diff --git a/hosts/hainich/services/wink.nix b/hosts/hainich/services/wink.nix
index f279632..689be72 100644
--- a/hosts/hainich/services/wink.nix
+++ b/hosts/hainich/services/wink.nix
@@ -9,15 +9,10 @@
 privateNetwork = true;
 hostAddress = "192.168.100.10";
 localAddress = "192.168.100.11";
-
- # expose the wink database for easier backups / migrations
- bindMounts."/var/lib/wink/db" = {
- hostPath = "/var/lib/wink-db";
- isReadOnly = false;
- };
+
 config = {pkgs, config, ...}: {
- networking.firewall.allowedTCPPorts = [ 3000 ];
+ networking.firewall.allowedTCPPorts = [ 8000 ];
 environment.systemPackages = [ pkgs.wink pkgs.v8 ];
 systemd.services.wink = {
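Review bot: Opening only 8000 in the container firewall makes oauth2-proxy the intended sole entry point, but the wink server itself apparently still binds all interfaces (`rails-wrapped server -b [::] -p 3000` appears as context in the next hunk), so reaching the unauthenticated app on 3000 is prevented only by the container firewall; binding rails to loopback (`-b 127.0.0.1`) would remove that single point of failure. A short comment on the changed line would save the next reader a lookup, e.g. `networking.firewall.allowedTCPPorts = [ 8000 ]; # oauth2-proxy only; wink itself listens on 3000 and must stay container-local`. Dropping the bind mount also moves the wink database from the host's `/var/lib/wink-db` into the container's own state, which the commit does not document; a note on where the data now lives and whether existing data was migrated would help. The enclosing container definition starts before this hunk and continues past it.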
@@ -39,39 +34,47 @@
 rails-wrapped server -b [::] -p 3000
 '';
 };
+
+ services.oauth2_proxy =
+ let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
+ in {
+ enable = true;
+ #nginx.virtualHosts = [ "matrix.hacc.space" ];
+ upstream = "http://localhost:3000";
+ httpAddress = "http//0.0.0.0:8000";
+
+ email.domains = [ "*" ];
+
+ # for the keycloak side of the configuration, see the documentation at
+ # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
+ provider = "keycloak";
+ clientID = "winktest"; # TODO
+ loginURL = "${keycloakurl}/auth";
+ redeemURL = "${keycloakurl}/token";
+ profileURL = "${keycloakurl}/userinfo";
+ validateURL = "${keycloakurl}/userinfo";
+
+ # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
+ keyFile = "/var/lib/oauth2_proxy/secrets";
+
+ extraConfig = {
+ # log format (default would also log ip addresses / users)
+ auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
+ #allowed_group = "hacc";
+ };
+ };
+
+ };
 };
-
-
- services.nginx.virtualHosts."wink.hacc.space" = {
- locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";
+
+
+ services.nginx.virtualHosts."matrix.hacc.space" = {
+ locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
 forceSSL = true;
 enableACME = true;
 };
- services.oauth2_proxy =
- let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
- in {
- enable = true;
- nginx.virtualHosts = [ "wink.hacc.space" ];
- # for the keycloak side of the configuration, see the documentation at
- # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
- provider = "keycloak";
- clientID = ""; # TODO
- loginURL = "${keycloakurl}/auth";
- redeemURL = "${keycloakurl}/token";
- profileURL = "${keycloakurl}/userinfo";
- validateURL = "${keycloakurl}/userinfo";
-
- # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
- keyFile = "/var/lib/oauth2_proxy/secrets";
-
- extraConfig = {
- # log format (default would also log ip addresses / users)
- auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
- allowed_group = "hacc";
- };
- };
 }
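Review bot: With `email.domains = [ "*" ]` and `#allowed_group = "hacc";` commented out, any account in the Keycloak realm now gets through oauth2-proxy, whereas the removed configuration restricted access to the `hacc` group; unless that widening is intended, re-enable the group restriction, and since the neighbouring key was renamed to the flag-style `auth-logging-format`, check the linked oauth2-proxy docs for the matching spelling of the group option before uncommenting it. `httpAddress = "http//0.0.0.0:8000"` is missing the colon after `http` and should read `httpAddress = "http://0.0.0.0:8000";`, otherwise the listen address will most likely fail to parse and the proxy will not come up on the port the firewall now opens. The nginx vhost was renamed from `wink.hacc.space` to `matrix.hacc.space` while still proxying into the wink container, which looks like a copy-paste from a matrix config rather than an intended move, and the Keycloak client's registered redirect URI has to match whichever name is kept. `clientID = "winktest"; # TODO` and the context line `rails-wrapped server -b [::] -p 3000` (its service definition starts before this hunk) are also worth tightening before deployment: a real client ID, and binding rails to loopback so that only oauth2-proxy on 8000 is reachable even if the container firewall is loosened.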