For the record: this is the last state before nftables broke yesterday.
As far as I know, all that is missing from this to make the authentication
for wink actually work is internet access for the container (as was also
the case for hasenloch); the snippets for coredns and NAT copied from that
container led to the aforementioned firewall problem — or at least they are
the only thing I changed between deployments.
Apart from that:
this moves the proxy into the container, mostly to make keeping track of its
state (esp. the secrets file) easier should we ever decide to move this
somewhere else / delete the container, since that will just delete any
additional state of the proxy with it.
Since there was a desire for some kind of authentication in front of wink,
here is a barebones config using oauth2-proxy. It is as yet untested, since
I didn't want to deploy things right now / fiddle with the keycloak settings.
See the comments in the documentation for what must still be done to make
this work.
I acknowledge that I said I wouldn't do this, but no one else seems to care.
This adds an instance of wink for the hacc-voc to hainich. Unfortunately,
neither the actual package nor the container itself look very nixy, and
e.g. cannot be configured declaratively. On the other hand, it does not
appear the wink *has* any kind of config, so I guess there's that.
Wink itself runs in a nixos container, but I've exposed its database
to /var/lib/wink-db on the host, just to make it easier to access.
After deployment, we still need to migrate our current database to this
instance by hand (i.e. take the current database, rename it
"development.sqlite3", and move it into the wink-db directory).
Any improvements to this mess are welcome.
Since the delivery of mumble.hacc.space/murmur.hacc.space via gitlab pages
broke (for whatever reason), I've packaged the site into an ad-hoc nix
derivation, which is now delivered locally by nginx instead. This has a
couple benefits (mainly that we no longer depend on gitlab pages), but
also the downside that we can't just update the site via gitlab's CI/CD
pipelines anymore.
this removes the old (unused) config for an angel system used during the
fridays for future camp 2020. Since it was configured "by hand" and not
in a declarative manner, and since there is now an actual module
`services.engelsystem` that we already use for the divoc it seems unlikely
that we will ever need the old config again.
From Nix's point of view, this commit is equivalent to doing nothing.
Seems to work fine, except for the domain — the engelsystem tries
to load its ressources from the IP of the container instead of its
url set in the config.
This is a partial revert, reintroducing hexchen to the project.
As it turns out, I am still quite invested in the project and require
frequent access to the nix-based infrastructure.
I am no longer comfortable with putting resources into this project and
therefore request to be removed from all infrastructure. I am still
happy to help out with software I set up, but I will no longer actively
maintain any services. As far as possible, I will remove myself from all
access groups or other privileged positions related to this project.
Essentially, I'm stepping down as a maintainer. I still reserve the
right to make changes via the established change processes (Merge
Requests as well as Issues in the meta-repositories), but I will no
longer make direct changes to infrastructure without going through those
review processes.
