kanidm & mattermost-staging: dirty hacking

this doesn't work; kanidm seems to give a different userinfo from what
mattermost wants …

parsons/configuration.nix

@@ -19,6 +19,7 @@
     ./tracktrain.nix
     ./uffd.nix
     ./lxc.nix
+    ./mattermost-s4f.nix
   ];
 
   hacc.bindToPersist = [ "/var/lib/acme" ];

parsons/mattermost-s4f.nix

@@ -0,0 +1,215 @@
+{ config, lib, pkgs, evalConfig, ... }:
+
+{
+  sops.secrets = {
+    "mattermost-s4f/env" = {};
+  };
+
+  containers.mattermost-staging = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.11";
+    localAddress = "192.168.100.13";
+    ephemeral = true;
+
+    bindMounts = {
+      "/persist" = {
+        hostPath = "/persist/containers/mattermost-s4f";
+        isReadOnly = false;
+      };
+      "/secrets".hostPath = "/run/secrets/mattermost-s4f";
+      "/cert".hostPath = "/var/lib/acme/kanidm.infra4future.de";
+    };
+
+    path = evalConfig ({ config, lib, pkgs, ... }: {
+      systemd.services.mattermost.serviceConfig.EnvironmentFile =
+        lib.mkForce "/secrets/env";
+
+      services.mattermost = {
+        enable = true;
+        siteUrl = "https://mattermost-staging.infra4future.de";
+        siteName = "Mattermost for testing";
+        listenAddress = "0.0.0.0:3000";
+        mutableConfig = false;
+
+        statePath = "/persist/mattermost";
+
+        extraConfig = {
+          ServiceSettings = {
+            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+            ReadTimeout = 300;
+            WriteTimeout = 600;
+            IdleTimeout = 60;
+            MaximumLoginAttempts = 10;
+            AllowCorsFrom = "*.infra4future.de/*";
+            WebserverMode = "gzip";
+            EnableCustomEmoji = true;
+            EnableEmojiPicker = true;
+            EnableGifPicker = false;
+            RestrictCustomEmojiCreation = "all";
+            RestrictPostDelete = "all";
+            AllowEditPost = "always";
+            PostEditTimeout = -1;
+            EnableTutorial = false;
+            ExperimentalChannelSidebarOrganization = "default_on";
+            ExperimentalChannelOrganization = true;
+            ExperimentalDataPrefetch = true;
+            EnableEmailInvitations = true;
+            DisableLegacyMFA = true;
+            EnableSVGs = true;
+            EnableLaTeX = true;
+            ThreadAutoFollow = true;
+            EnableSecurityFixAlert = false;
+            CollapsedThreads = "default_on";
+          };
+          TeamSettings = {
+            EnableTeamCreation = true;
+            EnableUserCreation = true;
+            MaxUsersPerTeam = 250;
+            EnableOpenServer = false;
+            EnableUserDeactivation = true;
+            ExperimentalViewArchivedChannels = true;
+            ExperimentalEnableAutomaticReplies = true;
+          };
+          LogSettings = {
+            EnableConsole = true;
+            # note: for some reason this doesn't work (mattermost still sets it to DEBUG);
+            # it's also set in secrets.env, where for some reason it does
+            ConsoleLevel = "ERROR";
+            EnableDiagnostics = false;
+            EnableWebhookDebugging = false;
+          };
+          NotificationLogSettings = {
+            EnableConsole = true;
+            ConsoleLevel = "INFO";
+          };
+          PasswordSettings = {
+            MinimumLength = 10;
+            # turn of all the bullshit requirements
+            Lowercase = false;
+            Number = false;
+            Uppercase = false;
+            Symbol = false;
+          };
+          FileSettings = {
+            EnableFileAttachments = true;
+            MaxFileSize = 52428800;
+            DriverName = "local";
+            Directory = "/persist/mattermost/upload-storage";
+            EnablePublicLink = true;
+            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+          };
+          EmailSettings = {
+            EnableSignUpWithEmail = false;
+            EnableSignInWithEmail = false;
+            EnableSignInWithUsername = false;
+            SendEmailNotifications = true;
+            FeedbackName = "mattermost";
+            FeedbackEmail = "mattermost@infra4future.de";
+            ReplyToAddress = "mattermost@infra4future.de";
+            FeedbackOrganization = "∆infra4future.de";
+            EnableSMTPAuth = true;
+            SMTPUsername = "noreply@infra4future.de";
+            SMTPServer = "mail.hacc.space";
+            SMTPPort = "465";
+            SMTPServerTimeout = 10;
+            ConnectionSecurity = "TLS";
+          };
+          RateLimitSettings.Enable = false;
+          PrivacySettings = {
+            ShowEmailAddress = false;
+            ShowFullName = true;
+          };
+          # to disable the extra landing page advertising the app
+          NativeAppSettings = {
+            AppDownloadLink = "";
+            AndroidAppDownloadLink = "";
+            IosAppDownloadLink = "";
+          };
+          SupportSettings = {
+            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+            AboutLink = "https://infra4future.de";
+            SupportEmail = "info@infra4future.de";
+            CustomTermsOfServiceEnabled = false;
+            EnableAskCommunityLink = true;
+          };
+          AnnouncementSettings.EnableBanner = false;
+          GitLabSettings = {
+            Enable = true;
+            Id = "mattermost";
+            Scope = "users";
+            AuthEndpoint = "https://kanidm.infra4future.de/ui/oauth2";
+            TokenEndpoint = "https://kanidm.infra4future.de/oauth2/token";
+            UserApiEndpoint = "https://kanidm.infra4future.de/oauth2/openid/mattermost/userinfo";
+          };
+          # for some reason, these don't appear to be working; the startup
+          # process complaines and sets these back to en
+          LocalizationSettings = {
+            DefaultServerLocale = "de";
+            DefaultClientLocale = "de";
+            AvailableLocales = "de,en";
+          };
+          MessageExportSettings.EnableExport = false;
+          ComplianceSettings.Enable = false;
+          ClusterSettings.Enable = false;
+          MetricsSettings.Enable = false;
+          GuestAccountsSettings.Enable = false;
+          FeatureFlags.CollapsedThreads = true;
+        };
+
+        # eh, why not try it this time
+        localDatabaseCreate = true;
+      };
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "mattermost" ];
+        startAt = "*-*-* 23:45:00";
+        location = "/persist/backups/postgres";
+      };
+
+      services.kanidm = {
+        enableServer = true;
+        serverSettings = {
+          bindaddress = "[::]:4000";
+          domain = "kanidm.infra4future.de";
+          origin = "https://kanidm.infra4future.de";
+          tls_chain = "/cert/fullchain.pem";
+          tls_key = "/cert/key.pem";
+        };
+      };
+
+      environment.systemPackages = [ pkgs.kanidm ];
+
+      # can't configure db location because of hardening options
+      # https://github.com/NixOS/nixpkgs/pull/143134/files#r800231100
+      hacc.bindToPersist = [ "/var/lib/kanidm" ];
+
+      services.postgresql.package = pkgs.postgresql;
+    });
+  };
+
+  services.nginx.virtualHosts."mattermost-staging.infra4future.de" = {
+    locations."/" = {
+      proxyPass = "http://${config.containers.mattermost-staging.localAddress}:3000";
+      proxyWebsockets = true;
+      extraConfig = ''
+        # Mattermost CSR Patch
+        proxy_hide_header Content-Security-Policy;
+        proxy_hide_header X-Frame-Options;
+        proxy_redirect off;
+      '';
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+  services.nginx.virtualHosts."kanidm.infra4future.de" = {
+    locations."/" = {
+      proxyPass = "https://${config.containers.mattermost-staging.localAddress}:4000";
+
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+
+}

pkgs/default.nix

@@ -21,6 +21,8 @@ let
     uffd = oldstable.callPackage ./uffd { };
 
     inherit (oldstable) uwsgi flask;
+
+    inherit (unstable) kanidm;
   };
 
 in pkgs.extend(_: _: newpkgs)

secrets.yaml

@@ -2,6 +2,8 @@ hedgedoc-hacc:
     env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
 mattermost:
     env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
+mattermost-s4f:
+    env: ENC[AES256_GCM,data:QFS3D/KXIZy9NJ7cocGKXRCvFLHIaLysnLr3OKWU4VoqRX/yykxGbVTOaC/li0s1bsbnm46xKKWzvnrZjMxj+xjItlpNcII4+Z0=,iv:Qj6+AFG/+HpTB8zBXcQF3PdfLo+ZybTRFCGIMpK3Tuw=,tag:BK7FaXUoWcEcttVE6crNhg==,type:str]
 tracktrain:
     env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
 vaultwarden:
@@ -98,8 +100,8 @@ sops:
             bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
             S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-28T14:09:53Z"
-    mac: ENC[AES256_GCM,data:d0DlofJdafS2t0FLd+3wb8XC6GIhGqHjT0kc6th2axirYCiFX22okD0MCWhDT2+T8NRe0c4wLOKuS1EOgmjZYjGIVZ2Hhf/at00VMkPM2koemCpR0zLSfrBGrcY8VkBQ2s5UgU2L9O7nD0KBdPoruRo0MRbcwrCzOX+sBk24yaQ=,iv:V5C1wK9zeMcT6E9sZSUtofNpToKi5xkiG/HesozOE5c=,tag:XihqjZnOB7G3gi2FpJHpJg==,type:str]
+    lastmodified: "2024-03-11T00:55:56Z"
+    mac: ENC[AES256_GCM,data:JccZYv1R0dxH64o7imEcL+/lat1GpipChoOVpRhcQsjNteEkmhp8lzLto1+P7kQNiKtutsfNedLKw/THQMDk3MuTneOPO93PeQwzwBLqM3lDLVecIndUV9ARZ1B1W/687aUMbPGMYWODbe3loQMNrtT0WoPp8otWjUSfp0/W31E=,iv:UqFxIeGH3xXMdK9LJHyiQmC1AtiLfX+CAMBKfAhEBMg=,tag:9wBmdUaJOykcyFnxkFvJGw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1