hacc/haccfiles
8
0
Fork 1
Code Issues 1 Pull requests Projects Releases Wiki Activity
haccfiles/parsons/mattermost-s4f.nix

216 lines
7.3 KiB
Nix
Raw Normal View History

kanidm & mattermost-staging: dirty hacking this doesn't work; kanidm seems to give a different userinfo from what mattermost wants …
2024-03-11 02:04:01 +00:00
{ config, lib, pkgs, evalConfig, ... }:
{
sops.secrets = {
"mattermost-s4f/env" = {};
};
containers.mattermost-staging = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.11";
localAddress = "192.168.100.13";
ephemeral = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/mattermost-s4f";
isReadOnly = false;
};
"/secrets".hostPath = "/run/secrets/mattermost-s4f";
"/cert".hostPath = "/var/lib/acme/kanidm.infra4future.de";
};
path = evalConfig ({ config, lib, pkgs, ... }: {
systemd.services.mattermost.serviceConfig.EnvironmentFile =
lib.mkForce "/secrets/env";
services.mattermost = {
enable = true;
siteUrl = "https://mattermost-staging.infra4future.de";
siteName = "Mattermost for testing";
listenAddress = "0.0.0.0:3000";
mutableConfig = false;
statePath = "/persist/mattermost";
extraConfig = {
ServiceSettings = {
TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
ReadTimeout = 300;
WriteTimeout = 600;
IdleTimeout = 60;
MaximumLoginAttempts = 10;
AllowCorsFrom = "*.infra4future.de/*";
WebserverMode = "gzip";
EnableCustomEmoji = true;
EnableEmojiPicker = true;
EnableGifPicker = false;
RestrictCustomEmojiCreation = "all";
RestrictPostDelete = "all";
AllowEditPost = "always";
PostEditTimeout = -1;
EnableTutorial = false;
ExperimentalChannelSidebarOrganization = "default_on";
ExperimentalChannelOrganization = true;
ExperimentalDataPrefetch = true;
EnableEmailInvitations = true;
DisableLegacyMFA = true;
EnableSVGs = true;
EnableLaTeX = true;
ThreadAutoFollow = true;
EnableSecurityFixAlert = false;
CollapsedThreads = "default_on";
};
TeamSettings = {
EnableTeamCreation = true;
EnableUserCreation = true;
MaxUsersPerTeam = 250;
EnableOpenServer = false;
EnableUserDeactivation = true;
ExperimentalViewArchivedChannels = true;
ExperimentalEnableAutomaticReplies = true;
};
LogSettings = {
EnableConsole = true;
# note: for some reason this doesn't work (mattermost still sets it to DEBUG);
# it's also set in secrets.env, where for some reason it does
ConsoleLevel = "ERROR";
EnableDiagnostics = false;
EnableWebhookDebugging = false;
};
NotificationLogSettings = {
EnableConsole = true;
ConsoleLevel = "INFO";
};
PasswordSettings = {
MinimumLength = 10;
# turn of all the bullshit requirements
Lowercase = false;
Number = false;
Uppercase = false;
Symbol = false;
};
FileSettings = {
EnableFileAttachments = true;
MaxFileSize = 52428800;
DriverName = "local";
Directory = "/persist/mattermost/upload-storage";
EnablePublicLink = true;
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
};
EmailSettings = {
EnableSignUpWithEmail = false;
EnableSignInWithEmail = false;
EnableSignInWithUsername = false;
SendEmailNotifications = true;
FeedbackName = "mattermost";
FeedbackEmail = "mattermost@infra4future.de";
ReplyToAddress = "mattermost@infra4future.de";
FeedbackOrganization = "infra4future.de";
EnableSMTPAuth = true;
SMTPUsername = "noreply@infra4future.de";
SMTPServer = "mail.hacc.space";
SMTPPort = "465";
SMTPServerTimeout = 10;
ConnectionSecurity = "TLS";
};
RateLimitSettings.Enable = false;
PrivacySettings = {
ShowEmailAddress = false;
ShowFullName = true;
};
# to disable the extra landing page advertising the app
NativeAppSettings = {
AppDownloadLink = "";
AndroidAppDownloadLink = "";
IosAppDownloadLink = "";
};
SupportSettings = {
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
AboutLink = "https://infra4future.de";
SupportEmail = "info@infra4future.de";
CustomTermsOfServiceEnabled = false;
EnableAskCommunityLink = true;
};
AnnouncementSettings.EnableBanner = false;
GitLabSettings = {
Enable = true;
Id = "mattermost";
Scope = "users";
AuthEndpoint = "https://kanidm.infra4future.de/ui/oauth2";
TokenEndpoint = "https://kanidm.infra4future.de/oauth2/token";
UserApiEndpoint = "https://kanidm.infra4future.de/oauth2/openid/mattermost/userinfo";
};
# for some reason, these don't appear to be working; the startup
# process complaines and sets these back to en
LocalizationSettings = {
DefaultServerLocale = "de";
DefaultClientLocale = "de";
AvailableLocales = "de,en";
};
MessageExportSettings.EnableExport = false;
ComplianceSettings.Enable = false;
ClusterSettings.Enable = false;
MetricsSettings.Enable = false;
GuestAccountsSettings.Enable = false;
FeatureFlags.CollapsedThreads = true;
};
# eh, why not try it this time
localDatabaseCreate = true;
};
services.postgresqlBackup = {
enable = true;
databases = [ "mattermost" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
services.kanidm = {
enableServer = true;
serverSettings = {
bindaddress = "[::]:4000";
domain = "kanidm.infra4future.de";
origin = "https://kanidm.infra4future.de";
tls_chain = "/cert/fullchain.pem";
tls_key = "/cert/key.pem";
};
};
environment.systemPackages = [ pkgs.kanidm ];
# can't configure db location because of hardening options
# https://github.com/NixOS/nixpkgs/pull/143134/files#r800231100
hacc.bindToPersist = [ "/var/lib/kanidm" ];
services.postgresql.package = pkgs.postgresql;
});
};
services.nginx.virtualHosts."mattermost-staging.infra4future.de" = {
locations."/" = {
proxyPass = "http://${config.containers.mattermost-staging.localAddress}:3000";
proxyWebsockets = true;
extraConfig = ''
# Mattermost CSR Patch
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
proxy_redirect off;
'';
};
forceSSL = true;
enableACME = true;
};
services.nginx.virtualHosts."kanidm.infra4future.de" = {
locations."/" = {
proxyPass = "https://${config.containers.mattermost-staging.localAddress}:4000";
};
forceSSL = true;
enableACME = true;
};
}
Reference in a new issue Copy permalink