Since there was a desire for some kind of authentication in front of wink,
here is a barebones config using oauth2-proxy. It is as yet untested, since
I didn't want to deploy things right now / fiddle with the keycloak settings.
See the comments in the documentation for what must still be done to make
this work.
I acknowledge that I said I wouldn't do this, but no one else seems to care.
This adds an instance of wink for the hacc-voc to hainich. Unfortunately,
neither the actual package nor the container itself look very nixy, and
e.g. cannot be configured declaratively. On the other hand, it does not
appear the wink *has* any kind of config, so I guess there's that.
Wink itself runs in a nixos container, but I've exposed its database
to /var/lib/wink-db on the host, just to make it easier to access.
After deployment, we still need to migrate our current database to this
instance by hand (i.e. take the current database, rename it
"development.sqlite3", and move it into the wink-db directory).
Any improvements to this mess are welcome.