wink: oauth2_proxy half-working

For the record: this is the last state before nftables broke yesterday.
As far as I know, all that is missing from this to make the authentication
for wink actually work is internet access for the container (as was also
the case for hasenloch); the snippets for coredns and NAT copied from that
container led to the aforementioned firewall problem — or at least they are
the only thing I changed between deployments.

Apart from that:
this moves the proxy into the container, mostly to make keeping track of its
state (esp. the secrets file) easier should we ever decide to move this
somewhere else / delete the container, since that will just delete any
additional state of the proxy with it.

services/wink.nix

@@ -9,15 +9,10 @@
     privateNetwork = true;
     hostAddress = "192.168.100.10";
     localAddress = "192.168.100.11";
-    
-    # expose the wink database for easier backups / migrations
-    bindMounts."/var/lib/wink/db" = {
-      hostPath = "/var/lib/wink-db";
-      isReadOnly = false;
-    };
+
 
     config = {pkgs, config, ...}: {      
-      networking.firewall.allowedTCPPorts = [ 3000 ];
+      networking.firewall.allowedTCPPorts = [ 8000 ];
       environment.systemPackages = [ pkgs.wink pkgs.v8 ];
 
       systemd.services.wink = {
@@ -39,39 +34,47 @@
           rails-wrapped server -b [::] -p 3000
         '';
       };
+
+      services.oauth2_proxy =
+        let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
+        in {
+          enable = true;
+          #nginx.virtualHosts = [ "matrix.hacc.space" ];
+          upstream = "http://localhost:3000";
+          httpAddress = "http//0.0.0.0:8000";
+
+          email.domains = [ "*" ];
+
+          # for the keycloak side of the configuration, see the documentation at
+          # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
+          provider = "keycloak";
+          clientID = "winktest"; # TODO
+          loginURL = "${keycloakurl}/auth";
+          redeemURL = "${keycloakurl}/token";
+          profileURL = "${keycloakurl}/userinfo";
+          validateURL = "${keycloakurl}/userinfo";
+
+          # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
+          keyFile = "/var/lib/oauth2_proxy/secrets";
+
+          extraConfig = {
+            # log format (default would also log ip addresses / users)
+            auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
+            #allowed_group = "hacc";
+          };
+        };
+
+
     };
   };
-  
-  
-  services.nginx.virtualHosts."wink.hacc.space" = {
-    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";
+
+
+  services.nginx.virtualHosts."matrix.hacc.space" = {
+    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
     forceSSL = true;
     enableACME = true;
   };
 
-  services.oauth2_proxy =
-    let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
-    in {
-    enable = true;
-    nginx.virtualHosts = [ "wink.hacc.space" ];
 
-    # for the keycloak side of the configuration, see the documentation at
-    # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
-    provider = "keycloak";
-    clientID = ""; # TODO
-    loginURL = "${keycloakurl}/auth";
-    redeemURL = "${keycloakurl}/token";
-    profileURL = "${keycloakurl}/userinfo";
-    validateURL = "${keycloakurl}/userinfo";
-
-    # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
-    keyFile = "/var/lib/oauth2_proxy/secrets";
-
-    extraConfig = {
-      # log format (default would also log ip addresses / users)
-      auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
-      allowed_group = "hacc";
-    };
-  };
 
 }