From 52f9f2d64c6aad0104c1801299a7c2c5f985c670 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sat, 15 Oct 2022 20:10:29 +0200
Subject: [PATCH] get rid of mattermost-patched module

this does a couple things:
- redo mattermost's secret config as an env file passed to systemd
- get rid of modules/mattermost.nix and use upstream module instead
- move some of the stuff in secret.json which don't need to be there into nix (e.g. smtp port)

Also, I set the log level to ERROR in the env file. Mattermost doesn't seem to respect it otherwise *shrug*
---
 modules/mattermost.nix | 251 ----------------------------------------
 services/mattermost.nix | 12 +-
 2 files changed, 9 insertions(+), 254 deletions(-)
 delete mode 100644 modules/mattermost.nix

diff --git a/modules/mattermost.nix b/modules/mattermost.nix
deleted file mode 100644
index 122abce..0000000
--- a/modules/mattermost.nix
+++ /dev/null
@@ -1,251 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
- let
-
- cfg = config.services.mattermost-patched;
-
- database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10";
-
- mattermostConf = foldl recursiveUpdate {}
- [ { ServiceSettings.SiteURL = cfg.siteUrl;
- ServiceSettings.ListenAddress = cfg.listenAddress;
- TeamSettings.SiteName = cfg.siteName;
- }
- cfg.extraConfig
- ];
-
- mattermostConfJSON = pkgs.writeText "mattermost-config-raw.json" (builtins.toJSON mattermostConf);
-
-in
-
-{
- options = {
- services.mattermost-patched = {
- enable = mkEnableOption "Mattermost chat server";
-
- statePath = mkOption {
- type = types.str;
- default = "/var/lib/mattermost";
- description = "Mattermost working directory";
- };
-
- siteUrl = mkOption {
- type = types.str;
- example = "https://chat.example.com";
- description = ''
- URL this Mattermost instance is reachable under, without trailing slash.
- '';
- };
-
- siteName = mkOption {
- type = types.str;
- default = "Mattermost";
- description = "Name of this Mattermost site.";
- };
-
- listenAddress = mkOption {
- type = types.str;
- default = ":8065";
- example = "[::1]:8065";
- description = ''
- Address and port this Mattermost instance listens to.
- '';
- };
-
- mutableConfig = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether the Mattermost config.json is writeable by Mattermost.
-
- Most of the settings can be edited in the system console of
- Mattermost if this option is enabled. A template config using
- the options specified in services.mattermost will be generated
- but won't be overwritten on changes or rebuilds.
-
- If this option is disabled, changes in the system console won't
- be possible (default). If an config.json is present, it will be
- overwritten!
- '';
- };
-
- extraConfig = mkOption {
- type = types.attrs;
- default = { };
- description = ''
- Addtional configuration options as Nix attribute set in config.json schema.
- '';
- };
-
- secretConfig = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- Path to a json file containing secret config values, which should
- not be written into the Nix store. If it is not null (the default)
- and mutableConfig is set to false, then the mattermost service will
- join the file at this path into its config.
-
- Note that this file cannot be used to overwrite values already
- specified by the other options of this module.
- '';
- };
-
- localDatabaseCreate = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Create a local PostgreSQL database for Mattermost automatically.
- '';
- };
-
- localDatabaseName = mkOption {
- type = types.str;
- default = "mattermost";
- description = ''
- Local Mattermost database name.
- '';
- };
-
- localDatabaseUser = mkOption {
- type = types.str;
- default = "mattermost";
- description = ''
- Local Mattermost database username.
- '';
- };
-
- localDatabasePassword = mkOption {
- type = types.str;
- default = "mmpgsecret";
- description = ''
- Password for local Mattermost database user.
- '';
- };
-
- user = mkOption {
- type = types.str;
- default = "mattermost";
- description = ''
- User which runs the Mattermost service.
- '';
- };
-
- group = mkOption {
- type = types.str;
- default = "mattermost";
- description = ''
- Group which runs the Mattermost service.
- '';
- };
-
- matterircd = {
- enable = mkEnableOption "Mattermost IRC bridge";
- parameters = mkOption {
- type = types.listOf types.str;
- default = [ ];
- example = [ "-mmserver chat.example.com" "-bind [::]:6667" ];
- description = ''
- Set commandline parameters to pass to matterircd. See
- https://github.com/42wim/matterircd#usage for more information.
- '';
- };
- };
- };
- };
-
- config = mkMerge [
- (mkIf cfg.enable {
- users.users = optionalAttrs (cfg.user == "mattermost") {
- mattermost = {
- group = cfg.group;
- uid = config.ids.uids.mattermost;
- home = cfg.statePath;
- };
- };
-
- users.groups = optionalAttrs (cfg.group == "mattermost") {
- mattermost.gid = config.ids.gids.mattermost;
- };
-
- services.postgresql.enable = cfg.localDatabaseCreate;
-
- # The systemd service will fail to execute the preStart hook
- # if the WorkingDirectory does not exist
- system.activationScripts.mattermost = ''
- mkdir -p ${cfg.statePath}
- '';
-
- systemd.services.mattermost = {
- description = "Mattermost chat service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" ];
-
- preStart = ''
- mkdir -p ${cfg.statePath}/{data,config,logs}
- ln -sf ${pkgs.mattermost}/{bin,fonts,i18n,templates,client} ${cfg.statePath}
- '' + lib.optionalString (!cfg.mutableConfig) ''
- rm -f ${cfg.statePath}/config/config.json
- '' + (if cfg.secretConfig == null
- then ''
- cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
- ''
- else ''
- ${pkgs.jq}/bin/jq -s ".[1] * .[0]" ${cfg.secretConfig} ${mattermostConfJSON} > ${cfg.statePath}/config/config.json
- '')
- + ''
- ${pkgs.mattermost}/bin/mattermost config migrate ${cfg.statePath}/config/config.json ${database}
- '' + lib.optionalString cfg.mutableConfig ''
- if ! test -e "${cfg.statePath}/config/.initial-created"; then
- rm -f ${cfg.statePath}/config/config.json
- cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
- touch ${cfg.statePath}/config/.initial-created
- fi
- '' + lib.optionalString cfg.localDatabaseCreate ''
- if ! test -e "${cfg.statePath}/.db-created"; then
- ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
- ${config.services.postgresql.package}/bin/psql postgres -c \
- "CREATE ROLE ${cfg.localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.localDatabasePassword}'"
- ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
- ${config.services.postgresql.package}/bin/createdb \
- --owner ${cfg.localDatabaseUser} ${cfg.localDatabaseName}
- touch ${cfg.statePath}/.db-created
- fi
- '' + ''
- chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}
- chmod u+rw,g+r,o-rwx -R ${cfg.statePath}
- '';
-
- serviceConfig = {
- PermissionsStartOnly = true;
- User = cfg.user;
- Group = cfg.group;
- ExecStart = "${pkgs.mattermost}/bin/mattermost" +
- (if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
- WorkingDirectory = "${cfg.statePath}";
- Restart = "always";
- RestartSec = "10";
- LimitNOFILE = "49152";
- };
- unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service";
- };
- })
- (mkIf cfg.matterircd.enable {
- systemd.services.matterircd = {
- description = "Mattermost IRC bridge service";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- User = "nobody";
- Group = "nogroup";
- ExecStart = "${pkgs.matterircd}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}";
- WorkingDirectory = "/tmp";
- PrivateTmp = true;
- Restart = "always";
- RestartSec = "5";
- };
- };
- })
- ];
-}
diff --git a/services/mattermost.nix b/services/mattermost.nix
index debc1a2..b70d234 100644
--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@@ -22,7 +22,6 @@ in {
 users.users.root.hashedPassword = "";
 
 imports = [
- ../modules/mattermost.nix
 ((import sources.nix-hexchen) {}).profiles.nopersist
 ];
@@ -35,16 +34,18 @@ in {
 interface = "eth0";
 };
 
+ systemd.services.mattermost.serviceConfig.EnvironmentFile =
+ "/persist/mattermost/secrets.env";
+
 # couldn't figure out how to actually overwrite modules, so now
 # there's two mattermost modules ...
- services.mattermost-patched = {
+ services.mattermost = {
 enable = true;
 siteUrl = "https://mattermost.infra4future.de";
 siteName = "Mattermost for Future";
 listenAddress = "0.0.0.0:3000";
 mutableConfig = false;
- secretConfig = "/persist/mattermost/secrets.json";
 statePath = "/persist/mattermost";
 extraConfig = {
@@ -86,6 +87,8 @@ in {
 };
 LogSettings = {
 EnableConsole = true;
+ # note: for some reason this doesn't work (mattermost still sets it to DEBUG);
+ # it's also set in secrets.env, where for some reason it does
 ConsoleLevel = "ERROR";
 EnableDiagnostics = false;
 EnableWebhookDebugging = false;
@@ -122,6 +125,9 @@ in {
 EnableSMTPAuth = true;
 SMTPUsername = "noreply@infra4future.de";
 SMTPServer = "mail.hacc.space";
+ SMTPPort = 465;
+ SMTPServerTimeout = 10;
+ ConnectionSecurity = "TLS";
 };
 RateLimitSettings.Enable = false;
 PrivacySettings = {
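Review bot: The new EnvironmentFile points at secrets.env inside statePath (`/persist/mattermost`), and the module this commit deletes ran `chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}` and `chmod u+rw,g+r,o-rwx -R ${cfg.statePath}` in preStart; if the upstream module does the same, the secrets file ends up owned by the service user and group-readable instead of root-only. systemd reads EnvironmentFile= itself before dropping to User=, so the file can stay root-owned and mode 0600 — keeping it outside the recursively chown'd state directory, or at least documenting the expected ownership next to the assignment, e.g. `# read by systemd as root before User= applies; keep this file 0600 root:root`, would make the intent explicit. The `services.mattermost` attrset that this hunk renames continues past the end of the hunk.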
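Review bot: The added comment above `ConsoleLevel = "ERROR";` says the value is ineffective here and also set in secrets.env, but not which key there actually wins, so the two copies can drift without anyone noticing. Mattermost's `MM_<SECTION>_<KEY>` environment overrides presumably take precedence over the generated config.json, which would explain the observed behaviour; naming the variable makes the dependency visible, e.g. `# overridden by MM_LOGSETTINGS_CONSOLELEVEL in secrets.env (env wins over config.json); keep both in sync`. The enclosing `LogSettings` attrset continues past the end of the hunk.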