home / skills / rknall / claude-skills / newt-blueprint-generator
This skill generates and validates Pangolin Newt blueprint configurations in YAML or Docker labels to streamline resource setup.
npx playbooks add skill rknall/claude-skills --skill newt-blueprint-generatorReview the files below or copy the command above to add this skill to your agents.
---
name: "Newt Blueprint Generator"
description: "Generate and validate Pangolin Newt blueprint configurations in YAML or Docker Labels format. Use when creating Pangolin resource configurations, proxy resources, client resources, authentication settings, or Docker Compose blueprints."
---
# Newt Blueprint Generator
Expert assistance for creating, validating, and managing Pangolin Newt blueprint configurations.
## When to Use This Skill
This skill should be triggered when:
- Creating Pangolin blueprint configurations
- Generating YAML configuration files for Newt
- Creating Docker Compose files with Pangolin labels
- Configuring proxy resources (HTTP, TCP, UDP)
- Setting up client resources for Olm
- Configuring authentication (SSO, basic auth, pincode, password)
- Validating blueprint configurations
- Troubleshooting blueprint validation errors
- Converting between YAML and Docker Labels formats
## Overview
Pangolin Blueprints are declarative configurations that allow you to define resources and their settings in a structured format. They support two formats:
1. **YAML Configuration Files**: Standalone configuration files
2. **Docker Labels**: Configuration embedded in Docker Compose files
## Blueprint Formats
### YAML Configuration Format
YAML configs can be applied using:
- **Newt CLI**: Pass `--blueprint-file /path/to/blueprint.yaml`
- **API**: POST to `/org/{orgId}/blueprint` with base64-encoded JSON body
Example Newt usage:
```bash
newt --blueprint-file /path/to/blueprint.yaml <other-args>
```
### Docker Labels Format
For containerized applications, blueprints can be defined using Docker labels with the `pangolin.` prefix.
Enable Docker socket access:
```bash
newt --docker-socket /var/run/docker.sock <other-args>
```
Or use environment variable:
```bash
DOCKER_SOCKET=/var/run/docker.sock
```
## Resource Types
### Proxy Resources
Proxy resources expose HTTP, TCP, or UDP services through Pangolin.
#### HTTP Proxy Resource Example
```yaml
proxy-resources:
resource-nice-id-uno:
name: this is a http resource
protocol: http
full-domain: uno.example.com
host-header: example.com
tls-server-name: example.com
headers:
- name: X-Example-Header
value: example-value
- name: X-Another-Header
value: another-value
rules:
- action: allow
match: ip
value: 1.1.1.1
- action: deny
match: cidr
value: 2.2.2.2/32
- action: pass
match: path
value: /admin
targets:
- site: lively-yosemite-toad
hostname: localhost
method: http
port: 8000
- site: slim-alpine-chipmunk
hostname: localhost
path: /admin
path-match: exact
method: https
port: 8001
```
#### TCP/UDP Proxy Resource Example
```yaml
proxy-resources:
resource-nice-id-dos:
name: this is a raw resource
protocol: tcp
proxy-port: 3000
targets:
- site: lively-yosemite-toad
hostname: localhost
port: 3000
```
#### Targets-Only Resources
Simplified resources containing only target configurations:
```yaml
proxy-resources:
additional-targets:
targets:
- site: another-site
hostname: backend-server
method: https
port: 8443
- site: another-site
hostname: backup-server
method: http
port: 8080
```
**Note**: When using targets-only resources, `name` and `protocol` fields are not required.
### Client Resources
Client resources define proxied resources accessible via Olm client (SSH, RDP):
```yaml
client-resources:
client-resource-nice-id-uno:
name: this is my resource
protocol: tcp
proxy-port: 3001
hostname: localhost
internal-port: 3000
site: lively-yosemite-toad
```
## Authentication Configuration
Authentication is **off by default**. Enable by adding fields in the `auth` section.
**Note**: Authentication is only allowed on HTTP resources, not TCP/UDP.
```yaml
proxy-resources:
secure-resource:
name: Secured Resource
protocol: http
full-domain: secure.example.com
auth:
pincode: 123456
password: your-secure-password
basic-auth:
user: asdfa
password: sadf
sso-enabled: true
sso-roles:
- Member
- Admin
sso-users:
- [email protected]
whitelist-users:
- [email protected]
```
## Docker Labels Format
### Complete Docker Compose Example
```yaml
services:
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- PANGOLIN_ENDPOINT=https://app.pangolin.net
- NEWT_ID=h1rbsgku89wf9z3
- NEWT_SECRET=z7g54mbcwkglpx1aau9gb8mzcccoof2fdbs97keoakg2pp5z
- DOCKER_SOCKET=/var/run/docker.sock
nginx1:
image: nginxdemos/hello
container_name: nginx1
labels:
# Proxy Resource Configuration
- pangolin.proxy-resources.nginx.name=nginx
- pangolin.proxy-resources.nginx.full-domain=nginx.fosrl.io
- pangolin.proxy-resources.nginx.protocol=http
- pangolin.proxy-resources.nginx.headers[0].name=X-Example-Header
- pangolin.proxy-resources.nginx.headers[0].value=example-value
# Target Configuration - port and hostname auto-detected
- pangolin.proxy-resources.nginx.targets[0].method=http
- pangolin.proxy-resources.nginx.targets[0].path=/path
- pangolin.proxy-resources.nginx.targets[0].path-match=prefix
nginx2:
image: nginxdemos/hello
container_name: nginx2
labels:
# Additional target with explicit hostname and port
- pangolin.proxy-resources.nginx.targets[1].method=http
- pangolin.proxy-resources.nginx.targets[1].hostname=nginx2
- pangolin.proxy-resources.nginx.targets[1].port=80
networks:
default:
name: pangolin_default
```
### Docker Labels Considerations
- **Automatic Discovery**: When hostname and internal port are not defined, Pangolin auto-detects from container configuration
- **Site Assignment**: If no site is specified, resource is assigned to the discovering Newt site
- **Configuration Merging**: Configuration across containers is merged to form complete resource definitions
## Configuration Properties Reference
### Proxy Resources Properties
| Property | Type | Required | Description | Constraints |
|----------|------|----------|-------------|-------------|
| `name` | string | Conditional | Human-readable name | Required unless targets-only |
| `protocol` | string | Conditional | Protocol type (`http`, `tcp`, `udp`) | Required unless targets-only |
| `full-domain` | string | HTTP only | Full domain name | Required for HTTP, must be unique |
| `proxy-port` | number | TCP/UDP only | Port for raw TCP/UDP | Required for TCP/UDP, 1-65535, must be unique |
| `ssl` | boolean | No | Enable SSL/TLS | - |
| `enabled` | boolean | No | Whether resource is enabled | Defaults to `true` |
| `host-header` | string | No | Custom Host header | - |
| `tls-server-name` | string | No | SNI name for TLS | - |
| `headers` | array | No | Custom headers | Each requires `name` and `value` (min 1 char) |
| `rules` | array | No | Access control rules | See Rules section |
| `auth` | object | HTTP only | Authentication config | See Authentication section |
| `targets` | array | Yes | Target endpoints | See Targets section |
### Target Configuration Properties
| Property | Type | Required | Description | Constraints |
|----------|------|----------|-------------|-------------|
| `site` | string | No | Site identifier | - |
| `hostname` | string | Yes | Target hostname or IP | - |
| `port` | number | Yes | Target port | 1-65535 |
| `method` | string | HTTP only | Protocol method (`http`, `https`, `h2c`) | Required for HTTP |
| `enabled` | boolean | No | Whether target is enabled | Defaults to `true` |
| `internal-port` | number | No | Internal port mapping | 1-65535 |
| `path` | string | HTTP only | Path prefix, exact, or regex | - |
| `path-match` | string | HTTP only | Path matching type (`prefix`, `exact`, `regex`) | - |
### Authentication Properties
**Not allowed on TCP/UDP resources.**
| Property | Type | Required | Description | Constraints |
|----------|------|----------|-------------|-------------|
| `pincode` | number | No | 6-digit PIN | Must be exactly 6 digits |
| `password` | string | No | Password for access | - |
| `basic-auth` | object | No | Basic auth config | Requires `user` and `password` |
| `sso-enabled` | boolean | No | Enable SSO | Defaults to `false` |
| `sso-roles` | array | No | Allowed SSO roles | Cannot include "Admin" role |
| `sso-users` | array | No | Allowed SSO user emails | Must be valid emails |
| `whitelist-users` | array | No | Whitelisted user emails | Must be valid emails |
### Rules Configuration Properties
| Property | Type | Required | Description | Constraints |
|----------|------|----------|-------------|-------------|
| `action` | string | Yes | Rule action (`allow`, `deny`, `pass`) | - |
| `match` | string | Yes | Match type (`cidr`, `path`, `ip`, `country`) | - |
| `value` | string | Yes | Value to match | Format depends on match type |
### Client Resources Properties
| Property | Type | Required | Description | Constraints |
|----------|------|----------|-------------|-------------|
| `name` | string | Yes | Human-readable name | 2-100 characters |
| `protocol` | string | Yes | Protocol type (`tcp`, `udp`) | - |
| `proxy-port` | number | Yes | Port accessible to clients | 1-65535, must be unique |
| `hostname` | string | Yes | Target hostname or IP | 1-255 characters |
| `internal-port` | number | Yes | Port on target system | 1-65535 |
| `site` | string | No | Site identifier | 2-100 characters |
| `enabled` | boolean | No | Whether resource is enabled | Defaults to `true` |
## Validation Rules and Constraints
### Resource-Level Validations
1. **Targets-Only Resources**: A resource can contain only `targets` field, making `name` and `protocol` optional
2. **Protocol-Specific Requirements**:
- **HTTP Protocol**: Must have `full-domain` and all targets must have `method` field
- **TCP/UDP Protocol**: Must have `proxy-port` and targets must NOT have `method` field
- **TCP/UDP Protocol**: Cannot have `auth` configuration
3. **Port Uniqueness**:
- `proxy-port` values must be unique within `proxy-resources`
- `proxy-port` values must be unique within `client-resources`
- Cross-validation between proxy and client resources is not enforced
4. **Domain Uniqueness**: `full-domain` values must be unique across all proxy resources
5. **Target Method Requirements**: When protocol is `http`, all non-null targets must specify a `method`
## Common Validation Errors
### "Admin role cannot be included in sso-roles"
The `Admin` role is reserved and cannot be included in the `sso-roles` array.
**Solution**: Remove "Admin" from the `sso-roles` array.
### "Duplicate 'full-domain' values found"
Each `full-domain` must be unique across all proxy resources.
**Solution**: Use different subdomains or paths for multiple resources.
### "Duplicate 'proxy-port' values found"
Port numbers in `proxy-port` must be unique within their resource type.
**Solution**: Assign unique port numbers within `proxy-resources` and `client-resources` separately.
### "When protocol is 'http', all targets must have a 'method' field"
All targets in HTTP proxy resources must specify the connection method.
**Solution**: Add `method: http`, `method: https`, or `method: h2c` to all targets.
### "When protocol is 'tcp' or 'udp', targets must not have a 'method' field"
TCP and UDP targets should not include the `method` field.
**Solution**: Remove the `method` field from TCP/UDP resource targets.
### "When protocol is 'tcp' or 'udp', 'auth' must not be provided"
Authentication is only supported for HTTP resources.
**Solution**: Remove the `auth` section from TCP/UDP resources.
### "Resource must either be targets-only or have both 'name' and 'protocol' fields"
Resources must be either targets-only or complete resource definitions.
**Solution**: Either provide only `targets` field, or include both `name` and `protocol` fields.
## Workflow for Generating Blueprints
When a user requests a Pangolin Newt blueprint configuration:
1. **Gather Requirements**:
- Resource type (proxy or client)
- Protocol (HTTP, TCP, UDP)
- Domain or port requirements
- Target endpoints (hostname, port, site)
- Authentication needs (if HTTP)
- Access control rules (if any)
- Format preference (YAML or Docker Labels)
2. **Select Format**:
- Use **YAML** for standalone configurations or API deployment
- Use **Docker Labels** for containerized applications
3. **Validate Configuration**:
- Ensure protocol-specific requirements are met
- Check for unique `full-domain` (HTTP) or `proxy-port` (TCP/UDP)
- Verify authentication is only on HTTP resources
- Confirm all HTTP targets have `method` field
- Ensure TCP/UDP targets don't have `method` field
4. **Generate Configuration**:
- Create well-structured YAML or Docker Compose file
- Include helpful comments explaining each section
- Follow naming conventions (kebab-case for resource IDs)
5. **Provide Usage Instructions**:
- Explain how to apply the configuration (Newt CLI or API)
- Document any environment variables needed
- Include validation commands if applicable
## Best Practices
1. **Resource IDs**: Use descriptive, kebab-case identifiers (e.g., `web-app-prod`, `database-backup`)
2. **Target Organization**: Group related targets under the same resource ID
3. **Security First**: Enable authentication for sensitive HTTP resources
4. **Port Management**: Document port assignments to avoid conflicts
5. **Site Assignment**: Explicitly specify `site` for multi-site deployments
6. **Path Matching**: Use `prefix` for broad matches, `exact` for specific endpoints
7. **Headers**: Add custom headers for backend requirements (e.g., X-Forwarded-* headers)
8. **Rules**: Order rules from most specific to least specific
9. **Validation**: Always validate configurations before deployment
10. **Documentation**: Include comments in YAML or Docker Compose files explaining non-obvious choices
## Resources
- **API Documentation**: https://api.pangolin.net/v1/docs/#/Organization/put_org__orgId__blueprint
- **Python Example**: https://github.com/fosrl/pangolin/blob/dev/blueprint.py
- **Official Docs**: https://docs.pangolin.net/manage/blueprints
## Example Use Cases
### Use Case 1: Simple Web Application
**Requirements**: Expose a web app running on localhost:8080 via HTTPS at app.example.com
```yaml
proxy-resources:
web-app:
name: Web Application
protocol: http
full-domain: app.example.com
targets:
- hostname: localhost
port: 8080
method: https
```
### Use Case 2: TCP Database Access
**Requirements**: Expose PostgreSQL database on port 5432
```yaml
proxy-resources:
postgres-db:
name: PostgreSQL Database
protocol: tcp
proxy-port: 5432
targets:
- hostname: localhost
port: 5432
```
### Use Case 3: Multi-Target Load Balanced HTTP Service
**Requirements**: Multiple backend servers for the same domain
```yaml
proxy-resources:
api-service:
name: API Service
protocol: http
full-domain: api.example.com
targets:
- site: site-01
hostname: backend-01
port: 8080
method: http
- site: site-02
hostname: backend-02
port: 8080
method: http
```
### Use Case 4: Secured Resource with SSO
**Requirements**: Web app with SSO authentication
```yaml
proxy-resources:
secure-app:
name: Secure Application
protocol: http
full-domain: secure.example.com
auth:
sso-enabled: true
sso-roles:
- Member
- Developer
sso-users:
- [email protected]
targets:
- hostname: localhost
port: 3000
method: https
```
## Communication Style
When generating blueprints:
- Ask clarifying questions if requirements are unclear
- Explain validation errors in plain language
- Provide complete, working examples
- Include comments for complex configurations
- Suggest security best practices proactively
- Offer both YAML and Docker Labels formats when appropriate
This skill generates and validates Pangolin Newt blueprint configurations in YAML or Docker Labels format. It helps create proxy and client resources, configure authentication and access rules, and produce Docker Compose labels for containerized deployments. Use it to ensure blueprints meet protocol-specific constraints and naming/port uniqueness rules.
Provide resource requirements (proxy vs client, protocol, domain or proxy-port, targets, auth and rules) and choose output format (YAML or Docker Labels). The skill constructs the blueprint, applies validation rules (protocol constraints, port and domain uniqueness, target method requirements, auth restrictions) and returns a ready-to-use YAML file or Docker Compose labels. It also emits clear validation errors and remediation suggestions when constraints are violated.
Can I enable authentication on TCP or UDP resources?
No. Authentication is only supported on HTTP proxy resources. Remove the auth section for TCP/UDP resources.
What causes a 'duplicate full-domain' validation error?
Each HTTP full-domain must be unique across proxy-resources. Use distinct subdomains or split into different resources to resolve this.