excluded resolver

.gitea/workflows/deploy.yml

@@ -10,19 +10,14 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Log in to i80 registry
-        uses: docker/login-action@v3
-        with:
-          registry: registry.i80.dk
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+      - name: Build Docker image
+        run: docker build -t registry.i80.dk/moneycapp-tink-demo:latest .
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          tags: registry.i80.dk/moneycapp-tink-demo:latest
+      - name: Push to i80 registry
+        run: |
+          echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.i80.dk \
+            -u "${{ secrets.REGISTRY_USER }}" --password-stdin
+          docker push registry.i80.dk/moneycapp-tink-demo:latest
 
       - name: Deploy to Nomad
         env:

Makefile

@@ -1,4 +1,7 @@
-.PHONY: install run dev docker-build docker-up docker-down test clean
+.PHONY: install run dev docker-build docker-up docker-down push deploy logs vault-setup test clean
+
+REGISTRY = registry.i80.dk
+IMAGE    = $(REGISTRY)/moneycapp-tink-demo
 
 install:
 	python3 -m venv .venv && .venv/bin/pip install -q -r requirements.txt
@@ -20,5 +23,28 @@ docker-up:
 docker-down:
 	docker compose down
 
+# --- Deploy to i80.dk ---
+
+push:
+	docker build --platform linux/amd64 -t $(IMAGE):latest .
+	docker push $(IMAGE):latest
+	@echo "✓ Image pushed to $(IMAGE):latest"
+
+vault-setup:
+	@echo "Storing Tink credentials in Vault..."
+	vault kv put secret/moneycapp-tink-demo \
+		client_id=$(TINK_CLIENT_ID) \
+		client_secret=$(TINK_CLIENT_SECRET) \
+		session_secret=$$(openssl rand -hex 32)
+	@echo "✓ Vault secret stored at secret/moneycapp-tink-demo"
+
+deploy: push
+	scp moneycapp-tink-demo.nomad autobox.i80.dk:/tmp/
+	ssh autobox.i80.dk 'export NOMAD_ADDR=https://nomad.i80.dk:4646 && nomad job run /tmp/moneycapp-tink-demo.nomad'
+	@echo "✓ Deployed — https://tink-demo.i80.dk"
+
+logs:
+	ssh autobox.i80.dk 'export NOMAD_ADDR=https://nomad.i80.dk:4646 && nomad alloc logs -job moneycapp-tink-demo'
+
 clean:
 	rm -rf .venv __pycache__ src/__pycache__ src/**/__pycache__

moneycapp-tink-demo.nomad

@@ -13,7 +13,9 @@ job "moneycapp-tink-demo" {
       name = "moneycapp-tink-demo"
       port = "http"
       tags = ["traefik.enable=true",
-              "traefik.http.routers.tink-demo.rule=Host(`tink-demo.i80.dk`)"]
+              "traefik.http.routers.tink-demo.rule=Host(`tink-demo.i80.dk`)",
+              "traefik.http.routers.tink-demo.tls=true",
+              "traefik.http.routers.tink-demo.tls.certresolver=le"]
       check {
         type     = "http"
         path     = "/"
@@ -31,22 +33,14 @@ job "moneycapp-tink-demo" {
       }
 
       env {
+        TINK_CLIENT_ID    = "f168ab67fc2a413a8bd1e9ec62583392"
+        TINK_CLIENT_SECRET = "87f9ef0f49b54a1282f7969b85719f34"
         TINK_REDIRECT_URI = "https://tink-demo.i80.dk/callback"
         APP_BASE_URL      = "https://tink-demo.i80.dk"
+        SESSION_SECRET    = "moneycapp-tink-demo-i80-2026"
         TINK_API_BASE     = "https://api.tink.com"
         TINK_LINK_BASE    = "https://link.tink.com"
-      }
-
-      template {
-        data = <<EOF
-{{ with secret "secret/moneycapp-tink-demo" }}
-TINK_CLIENT_ID={{ .Data.data.client_id }}
-TINK_CLIENT_SECRET={{ .Data.data.client_secret }}
-SESSION_SECRET={{ .Data.data.session_secret }}
-{{ end }}
-EOF
-        destination = "secrets/env"
-        env         = true
+        DEMO_MODE         = "false"
       }
 
       resources {