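# for documentation on how this container works, have a look at
# https://wiki.infra4future.de/books/voc-infra/page/wink-65b
#
# NixOS module: runs the "wink" rails app inside a NixOS container on a
# private host/container network, publishes it through nginx on
# wink.hacc.space and puts oauth2_proxy (keycloak) in front of it.
{ pkgs, config, ...}:

{
  containers.wink = {
    autoStart = true;
    # own network namespace: port 3000 below is only reachable from the
    # host side (192.168.100.10), not from the outside
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    # expose the wink database for easier backups / migrations
    # (writable, the app owns this data; the host-side path is where backups
    # should read from)
    bindMounts."/var/lib/wink/db" = {
      hostPath = "/var/lib/wink-db";
      isReadOnly = false;
    };

    # container-side configuration; `pkgs`/`config` here are the
    # container's own, deliberately shadowing the outer ones
    config = {pkgs, config, ...}: {
      # this is the container's firewall, not the host's
      networking.firewall.allowedTCPPorts = [ 3000 ];

      environment.systemPackages = [ pkgs.wink pkgs.v8 ];

      systemd.services.wink = {
        enable = true;
        description = "Wo ist meine Winkekatze?";
        wantedBy = [ "multi-user.target" ];
        # systemd directives are case-sensitive: `type` would be written out
        # as an unknown key and ignored, `Type` is the real one
        serviceConfig.Type = "simple";
        # NOTE(review): no `User` is set, so the service runs as root inside
        # the container; a dedicated user would also need ownership of
        # /var/lib/wink and the bind mount above — TODO confirm before changing
        environment.HOME = "/var/lib/wink/home";
        path = [ pkgs.wink pkgs.v8 ];
        script = ''
          mkdir -p /var/lib/wink/home
          cd /var/lib/wink
          # refresh the app tree from the store on every start; the db/
          # directory inside it is the bind mount, so data survives
          cp -r ${pkgs.wink.outPath}/* .
          # one-time initialisation, guarded by a marker file
          if [ ! -f database.exists ]
          then
            rails-wrapped db:migrate db:seed RAILS_ENV=development
            touch database.exists
          fi
          # NOTE(review): no RAILS_ENV is given here, so rails falls back to
          # development mode (verbose error pages, no asset precompilation);
          # matches the migration above, but presumably not intended for
          # public use long-term — confirm before switching to production,
          # which needs its own secrets/assets setup
          rails-wrapped server -b [::] -p 3000
        '';
      };
    };
  };

  # public entry point; TLS is terminated here, the backend is plain http on
  # the private container network
  services.nginx.virtualHosts."wink.hacc.space" = {
    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";
    forceSSL = true;
    enableACME = true;
  };

  # authentication in front of the app: every request to wink.hacc.space has
  # to pass oauth2_proxy, which delegates to keycloak
  services.oauth2_proxy = let
    keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
  in {
    enable = true;
    nginx.virtualHosts = [ "wink.hacc.space" ];
    # for the keycloak side of the configuration, see the documentation at
    # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
    provider = "keycloak";
    # TODO: still empty — oauth2_proxy cannot complete a login without the
    # client id registered in keycloak; the matching client secret lives in
    # keyFile below, not here
    clientID = ""; # TODO
    loginURL = "${keycloakurl}/auth";
    redeemURL = "${keycloakurl}/token";
    profileURL = "${keycloakurl}/userinfo";
    validateURL = "${keycloakurl}/userinfo";
    # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
    # (kept out of the nix store on purpose, since the store is world-readable)
    keyFile = "/var/lib/oauth2_proxy/secrets";
    extraConfig = {
      # log format (default would also log ip addresses / users)
      auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
      # only members of this group get through; presumably requires keycloak
      # to expose group membership to the proxy — verify on the keycloak side
      allowed_group = "hacc";
    };
  };
}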