netbird-docker = { enable = true; secrets = config.age.secrets.netbird-server; @@ -66,16 +59,10 @@ management.domain = domain; dashboard.domain = domain; signal.domain = domain; + management.oidcConfigEndpoint = "https://login.jfreudenberger.de/.well-known/openid-configuration"; }; }; - services.netbird-client = { - enable = true; - managementUrl = "https://netbird.jfreudenberger.de"; - host.setupKey = "B57B7B1D-AFBF-4D73-91F5-014A0D8645A4"; - docker.setupKey = "F49C8243-DB76-4C8C-9136-25498D72B494"; - }; - systemd.network = { enable = true; networks."10-wan" = { diff --git a/modules/dockhand.nix b/modules/dockhand.nix index ad30426..5f43cda 100644 
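Review bot: The `host.setupKey` and `docker.setupKey` values removed from this hunk, and likewise from the last srv03/default.nix hunk, were committed as plaintext literals and remain retrievable from git history, and the commit does not say whether they have been revoked in the Netbird management server. Treat them as exposed and rotate or revoke them, since a valid setup key enrols new peers into the overlay. The surviving `netbird-docker` block in srv03 already reads `config.age.secrets.netbird-server`, so if a client setup key is ever reintroduced it should use the same secrets path rather than a literal.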
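Review bot: The new `management.oidcConfigEndpoint` line in the third srv03/default.nix hunk extends the `management` attribute path that `management.domain = domain;` already opens; grouping them as `management = { inherit domain; oidcConfigEndpoint = "https://login.jfreudenberger.de/.well-known/openid-configuration"; };` makes the sub-set easier to read. None of the modules/netbird-docker.nix hunks in this commit declare an `oidcConfigEndpoint` option, so confirm the module already defines it, otherwise evaluation fails on an undefined option. The enclosing `services` attribute set starts and ends outside the hunk.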
--- a/modules/dockhand.nix +++ b/modules/dockhand.nix @@ -17,7 +17,7 @@ in { config = lib.mkIf cfg.enable { virtualisation.oci-containers.containers = { dockhand = { - image = "fnsys/dockhand:v1.0.27"; + image = "fnsys/dockhand:v1.0.12"; volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ]; @@ -26,8 +26,16 @@ in { PGID = "1000"; }; networks = [ - "webproxy" + "pangolin" ]; + labels = { + "pangolin.public-resources.dockhand.name" = "dockhand"; + "pangolin.public-resources.dockhand.full-domain" = cfg.appUrl; + "pangolin.public-resources.dockhand.protocol" = "http"; + "pangolin.public-resources.dockhand.auth.sso-enabled" = "true"; + "pangolin.public-resources.dockhand.auth.auto-login-idp" = "1"; + "pangolin.public-resources.dockhand.targets[0].method" = "http"; + }; extraOptions = [ ''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local'' ''--group-add=${toString config.ids.gids.docker}'' diff --git a/modules/gui-coding.nix b/modules/gui-coding.nix index 225d602..223f2b6 100644 --- a/modules/gui-coding.nix +++ b/modules/gui-coding.nix @@ -11,21 +11,6 @@ zed-editor.fhs k6 - - (pkgs.lazy-app.override { - pkg = pkgs.dbeaver-bin; - desktopItem = pkgs.makeDesktopItem { - name = "DBeaver"; - exec = "env NO_AT_BRIDGE=1 dbeaver %U"; - icon = "dbeaver"; - desktopName = "DBeaver"; - comment = "SQL Integrated Development Environment"; - categories = [ "IDE" "Development" ]; - mimeTypes = [ - "application/sql" - ]; - }; - }) ]; } diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix deleted file mode 100644 index e2b04db..0000000 --- a/modules/netbird-client.nix +++ /dev/null 
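Review bot: The image tag moves back from `fnsys/dockhand:v1.0.27` to `fnsys/dockhand:v1.0.12` with no digest and no comment explaining the rollback, for a container that bind-mounts `/var/run/docker.sock` and is now published through pangolin with `auth.sso-enabled`. A mutable tag can be re-pushed upstream, so pin the exact content, `image = "fnsys/dockhand:v1.0.12@sha256:<image-digest>";` (placeholder digest), and add a comment stating why the older release is required. The container now joins the `pangolin` network, but no `docker-network-pangolin` unit appears in this diff; if that network is not created elsewhere, the container will fail to start, and the `systemd.services."docker-dockhand"` after/requires (outside the hunk) presumably still need updating to match. The srv03 hunk above drops the `../../modules/dockhand.nix` import, so it is unclear from this diff which host still uses this module.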
@@ -1,99 +0,0 @@ -{ - pkgs, - pkgs-unstable, - utils, - config, - lib, - ... -}: -let - - cfg = config.services.netbird-client; - - clientVersion = "0.69.0"; - - clientConfiguration = lib.types.submodule { - options = { - setupKey = lib.mkOption { - description = "Setup Key for this client"; - type = lib.types.str; - }; - }; - }; - -in { - - options.services.netbird-client = { - enable = lib.mkEnableOption "Netbird client, with possiblities for host connection and for docker based connection."; - managementUrl = lib.mkOption { - description = "Management URL of netbird server."; - type = lib.types.str; - }; - host = lib.mkOption { - description = "Configuration for host connection"; - type = clientConfiguration; - }; - docker = lib.mkOption { - description = "Configuration for docker connection"; - type = clientConfiguration; - }; - }; - - config = lib.mkIf cfg.enable { - services.netbird = { - package = pkgs-unstable.netbird; - useRoutingFeatures = "both"; - clients.wt0 = { - hardened = false; - login = { - enable = true; - setupKeyFile = (pkgs.writeText "setupKey" cfg.host.setupKey).outPath; - }; - port = 51820; - environment = { - NB_MANAGEMENT_URL = cfg.managementUrl; - }; - }; - }; - systemd.services.${config.services.netbird.clients.wt0.service.name}.path = [ pkgs.shadow ]; - - virtualisation.oci-containers.containers = { - netbird = { - image = "netbirdio/netbird:${clientVersion}-rootless"; - autoStart = true; - hostname = "${config.networking.hostName}-docker"; - networks = [ - "webproxy" - ]; - environment = { - NB_MANAGEMENT_URL = cfg.managementUrl; - PEER_NAME = "${config.networking.hostName}-docker"; - NB_SETUP_KEY = cfg.docker.setupKey; - }; - extraOptions = [ - ''--mount=type=volume,source=netbird_client_data,target=/var/lib/netbird,volume-driver=local'' - ]; - }; - }; - - systemd.services."docker-netbird" = { - after = [ - "docker-network-webproxy.service" - ]; - requires = [ - "docker-network-webproxy.service" - ]; - }; - - - 
systemd.services."docker-network-webproxy" = { - path = [ pkgs.docker ]; - serviceConfig = { - Type = "oneshot"; - }; - script = '' - docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.20.0.0/16 --gateway=172.20.0.1 - ''; - }; - }; -} diff --git a/modules/netbird-docker.nix b/modules/netbird-docker.nix index a71f2ed..076fdaf 100644 --- a/modules/netbird-docker.nix +++ b/modules/netbird-docker.nix @@ -54,7 +54,7 @@ in { image = "netbirdio/dashboard:v${dashboardVersion}"; autoStart = true; networks = [ - "traefik" + "webproxy" ]; environment = { NETBIRD_MGMT_API_ENDPOINT = "https://${netbirdCfg.server.management.domain}"; @@ -88,7 +88,7 @@ in { image = "netbirdio/netbird-server:${serverVersion}"; autoStart = true; networks = [ - "traefik" + "webproxy" ]; entrypoint = "/bin/sh"; cmd = [ @@ -169,7 +169,7 @@ in { "51820:51820/udp" ]; networks = [ - "traefik" + "webproxy" ]; dependsOn = [ "netbird-server" diff --git a/modules/pocket-id.nix b/modules/pocket-id.nix index ff62097..48ac9cb 100644 --- a/modules/pocket-id.nix +++ b/modules/pocket-id.nix @@ -21,13 +21,12 @@ in { image = "ghcr.io/pocket-id/pocket-id:v${version}"; autoStart = true; networks = [ - "traefik" + "webproxy" ]; environment = { APP_URL = pocketidCfg.settings.APP_URL; TRUST_PROXY = lib.boolToString pocketidCfg.settings.TRUST_PROXY; ANALYTICS_DISABLED = lib.boolToString pocketidCfg.settings.ANALYTICS_DISABLED; - GEOLITE_DB_URL = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz"; }; environmentFiles = [ pocketidCfg.environmentFile ]; extraOptions = [ diff --git a/modules/traefik.nix b/modules/traefik.nix index 7f4ef6b..8888dac 100644 --- a/modules/traefik.nix +++ b/modules/traefik.nix 
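Review bot: The three modules/netbird-docker.nix hunks and the modules/pocket-id.nix hunk change each container's `networks` entry from `traefik` to `webproxy`, but the matching `systemd.services."docker-<name>"` `after`/`requires` entries are not in these hunks; if they still name `docker-network-traefik.service`, that unit no longer exists after this commit (traefik.nix renames it to `docker-network-webproxy.service`) and the containers will fail to start. Please check those dependency lists in the unchanged part of each file. The enclosing container definitions begin and end outside the hunks.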
@@ -35,7 +35,7 @@ in { "--providers.docker=true" "--providers.docker.endpoint=http://docker-socket-proxy:2375" "--providers.docker.exposedByDefault=false" - "--providers.docker.network=traefik" + "--providers.docker.network=webproxy" "--providers.file.directory=/dynamic-config" "--log.level=INFO" "--api=true" @@ -62,7 +62,7 @@ in { "443:443" ]; networks = [ - "traefik" + "webproxy" "docker-socket" ]; environmentFiles = lib.forEach cfg.dnsSecrets (secret: secret.path); @@ -102,22 +102,22 @@ in { systemd.services."docker-traefik" = { after = [ - "docker-network-traefik.service" + "docker-network-webproxy.service" "docker-network-docker-socket.service" ]; requires = [ - "docker-network-traefik.service" + "docker-network-webproxy.service" "docker-network-docker-socket.service" ]; }; - systemd.services."docker-network-traefik" = { + systemd.services."docker-network-webproxy" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; }; script = '' - docker network inspect traefik || docker network create traefik --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1 + docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1 ''; };
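Review bot: The renamed `docker-network-webproxy` unit in the last traefik.nix hunk creates `webproxy` with `--subnet=172.18.0.0/16`, while the deleted modules/netbird-client.nix defined a unit of the same name creating `webproxy` with `--subnet=172.20.0.0/16`. On a host that already ran the old unit, `docker network inspect webproxy` succeeds and the `create` branch is skipped, so the network keeps the 172.20.0.0/16 subnet and the gateway and any firewall rules written for 172.18.0.0/16 will silently not match. A comment on the script line, `# inspect||create never reconciles an existing network; delete and recreate webproxy by hand if the subnet changed`, would record that, or the script could compare the existing subnet before deciding. The hunk header count suggests one or two lines of this hunk are not visible in this chunk.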