update obs-portal dns target

This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.

flake.lock

@@ -180,11 +180,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712386041,
-        "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
+        "lastModified": 1714043624,
+        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
+        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
         "type": "github"
       },
       "original": {
@@ -224,11 +224,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713543876,
-        "narHash": "sha256-olEWxacm1xZhAtpq+ZkEyQgR4zgfE7ddpNtZNvubi3g=",
+        "lastModified": 1713946171,
+        "narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "9e7c20ffd056e406ddd0276ee9d89f09c5e5f4ed",
+        "rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7",
         "type": "github"
       },
       "original": {
@@ -255,11 +255,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713564160,
-        "narHash": "sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo=",
+        "lastModified": 1713995372,
+        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bc194f70731cc5d2b046a6c1b3b15f170f05999c",
+        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
         "type": "github"
       },
       "original": {
@@ -405,11 +405,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1713537308,
-        "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
+        "lastModified": 1713895582,
+        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
+        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
         "type": "github"
       },
       "original": {

hosts/nachtigall/apps/obs-portal.nix

@@ -0,0 +1,140 @@
+{ config
+, lib
+, pkgs
+, self
+, flake
+, ...
+}: let 
+  configPy = pkgs.writeText "obs-portal-config.py" ''
+DEBUG = False
+VERBOSE = DEBUG
+AUTO_RESTART = DEBUG
+LEAN_MODE = False
+FRONTEND_URL = None
+FRONTEND_HTTPS = True
+FRONTEND_DIR = "../frontend/build/"
+FRONTEND_CONFIG = {
+    "imprintUrl": "https://pub.solar/about",
+    "privacyPolicyUrl": "https://pub.solar/privacy",
+    "mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
+    "banner": {
+        "text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
+        "style": "info"
+    },
+}
+TILES_FILE = None
+ADDITIONAL_CORS_ORIGINS = None
+  '';
+
+  env = {
+    OBS_KEYCLOAK_URI = "auth.pub.solar";
+    OBS_PORTAL_URI = "obs-portal.pub.solar";
+
+    OBS_POSTGRES_MAX_OVERFLOW = "20";
+    OBS_POSTGRES_POOL_SIZE = "40";
+
+    OBS_HOST = "0.0.0.0";
+    OBS_PORT = "3000";
+    OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/";
+    OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
+    OBS_DEDICATED_WORKER = "True";
+    OBS_DATA_DIR = "/data";
+    OBS_PROXIES_COUNT = "1";
+  };
+in {
+  age.secrets.obs-portal-env = {
+    file = "${flake.self}/secrets/obs-portal-env.age";
+    mode = "600";
+  };
+
+  age.secrets.obs-portal-database-env = {
+    file = "${flake.self}/secrets/obs-portal-database-env.age";
+    mode = "600";
+  };
+
+  systemd.services."docker-network-obs-portal" =
+    let
+      docker = config.virtualisation.oci-containers.backend;
+      dockerBin = "${pkgs.${docker}}/bin/${docker}";
+    in
+    {
+      serviceConfig.Type = "oneshot";
+      before = [ "docker-obs-portal.service" ];
+      script = ''
+        ${dockerBin} network inspect obs-portal-net >/dev/null 2>&1 || ${dockerBin} network create obs-portal-net --subnet 172.20.0.0/24
+      '';
+    };
+
+  services.nginx.virtualHosts."obs-portal.pub.solar" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $host;
+      '';
+    };
+  };
+
+  virtualisation = {
+    oci-containers = {
+      backend = "docker";
+
+      containers."obs-portal" = {
+        image = "git.pub.solar/pub-solar/obs-portal:latest";
+        autoStart = true;
+        ports = [ "localhost:3001:${env.OBS_PORT}" ];
+
+        environment = env;
+        environmentFiles = [ config.age.secrets.obs-portal-env.path ];
+
+        volumes = [
+          "${configPy}:/opt/obs/api/config.py"
+          "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
+          "/var/lib/obs-portal/tiles/:/tiles"
+          "/var/lib/obs-portal/pbf/:/pbf"
+        ];
+
+        extraOptions = [
+          "--network=obs-portal-net"
+        ];
+      };
+
+      containers."obs-portal-worker" = {
+        image = "git.pub.solar/pub-solar/obs-portal:latest";
+        autoStart = true;
+
+        cmd = [ "python" "tools/process_track.py" ];
+
+        environment = env;
+        environmentFiles = [ config.age.secrets.obs-portal-env.path ];
+
+        volumes = [
+          "${configPy}:/opt/obs/api/config.py"
+          "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
+        ];
+
+        extraOptions = [
+          "--network=obs-portal-net"
+        ];
+      };
+
+      containers."obs-portal-db" = {
+        image = "openmaptiles/postgis:7.0";
+        autoStart = true;
+
+        environmentFiles = [ config.age.secrets.obs-portal-database-env.path ];
+
+        volumes = [
+          "/var/lib/postgres-obs-portal/data:/var/lib/postgresql/data"
+        ];
+
+        extraOptions = [
+          "--network=obs-portal-net"
+        ];
+      };
+    };
+  };
+}

hosts/nachtigall/default.nix

@@ -32,6 +32,7 @@
       ./apps/promtail.nix
       ./apps/searx.nix
       ./apps/tmate.nix
+      ./apps/obs-portal.nix
 
       ./apps/matrix/irc.nix
       ./apps/matrix/mautrix-telegram.nix

secrets/obs-portal-database-env.age

@@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg hAoEiOaK1U0HImALePEYHiE6xebOOqtVujaBWgNBZF8
+ecf/ykqYPihRJxI/Y7Oh6QhWSyncwevlzEZoRqm3aGM
+-> ssh-ed25519 uYcDNw NcIttsTn6wPCmoOYGtZ66IYhthjLDI3sYFe4pbW6cB4
+9hv4dEYoXXWSZ2pG1hy68vmTf++v+g3q7wVhT6cAog0
+-> ssh-rsa kFDS0A
+KoW3J2Tw90chM6Oy17umOQN0WFI4je7CBk3IgdImsd4Mz5q17/nXlhVlFFhx4ZEk
+Or9LaqytVk1NA6J4+suMRlx4Pd6oberXu1KBkFQMr1B3LKhNOaOZ+W1mrbQLGG9U
+YUTyOpkHxVkw0IOsvxB/0reMCHtjKHo661zFjim1YFmEk0WRt4hU1XqsMNiE4wbc
+GF0t9EWMN2pU2p7DpX/DzVTqu8yk8SQhCZc9kfzWcuawwf0rcjwUJ/Rk1MH5tMpK
+odRXXl1slPPwQinE+KJqeyrfuRDHqwqmxnOfOWG6KQwWkVSE1btiHEvfuuLOjSjl
+3wO+veRC9hW5sSCPANoFbuSQ1dprmoyaZnOyeRTbgw91ks/ogLBezF/KSkaMQeHx
+XRnfcceBmeeqHl9L3Z+3EmBjwIqu2Og0pvhDU8G/ZeA0cHS/22QYGzeD/gOqaEW7
+d1VyA6LZd8PxIjoBamdipIpY0TqZ8+cA/yaUKNnYXXRSlKQ5ggPxh7ZXfvRbGg+m
+WbNiHxBPcTK7/Bpzes4LJVcx0Ar4XeDxVQe1MITLpFWh+FDEQZEA3630JngZ153J
+vBvw+VFedPSr6Ov+/33/J3LKC0XRatGnc++AWfo4rWPLCE6qovEDyY+wmct8gv0j
+rMEK7OaNfyy+Z21mjrkwcEUbyoGt9ksEplaRblE0Lsk
+-> ssh-ed25519 YFSOsg LmLRtBYMSzjid3VkUgAQvDOS9r0imWSKE7fm0t/x41Y
+0mae0vsNmaS5aVOKezXit7KV44JKLpU+GWpuA++dCVo
+-> ssh-ed25519 iHV63A Tc2z2JciftAikoj4Hv9IBgkcYWAcyGuPJTNA3Yw2K1w
+cO5o/pbaZAtTvXUskOah9vWP/Tuvyi3QDM7g4AQ+b8s
+-> ssh-ed25519 BVsyTA mk6n6ytaI4V9JVoUZFtwfFOgaLYc6gvVOcSZXQj/FVI
+etqbUCqe0eY81qaVco7pMJjhfM+sA/bXLMW0bEsCLxI
+--- CmNq6ZPxFoFTsySVfr7BTHV0tm9cbRYGG6IR7DNgbEY
+!è烈í}
+ùSê<>ŸSl®Ds;!ÁjršZçR"—ë#ž­¿»ÙÅ~!›Ÿ¤6AùwEn ? kËAcx~—ŽÜGVæ&M¯ý¾ä,
+a›U

secrets/secrets.nix

@@ -64,4 +64,7 @@ in
 
   "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
   "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
+
+  "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys;
 }

terraform/dns.tf

@@ -36,8 +36,8 @@ resource "namecheap_domain_records" "pub-solar" {
   }
   record {
     hostname = "obs-portal"
-    type = "A"
-    address = "80.71.153.210"
+    type = "CNAME"
+    address = "nachtigall.pub.solar."
   }
   record {
     hostname = "vpn"