# NixOS module: Mattermost for s4f-conference.infra4future.de.
# Mattermost and its PostgreSQL database run inside a `hacc.containers`
# container; nginx on the host terminates TLS and proxies to the container.
{ config, lib, pkgs, ... }:

{
  # sops-managed secret holding environment variables for the Mattermost unit.
  # Presumably made available inside the container as /secrets/env through
  # `bindSecrets` below (confirm against the hacc.containers module).
  sops.secrets."s4f-conference/env" = { };

  hacc.containers.s4f-conference = {
    bindSecrets = true;

    # Module evaluated inside the container; its `config`, `lib` and `pkgs`
    # arguments shadow the host-level ones.
    config = { config, lib, pkgs, ... }: {
      # Force the unit to load its environment from the secret file. Mattermost
      # reads MM_* variables as configuration overrides, so values that must
      # stay out of the repository (and the world-readable Nix store) belong in
      # that file rather than in `extraConfig`.
      systemd.services.mattermost.serviceConfig = {
        EnvironmentFile = lib.mkForce "/secrets/env";
      };

      services = {
        mattermost = {
          enable = true;
          siteName = "Scientists for Future Chat";
          siteUrl = "https://s4f-conference.infra4future.de";

          # Plain HTTP on every IPv4 interface of the container; the host nginx
          # connects to the container's localAddress on this port. Anything
          # else that can reach the port bypasses nginx and can supply its own
          # proxy headers (see TrustedProxyIPHeader), so reachability of the
          # container address should stay limited to the host.
          listenAddress = "0.0.0.0:3000";

          statePath = "/persist/mattermost";

          # config.json is regenerated from this file on service start;
          # changes made in the System Console do not persist.
          mutableConfig = false;

          # PostgreSQL is provisioned by services.postgresql below.
          localDatabaseCreate = false;

          extraConfig = {
            ServiceSettings = {
              EnableEmailInvitations = true;
              # NOTE(review): these headers decide which client address
              # Mattermost records. If the proxy appends to a client-supplied
              # X-Forwarded-For instead of overwriting it, that address may be
              # client-controlled. The nginx proxy header settings are not
              # visible in this file; verify them.
              TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            };

            # Accounts can be created, but the server is not open: sign-up
            # requires an invitation.
            TeamSettings = {
              EnableOpenServer = false;
              EnableUserCreation = true;
              EnableUserDeactivation = true;
            };

            # Only the minimum length is set here.
            PasswordSettings.MinimumLength = 10;

            FileSettings = {
              DriverName = "local";
              Directory = "/persist/upload-storage";
              EnableFileAttachments = true;
              MaxFileSize = 52428800; # 50 MiB
              # Public links make uploaded files retrievable without a login.
              EnablePublicLink = true;
              # NOTE(review): this salt is a secret that keys the public-link
              # hashes, yet it is committed in plaintext here. Consider rotating
              # it and supplying it through the EnvironmentFile
              # (MM_FILESETTINGS_PUBLICLINKSALT). Rotation invalidates existing
              # public links. Do not simply drop the value: with
              # mutableConfig = false a generated salt would presumably not
              # survive a restart.
              PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
            };

            # Outgoing mail over implicit TLS (port 465) with SMTP auth.
            # No SMTP password appears in this file; presumably it comes from
            # the EnvironmentFile (confirm).
            EmailSettings = {
              EnableSignUpWithEmail = true;
              EnableSignInWithEmail = true;
              EnableSignInWithUsername = true;
              SendEmailNotifications = true;

              FeedbackName = "mattermost";
              FeedbackEmail = "mattermost@infra4future.de";
              FeedbackOrganization = "∆infra4future.de";
              ReplyToAddress = "mattermost@infra4future.de";

              SMTPServer = "mail.hacc.space";
              SMTPPort = "465";
              ConnectionSecurity = "TLS";
              EnableSMTPAuth = true;
              SMTPUsername = "noreply@infra4future.de";
              SMTPServerTimeout = 10;
            };

            # NOTE(review): Mattermost's built-in API rate limiting is off while
            # password sign-in is enabled. Nothing visible in this file
            # throttles login attempts; confirm a limit is enforced at nginx or
            # elsewhere, or enable it here.
            RateLimitSettings = { Enable = false; };

            PrivacySettings = {
              ShowFullName = true;
              ShowEmailAddress = false;
            };

            # Empty links disable the extra landing page advertising the app.
            NativeAppSettings = {
              AppDownloadLink = "";
              AndroidAppDownloadLink = "";
              IosAppDownloadLink = "";
            };

            # Only ERROR-level lines reach the console log; lower-severity
            # events will not be available when investigating an incident.
            LogSettings = {
              EnableConsole = true;
              ConsoleLevel = "ERROR";
              EnableDiagnostics = false;
              EnableWebhookDebugging = false;
            };

            SupportSettings = {
              AboutLink = "https://infra4future.de";
              SupportEmail = "info@infra4future.de";
              TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
              PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
              CustomTermsOfServiceEnabled = false;
              EnableAskCommunityLink = true;
            };

            AnnouncementSettings = { EnableBanner = false; };
            ComplianceSettings = { Enable = false; };
            ClusterSettings = { Enable = false; };
            MetricsSettings = { Enable = false; };
            GuestAccountsSettings = { Enable = true; };
          };
        };

        postgresql = {
          # Forced on: per the original author's note, the mattermost module
          # sets this to false.
          enable = lib.mkForce true;
          package = pkgs.postgresql_15;

          ensureDatabases = [ "mattermost" ];
          ensureUsers = [
            {
              ensureDBOwnership = true;
              name = "mattermost";
            }
          ];

          # Replaces the generated pg_hba rules.
          # NOTE(review): `trust` performs no authentication. Any process in
          # the container can connect over the Unix socket as any role
          # (superuser included), and over ::1 as `mattermost`. That is
          # tolerable only while nothing else runs in this container; `peer` on
          # the `local` line would be narrower. Confirm what relies on socket
          # trust before tightening.
          authentication = lib.mkForce ''
            # Generated file; do not edit!
            local all all trust
            host mattermost mattermost ::1/128 trust
          '';
        };

        # Nightly dump of the mattermost database at 23:45. The dumps hold the
        # complete database contents, so this directory and anything that
        # copies it off-host need the same protection as the live database.
        postgresqlBackup = {
          enable = true;
          startAt = "*-*-* 23:45:00";
          location = "/persist/backups/postgres";
          databases = [ "mattermost" ];
        };
      };
    };
  };

  # Host-side reverse proxy: HTTPS is forced with an ACME certificate, and
  # traffic is forwarded over plain HTTP to the container.
  services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyWebsockets = true;
      proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
      # NOTE(review): the snippet below strips the Content-Security-Policy and
      # X-Frame-Options headers sent by Mattermost, and nothing visible here
      # adds replacements, so responses carry no framing restriction. If the
      # goal is to allow embedding on specific sites, a Content-Security-Policy
      # `frame-ancestors` directive listing those origins is narrower than
      # removing both headers.
      extraConfig = ''
        # Mattermost CSR Patch
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header X-Frame-Options;
        proxy_redirect off;
      '';
    };
  };
}