Use netbird url for GeoLite city database download in pocket-id

Update flake.lock
Add DBeaver as lazy app
2026-05-04 01:50:25 +02:00 · 2026-05-04 01:50:08 +02:00 · 2026-05-04 01:49:50 +02:00 · 2026-04-30 23:19:59 +02:00 · 2026-04-30 23:16:58 +02:00 · 2026-04-30 23:16:06 +02:00
10 changed files with 172 additions and 42 deletions
--- a/flake.lock
+++ b/flake.lock
@ -50,11 +50,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776613567,
-        "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
+        "lastModified": 1777713215,
+        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
+        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
        "type": "github"
      },
      "original": {
@ -144,11 +144,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775425411,
-        "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=",
+        "lastModified": 1777771528,
+        "narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe",
+        "rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51",
        "type": "github"
      },
      "original": {
@ -181,11 +181,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1776983936,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "lastModified": 1777796046,
+        "narHash": "sha256-bEJp/zaQApzynGRaAO62BZSz9tFikKtIHCn2yIA/s7Q=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "eeb02f6e29fc8139c0b15af5ff0fdfdc6d0d3d90",
        "type": "github"
      },
      "original": {
@ -197,11 +197,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1776734388,
-        "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=",
+        "lastModified": 1777673416,
+        "narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac",
+        "rev": "26ef669cffa904b6f6832ab57b77892a37c1a671",
        "type": "github"
      },
      "original": {
@ -261,11 +261,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1776877367,
-        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+        "lastModified": 1777578337,
+        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
        "type": "github"
      },
      "original": {
@ -307,11 +307,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1775228763,
-        "narHash": "sha256-8fKOEOouCaPZLBTdWPS+uU0bxsPp1OmfloDNoNSiu8w=",
+        "lastModified": 1777731636,
+        "narHash": "sha256-OkFcWIKnrl0n5ULcFnzmLjdfD7Z8IHtYLge3e7EuARs=",
        "owner": "SaumonNet",
        "repo": "proxmox-nixos",
-        "rev": "e803cb839e5e5207fa37d92bc6ac7290f4dba633",
+        "rev": "22b690085bfb2b82cbbc8e9d637a67c9c704b6db",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -143,6 +143,9 @@

        specialArgs = {
          inherit inputs outputs;
+          pkgs-unstable = import nixpkgs-unstable {
+            inherit system;
+          };
        };

        modules = [
@ -177,7 +180,6 @@
          inherit inputs outputs;
          pkgs-unstable = import nixpkgs-unstable {
            inherit system;
-            config.allowUnfree = true;
          };
        };

--- a/hosts/busch-main-docker/default.nix
+++ b/hosts/busch-main-docker/default.nix
@ -1,4 +1,4 @@
-{ inputs, outputs, config, lib, pkgs, ... }:
+{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }:

 {
  imports =
@ -12,6 +12,7 @@
      ../../modules/server-cli.nix
      ../../modules/sshd.nix
      ../../modules/docker.nix
+      ../../modules/netbird-client.nix
      "${inputs.secrets}/modules/opkssh.nix"

      # Include the results of the hardware scan.
@ -26,6 +27,13 @@
  };
  networking.hostName = "docker-main"; # Define your hostname.

+  services.netbird-client = {
+    enable = true;
+    managementUrl = "https://netbird.jfreudenberger.de";
+    host.setupKey = "DB64713B-FB23-49F1-A4A7-9B9E37B585D4";
+    docker.setupKey = "B9ECD884-B445-4156-8643-D0F34D64C200";
+  };
+
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  # Most users should NEVER change this value after the initial install, for any reason,
--- a/hosts/srv03/default.nix
+++ b/hosts/srv03/default.nix
@ -1,4 +1,4 @@
-{ inputs, outputs, config, lib, pkgs, ... }:
+{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }:

 {
  imports =
@ -17,6 +17,8 @@
      ../../modules/traefik.nix
      ../../modules/pocket-id.nix
      ../../modules/netbird-docker.nix
+      ../../modules/netbird-client.nix
+      ../../modules/dockhand.nix
      ../../modules/auto-upgrade.nix
      "${inputs.secrets}/modules/opkssh.nix"
      # Include the results of the hardware scan.
@ -44,6 +46,11 @@
      environmentFile = config.age.secrets.pocket-id.path;
    };

+    dockhand = {
+      enable = true;
+      appUrl = "dockhand.jfreudenberger.de";
+    };
+
    netbird-docker = {
      enable = true;
      secrets = config.age.secrets.netbird-server;
@ -59,10 +66,16 @@
      management.domain = domain;
      dashboard.domain = domain;
      signal.domain = domain;
-      management.oidcConfigEndpoint = "https://login.jfreudenberger.de/.well-known/openid-configuration";
    };
  };

+  services.netbird-client = {
+    enable = true;
+    managementUrl = "https://netbird.jfreudenberger.de";
+    host.setupKey = "B57B7B1D-AFBF-4D73-91F5-014A0D8645A4";
+    docker.setupKey = "F49C8243-DB76-4C8C-9136-25498D72B494";
+  };
+
  systemd.network = {
    enable = true;
      networks."10-wan" = {
--- a/modules/dockhand.nix
+++ b/modules/dockhand.nix
@ -17,7 +17,7 @@ in {
  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      dockhand = {
-        image = "fnsys/dockhand:v1.0.12";
+        image = "fnsys/dockhand:v1.0.27";
        volumes = [
          "/var/run/docker.sock:/var/run/docker.sock"
        ];
@ -26,16 +26,8 @@ in {
          PGID = "1000";
        };
        networks = [
-          "pangolin"
+          "webproxy"
        ];
-        labels = {
-          "pangolin.public-resources.dockhand.name" = "dockhand";
-          "pangolin.public-resources.dockhand.full-domain" = cfg.appUrl;
-          "pangolin.public-resources.dockhand.protocol" = "http";
-          "pangolin.public-resources.dockhand.auth.sso-enabled" = "true";
-          "pangolin.public-resources.dockhand.auth.auto-login-idp" = "1";
-          "pangolin.public-resources.dockhand.targets[0].method" = "http";
-        };
        extraOptions = [
          ''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local''
          ''--group-add=${toString config.ids.gids.docker}''
--- a/modules/gui-coding.nix
+++ b/modules/gui-coding.nix
@ -11,6 +11,21 @@
    zed-editor.fhs

    k6
+
+    (pkgs.lazy-app.override {
+      pkg = pkgs.dbeaver-bin;
+      desktopItem = pkgs.makeDesktopItem {
+        name = "DBeaver";
+        exec = "env NO_AT_BRIDGE=1 dbeaver %U";
+        icon = "dbeaver";
+        desktopName = "DBeaver";
+        comment = "SQL Integrated Development Environment";
+        categories = [ "IDE" "Development" ];
+        mimeTypes = [
+          "application/sql"
+        ];
+      };
+    })
  ];

 }
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -0,0 +1,99 @@
+{
+  pkgs,
+  pkgs-unstable,
+  utils,
+  config,
+  lib,
+  ...
+}:
+let
+
+  cfg = config.services.netbird-client;
+
+  clientVersion = "0.69.0";
+
+  clientConfiguration = lib.types.submodule {
+    options = {
+      setupKey = lib.mkOption {
+        description = "Setup Key for this client";
+        type = lib.types.str;
+      };
+    };
+  };
+
+in {
+
+  options.services.netbird-client = {
+    enable = lib.mkEnableOption "Netbird client, with possiblities for host connection and for docker based connection.";
+    managementUrl = lib.mkOption {
+      description = "Management URL of netbird server.";
+      type = lib.types.str;
+    };
+    host = lib.mkOption {
+      description = "Configuration for host connection";
+      type = clientConfiguration;
+    };
+    docker = lib.mkOption {
+      description = "Configuration for docker connection";
+      type = clientConfiguration;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.netbird = {
+      package = pkgs-unstable.netbird;
+      useRoutingFeatures = "both";
+      clients.wt0 = {
+        hardened = false;
+        login = {
+          enable = true;
+          setupKeyFile = (pkgs.writeText "setupKey" cfg.host.setupKey).outPath;
+        };
+        port = 51820;
+        environment = {
+          NB_MANAGEMENT_URL = cfg.managementUrl;
+        };
+      };
+    };
+    systemd.services.${config.services.netbird.clients.wt0.service.name}.path = [ pkgs.shadow ];
+
+    virtualisation.oci-containers.containers = {
+      netbird = {
+        image = "netbirdio/netbird:${clientVersion}-rootless";
+        autoStart = true;
+        hostname = "${config.networking.hostName}-docker";
+        networks = [
+          "webproxy"
+        ];
+        environment = {
+          NB_MANAGEMENT_URL = cfg.managementUrl;
+          PEER_NAME = "${config.networking.hostName}-docker";
+          NB_SETUP_KEY = cfg.docker.setupKey;
+        };
+        extraOptions = [
+          ''--mount=type=volume,source=netbird_client_data,target=/var/lib/netbird,volume-driver=local''
+        ];
+      };
+    };
+
+    systemd.services."docker-netbird" = {
+      after = [
+        "docker-network-webproxy.service"
+      ];
+      requires = [
+        "docker-network-webproxy.service"
+      ];
+    };
+
+
+    systemd.services."docker-network-webproxy" = {
+      path = [ pkgs.docker ];
+      serviceConfig = {
+        Type = "oneshot";
+      };
+      script = ''
+        docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.20.0.0/16 --gateway=172.20.0.1
+      '';
+    };
+  };
+}
--- a/modules/netbird-docker.nix
+++ b/modules/netbird-docker.nix
@ -54,7 +54,7 @@ in {
        image = "netbirdio/dashboard:v${dashboardVersion}";
        autoStart = true;
        networks = [
-          "webproxy"
+          "traefik"
        ];
        environment = {
          NETBIRD_MGMT_API_ENDPOINT = "https://${netbirdCfg.server.management.domain}";
@ -88,7 +88,7 @@ in {
        image = "netbirdio/netbird-server:${serverVersion}";
        autoStart = true;
        networks = [
-          "webproxy"
+          "traefik"
        ];
        entrypoint = "/bin/sh";
        cmd = [
@ -169,7 +169,7 @@ in {
          "51820:51820/udp"
        ];
        networks = [
-          "webproxy"
+          "traefik"
        ];
        dependsOn = [
          "netbird-server"
--- a/modules/pocket-id.nix
+++ b/modules/pocket-id.nix
@ -21,12 +21,13 @@ in {
        image = "ghcr.io/pocket-id/pocket-id:v${version}";
        autoStart = true;
        networks = [
-          "webproxy"
+          "traefik"
        ];
        environment = {
          APP_URL = pocketidCfg.settings.APP_URL;
          TRUST_PROXY = lib.boolToString pocketidCfg.settings.TRUST_PROXY;
          ANALYTICS_DISABLED = lib.boolToString pocketidCfg.settings.ANALYTICS_DISABLED;
+          GEOLITE_DB_URL = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz";
        };
        environmentFiles = [ pocketidCfg.environmentFile ];
        extraOptions = [
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@ -35,7 +35,7 @@ in {
          "--providers.docker=true"
          "--providers.docker.endpoint=http://docker-socket-proxy:2375"
          "--providers.docker.exposedByDefault=false"
-          "--providers.docker.network=webproxy"
+          "--providers.docker.network=traefik"
          "--providers.file.directory=/dynamic-config"
          "--log.level=INFO"
          "--api=true"
@ -62,7 +62,7 @@ in {
          "443:443"
        ];
        networks = [
-          "webproxy"
+          "traefik"
          "docker-socket"
        ];
        environmentFiles = lib.forEach cfg.dnsSecrets (secret: secret.path);
@ -102,22 +102,22 @@ in {

    systemd.services."docker-traefik" = {
      after = [
-        "docker-network-webproxy.service"
+        "docker-network-traefik.service"
        "docker-network-docker-socket.service"
      ];
      requires = [
-        "docker-network-webproxy.service"
+        "docker-network-traefik.service"
        "docker-network-docker-socket.service"
      ];
    };

-    systemd.services."docker-network-webproxy" = {
+    systemd.services."docker-network-traefik" = {
      path = [ pkgs.docker ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = ''
-        docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+        docker network inspect traefik || docker network create traefik --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
      '';
    };
Author	SHA1	Message	Date
JuliusFreudenberger	c9326284d3	Use netbird url for GeoLite city database download in pocket-id	2026-05-04 01:50:25 +02:00
JuliusFreudenberger	1678716c57	Update flake.lock	2026-05-04 01:50:08 +02:00
JuliusFreudenberger	7a7901ab59	Add DBeaver as lazy app	2026-05-04 01:49:50 +02:00
JuliusFreudenberger	a822cef7e7	Update flake.lock	2026-04-30 23:19:59 +02:00
JuliusFreudenberger	5cc1be31ad	Enable dockhand on srv03	2026-04-30 23:16:58 +02:00
JuliusFreudenberger	cb0104fbad	Update dockhand module to new reverse proxy setup with netbird	2026-04-30 23:16:06 +02:00
JuliusFreudenberger	0b8faa3328	Add netbird client to busch-main-docker	2026-04-30 23:09:59 +02:00
JuliusFreudenberger	0e9998b94a	Enable netbird client on srv03	2026-04-30 23:08:42 +02:00
JuliusFreudenberger	496bbb8271	Add combined module for netbird client native and in container Native will be used for SSH access, the container is rootless and will be used for reverse proxying services.	2026-04-30 23:06:41 +02:00
JuliusFreudenberger	adaaaa9602	Remove unused oidcEndpoint setting for netbird	2026-04-30 23:05:23 +02:00
JuliusFreudenberger	90b63bd24f	Rename traefik network to traefik Webproxy is the name intended for the network where the netbird container used for proxying resides.	2026-04-30 23:04:04 +02:00