In theory, this should work without that option (by getting the correct domain
from the nginx reverse proxy via IP header), but apparently it doesn't.
Also, I moved wink to wink2.hacc.space
For the record: this is the last state before nftables broke yesterday.
As far as I know, all that is missing from this to make the authentication
for wink actually work is internet access for the container (as was also
the case for hasenloch); the snippets for coredns and NAT copied from that
container led to the aforementioned firewall problem — or at least they are
the only thing I changed between deployments.
Apart from that:
this moves the proxy into the container, mostly to make keeping track of its
state (esp. the secrets file) easier should we ever decide to move this
somewhere else / delete the container, since that will just delete any
additional state of the proxy with it.
Since there was a desire for some kind of authentication in front of wink,
here is a barebones config using oauth2-proxy. It is as yet untested, since
I didn't want to deploy things right now / fiddle with the keycloak settings.
See the comments in the documentation for what must still be done to make
this work.
I acknowledge that I said I wouldn't do this, but no one else seems to care.
This adds an instance of wink for the hacc-voc to hainich. Unfortunately,
neither the actual package nor the container itself look very nixy, and
e.g. cannot be configured declaratively. On the other hand, it does not
appear the wink *has* any kind of config, so I guess there's that.
Wink itself runs in a nixos container, but I've exposed its database
to /var/lib/wink-db on the host, just to make it easier to access.
After deployment, we still need to migrate our current database to this
instance by hand (i.e. take the current database, rename it
"development.sqlite3", and move it into the wink-db directory).
Any improvements to this mess are welcome.
