From 285a8e6a8e73dd1e102b5402fba2c76dcf70575a Mon Sep 17 00:00:00 2001
From: stuebinm <stuebinm@disroot.org>
Date: Sun, 19 May 2024 23:26:53 +0200
Subject: [PATCH] mattermost: switch to postgresql

this depends on a whole lot of imperative nonsense being done at the
same time, which i have done.

of special interest to anyone attempting to understand this is
 https://docs.mattermost.com/deploy/postgres-migration.html
for the general shape of incompetence at work,
 https://docs.mattermost.com/install/setting-up-socket-based-mattermost-database.html#with-unix-socket
for yet another interesting syntax for database connection strings, and
 https://github.com/dimitri/pgloader/issues/782#issuecomment-502323324
for a truly astonishing take on how to do database migrations, which
unfortunately i have followed.

As far as I can tell, everything has kept working. Downtime was mostly
spent understanding connection string syntax and their horribly buggy
parsers.

Note for people with server access:
 - i have kept the temporary files (including logs) around in
   /persist/migration inside the container should we ever need them
   again
 - there's a zfs snapshot @pre-postgres with the old state
---
 parsons/mattermost.nix | 24 ++++++++++++++++++------
 secrets.yaml           |  6 +++---
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/parsons/mattermost.nix b/parsons/mattermost.nix
index 56883a0..2b32b49 100644
--- a/parsons/mattermost.nix
+++ b/parsons/mattermost.nix
@@ -164,7 +164,8 @@
           MetricsSettings.Enable = false;
           GuestAccountsSettings.Enable = false;
           FeatureFlags.CollapsedThreads = true;
-          SqlSettings.DriverName = "mysql";
+          SqlSettings.DriverName = "postgres";
+          SqlSettings.DataSource = "postgres:///mattermost?host=/run/postgresql";
         };
 
         # turn of the weirder parts of this module (which insist on passwords
@@ -175,15 +176,26 @@
         localDatabaseCreate = false;
       };
 
-      services.mysql = {
-        enable = true;
+      services.postgresql = {
+        enable = lib.mkForce true; # mattermost sets this to false. wtf.
+        package = pkgs.postgresql_15;
         ensureDatabases = [ "mattermost" ];
         ensureUsers = [ {
           name = "mattermost";
-          ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
+          ensureDBOwnership = true;
         } ];
-        package = pkgs.mysql80;
-        dataDir = "/persist/mysql";
+
+        authentication = lib.mkForce ''
+          # Generated file; do not edit!
+          local all all trust
+        '';
+      };
+
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "mattermost" ];
+        startAt = "*-*-* 23:45:00";
+        location = "/persist/backups/postgres";
       };
     };
   };
diff --git a/secrets.yaml b/secrets.yaml
index 75263e7..e9e82ca 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,7 +1,7 @@
 hedgedoc-hacc:
     env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
 mattermost:
-    env: ENC[AES256_GCM,data:L9GBhCvdHUKlDQ1J3uvEqVziv9yCCISycexyTo/U0Hx8vPVk3TAEOk8zP23XAUsHNEE2L0ibzHBTVAMiXMmFkiuyxlmLqfRemZ3cm4eXMPP8Wks+5d9yFKLYAaQgjpFUEOX5k+FHvN3+ADs/zTBT7LRWIKtga4yr14VfXAzmde2TFZM30Fdoj24EBdgaCjuh4FC9GMmivT/PtCX5s87c3O48EM993llhINVtnYxCLItunBCax/PQX2duVrvYg8FA6ldH6rUOy1fPtWVR8Vs9loSsTnK2AkrRKOzqKxU+lkQENHIGrHWhcl2toPAgeE5on//9tMpZVwYwJrubvAa2luikVEdAnjSQh3Co4bVSECzQTqp6pkm4gzgwagn3rSdbR40=,iv:auCnnA6+35LTW7E/0AWWwjh6Jmq/Y57MjiBKI8aJb9U=,tag:/7fAqyG87CxekN/QVKrLsg==,type:str]
+    env: ENC[AES256_GCM,data:ftWpGl6+sUMzJJKgfcPLvbFGGn16AKUPzPn8X6DNVMLrxZIkQ23Tk3ekKLKFpQEUtQfFjVlrTfFZezWKs4nVNLg2LmQqJNGMCCax5PRwAgoAsJ7pa9ewNmHT+EIXtZEjQgVfN5786Yno5n/6JJ1lz6EiGmdn7/0rF5TLGjzig17azazS1+lkIYY=,iv:SZvGGKpVRI/odHbmgY8M6t6zCk8RgM+7EQEgRiizglA=,tag:cInsVo/QD85m+LxldyRlnA==,type:str]
 tracktrain:
     env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
 vaultwarden:
@@ -100,8 +100,8 @@ sops:
             bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
             S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T12:29:13Z"
-    mac: ENC[AES256_GCM,data:Gt1UQy531A9YguKSWzgq2+EKATY2yqE7lCtG9+BYCCB2idMq6bNbKoLn5+kUTv/4y4P/4mgeTdMqdUDrF3nUTqpyyiE0U1I/B9z05iN1Xo5rnEOswX2TvT+br838vw4ueIk/4EmXlRyYRYJi/kTRtBcnYfDjbIYVE0JVkHutjmc=,iv:xsZAJlZCvGWoov1DRx4obt+OQeDMnU+OqCI3/1mzz5c=,tag:+MALy05C1hEUeODC0VcUEg==,type:str]
+    lastmodified: "2024-05-19T21:17:46Z"
+    mac: ENC[AES256_GCM,data:rzxX2fl+EQbhQUcmr6lKoYcUpAb1G3IKjsJJjCrMKN5t4oevI85GtTU3Q+pLrIFLjfkgIV8yiNH4usg0ghtoahQUkrnlZxkOoCktfgM67hRcUniY8UUxY4HqFFK3KzXFqc8Q4vXrerQgJy87Xg+ret9wCQXBbM3AB+B1fsmLE9s=,iv:pm1FakBlOFibps6R5kXMUq+IEl074mEmRIQmdeDxPs4=,tag:hQsV0NZNgDGYjFOK7+SKqg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1