haccfiles/hosts/hainich/services/wink.nix

# for documentation on how this container works, have a look at
# https://wiki.infra4future.de/books/voc-infra/page/wink-65b

{ pkgs, config, ...}:

{
  containers.wink = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    
    # expose the wink database for easier backups / migrations
    bindMounts."/var/lib/wink/db" = {
      hostPath = "/var/lib/wink-db";
      isReadOnly = false;
    };

    config = {pkgs, config, ...}: {      
      networking.firewall.allowedTCPPorts = [ 3000 ];
      environment.systemPackages = [ pkgs.wink pkgs.v8 ];

      systemd.services.wink = {
        enable = true;
        description = "Wo ist meine Winkekatze?";
        wantedBy = [ "multi-user.target" ];
        serviceConfig.type = "simple";
        environment.HOME = "/var/lib/wink/home";
        path = [ pkgs.wink pkgs.v8 ];
        script = ''
          mkdir -p /var/lib/wink/home
          cd /var/lib/wink
          cp -r ${pkgs.wink.outPath}/* .
          if [ ! -f database.exists ]
          then
            rails-wrapped db:migrate db:seed RAILS_ENV=development
            touch database.exists
          fi
          rails-wrapped server -b [::] -p 3000
        '';
      };
    };
  };
  
  
  services.nginx.virtualHosts."wink.hacc.space" = {
    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";
    forceSSL = true;
    enableACME = true;
  };

  services.oauth2_proxy =
    let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
    in {
    enable = true;
    nginx.virtualHosts = [ "wink.hacc.space" ];

    # for the keycloak side of the configuration, see the documentation at
    # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
    provider = "keycloak";
    clientID = ""; # TODO
    loginURL = "${keycloakurl}/auth";
    redeemURL = "${keycloakurl}/token";
    profileURL = "${keycloakurl}/userinfo";
    validateURL = "${keycloakurl}/userinfo";

    # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
    keyFile = "/var/lib/oauth2_proxy/secrets";

    extraConfig = {
      # log format (default would also log ip addresses / users)
      auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
      allowed_group = "hacc";
    };
  };

}
Add wink (Wo ist meine Winkekatze?) for hacc-voc This adds an instance of wink for the hacc-voc to hainich. Unfortunately, neither the actual package nor the container itself look very nixy, and e.g. cannot be configured declaratively. On the other hand, it does not appear the wink has any kind of config, so I guess there's that. Wink itself runs in a nixos container, but I've exposed its database to /var/lib/wink-db on the host, just to make it easier to access. After deployment, we still need to migrate our current database to this instance by hand (i.e. take the current database, rename it "development.sqlite3", and move it into the wink-db directory). Any improvements to this mess are welcome. 2021-02-22 14:20:07 +00:00			`# for documentation on how this container works, have a look at`
			`# https://wiki.infra4future.de/books/voc-infra/page/wink-65b`

			`{ pkgs, config, ...}:`

			`{`
			`containers.wink = {`
			`autoStart = true;`
			`privateNetwork = true;`
			`hostAddress = "192.168.100.10";`
			`localAddress = "192.168.100.11";`

			`# expose the wink database for easier backups / migrations`
			`bindMounts."/var/lib/wink/db" = {`
			`hostPath = "/var/lib/wink-db";`
			`isReadOnly = false;`
			`};`

			`config = {pkgs, config, ...}: {`
			`networking.firewall.allowedTCPPorts = [ 3000 ];`
			`environment.systemPackages = [ pkgs.wink pkgs.v8 ];`

			`systemd.services.wink = {`
			`enable = true;`
			`description = "Wo ist meine Winkekatze?";`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig.type = "simple";`
			`environment.HOME = "/var/lib/wink/home";`
			`path = [ pkgs.wink pkgs.v8 ];`
			`script = ''`
			`mkdir -p /var/lib/wink/home`
			`cd /var/lib/wink`
			`cp -r ${pkgs.wink.outPath}/* .`
			`if [ ! -f database.exists ]`
			`then`
			`rails-wrapped db:migrate db:seed RAILS_ENV=development`
			`touch database.exists`
			`fi`
			`rails-wrapped server -b [::] -p 3000`
			`'';`
			`};`
			`};`
			`};`


			`services.nginx.virtualHosts."wink.hacc.space" = {`
			`locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";`
			`forceSSL = true;`
			`enableACME = true;`
			`};`
wink: init oauth2-proxy configuration. Since there was a desire for some kind of authentication in front of wink, here is a barebones config using oauth2-proxy. It is as yet untested, since I didn't want to deploy things right now / fiddle with the keycloak settings. See the comments in the documentation for what must still be done to make this work. I acknowledge that I said I wouldn't do this, but no one else seems to care. 2021-03-13 13:54:12 +00:00
			`services.oauth2_proxy =`
			`let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";`
			`in {`
			`enable = true;`
			`nginx.virtualHosts = [ "wink.hacc.space" ];`

			`# for the keycloak side of the configuration, see the documentation at`
			`# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider`
			`provider = "keycloak";`
			`clientID = ""; # TODO`
			`loginURL = "${keycloakurl}/auth";`
			`redeemURL = "${keycloakurl}/token";`
			`profileURL = "${keycloakurl}/userinfo";`
			`validateURL = "${keycloakurl}/userinfo";`

			`# must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET`
			`keyFile = "/var/lib/oauth2_proxy/secrets";`

			`extraConfig = {`
			`# log format (default would also log ip addresses / users)`
			`auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";`
			`allowed_group = "hacc";`
			`};`
			`};`

Add wink (Wo ist meine Winkekatze?) for hacc-voc This adds an instance of wink for the hacc-voc to hainich. Unfortunately, neither the actual package nor the container itself look very nixy, and e.g. cannot be configured declaratively. On the other hand, it does not appear the wink has any kind of config, so I guess there's that. Wink itself runs in a nixos container, but I've exposed its database to /var/lib/wink-db on the host, just to make it easier to access. After deployment, we still need to migrate our current database to this instance by hand (i.e. take the current database, rename it "development.sqlite3", and move it into the wink-db directory). Any improvements to this mess are welcome. 2021-02-22 14:20:07 +00:00			`}`