diff --git a/parsons/configuration.nix b/parsons/configuration.nix
index c6fe455..61833c7 100644
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@@ -19,6 +19,7 @@
 ./tracktrain.nix
 ./uffd.nix
 ./lxc.nix
+ ./mattermost-s4f.nix
 ];
 hacc.bindToPersist = [ "/var/lib/acme" ];
diff --git a/parsons/mattermost-s4f.nix b/parsons/mattermost-s4f.nix
new file mode 100644
index 0000000..1155505
--- /dev/null
+++ b/parsons/mattermost-s4f.nix
@@ -0,0 +1,215 @@
+{ config, lib, pkgs, evalConfig, ... }:
+
+{
+ sops.secrets = {
+ "mattermost-s4f/env" = {};
+ };
+
+ containers.mattermost-staging = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.11";
+ localAddress = "192.168.100.13";
+ ephemeral = true;
+
+ bindMounts = {
+ "/persist" = {
+ hostPath = "/persist/containers/mattermost-s4f";
+ isReadOnly = false;
+ };
+ "/secrets".hostPath = "/run/secrets/mattermost-s4f";
+ "/cert".hostPath = "/var/lib/acme/kanidm.infra4future.de";
+ };
+
+ path = evalConfig ({ config, lib, pkgs, ... }: {
+ systemd.services.mattermost.serviceConfig.EnvironmentFile =
+ lib.mkForce "/secrets/env";
+
+ services.mattermost = {
+ enable = true;
+ siteUrl = "https://mattermost-staging.infra4future.de";
+ siteName = "Mattermost for testing";
+ listenAddress = "0.0.0.0:3000";
+ mutableConfig = false;
+
+ statePath = "/persist/mattermost";
+
+ extraConfig = {
+ ServiceSettings = {
+ TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+ ReadTimeout = 300;
+ WriteTimeout = 600;
+ IdleTimeout = 60;
+ MaximumLoginAttempts = 10;
+ AllowCorsFrom = "*.infra4future.de/*";
+ WebserverMode = "gzip";
+ EnableCustomEmoji = true;
+ EnableEmojiPicker = true;
+ EnableGifPicker = false;
+ RestrictCustomEmojiCreation = "all";
+ RestrictPostDelete = "all";
+ AllowEditPost = "always";
+ PostEditTimeout = -1;
+ EnableTutorial = false;
+ ExperimentalChannelSidebarOrganization = "default_on";
+ ExperimentalChannelOrganization = true;
+ ExperimentalDataPrefetch = true;
+ EnableEmailInvitations = true;
+ DisableLegacyMFA = true;
+ EnableSVGs = true;
+ EnableLaTeX = true;
+ ThreadAutoFollow = true;
+ EnableSecurityFixAlert = false;
+ CollapsedThreads = "default_on";
+ };
+ TeamSettings = {
+ EnableTeamCreation = true;
+ EnableUserCreation = true;
+ MaxUsersPerTeam = 250;
+ EnableOpenServer = false;
+ EnableUserDeactivation = true;
+ ExperimentalViewArchivedChannels = true;
+ ExperimentalEnableAutomaticReplies = true;
+ };
+ LogSettings = {
+ EnableConsole = true;
+ # note: for some reason this doesn't work (mattermost still sets it to DEBUG);
+ # it's also set in secrets.env, where for some reason it does
+ ConsoleLevel = "ERROR";
+ EnableDiagnostics = false;
+ EnableWebhookDebugging = false;
+ };
+ NotificationLogSettings = {
+ EnableConsole = true;
+ ConsoleLevel = "INFO";
+ };
+ PasswordSettings = {
+ MinimumLength = 10;
+ # turn of all the bullshit requirements
+ Lowercase = false;
+ Number = false;
+ Uppercase = false;
+ Symbol = false;
+ };
+ FileSettings = {
+ EnableFileAttachments = true;
+ MaxFileSize = 52428800;
+ DriverName = "local";
+ Directory = "/persist/mattermost/upload-storage";
+ EnablePublicLink = true;
+ PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+ };
+ EmailSettings = {
+ EnableSignUpWithEmail = false;
+ EnableSignInWithEmail = false;
+ EnableSignInWithUsername = false;
+ SendEmailNotifications = true;
+ FeedbackName = "mattermost";
+ FeedbackEmail = "mattermost@infra4future.de";
+ ReplyToAddress = "mattermost@infra4future.de";
+ FeedbackOrganization = "∆infra4future.de";
+ EnableSMTPAuth = true;
+ SMTPUsername = "noreply@infra4future.de";
+ SMTPServer = "mail.hacc.space";
+ SMTPPort = "465";
+ SMTPServerTimeout = 10;
+ ConnectionSecurity = "TLS";
+ };
+ RateLimitSettings.Enable = false;
+ PrivacySettings = {
+ ShowEmailAddress = false;
+ ShowFullName = true;
+ };
+ # to disable the extra landing page advertising the app
+ NativeAppSettings = {
+ AppDownloadLink = "";
+ AndroidAppDownloadLink = "";
+ IosAppDownloadLink = "";
+ };
+ SupportSettings = {
+ TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+ PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+ AboutLink = "https://infra4future.de";
+ SupportEmail = "info@infra4future.de";
+ CustomTermsOfServiceEnabled = false;
+ EnableAskCommunityLink = true;
+ };
+ AnnouncementSettings.EnableBanner = false;
+ GitLabSettings = {
+ Enable = true;
+ Id = "mattermost";
+ Scope = "users";
+ AuthEndpoint = "https://kanidm.infra4future.de/ui/oauth2";
+ TokenEndpoint = "https://kanidm.infra4future.de/oauth2/token";
+ UserApiEndpoint = "https://kanidm.infra4future.de/oauth2/openid/mattermost/userinfo";
+ };
+ # for some reason, these don't appear to be working; the startup
+ # process complaines and sets these back to en
+ LocalizationSettings = {
+ DefaultServerLocale = "de";
+ DefaultClientLocale = "de";
+ AvailableLocales = "de,en";
+ };
+ MessageExportSettings.EnableExport = false;
+ ComplianceSettings.Enable = false;
+ ClusterSettings.Enable = false;
+ MetricsSettings.Enable = false;
+ GuestAccountsSettings.Enable = false;
+ FeatureFlags.CollapsedThreads = true;
+ };
+
+ # eh, why not try it this time
+ localDatabaseCreate = true;
+ };
+ services.postgresqlBackup = {
+ enable = true;
+ databases = [ "mattermost" ];
+ startAt = "*-*-* 23:45:00";
+ location = "/persist/backups/postgres";
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ serverSettings = {
+ bindaddress = "[::]:4000";
+ domain = "kanidm.infra4future.de";
+ origin = "https://kanidm.infra4future.de";
+ tls_chain = "/cert/fullchain.pem";
+ tls_key = "/cert/key.pem";
+ };
+ };
+
+ environment.systemPackages = [ pkgs.kanidm ];
+
+ # can't configure db location because of hardening options
+ # https://github.com/NixOS/nixpkgs/pull/143134/files#r800231100
+ hacc.bindToPersist = [ "/var/lib/kanidm" ];
+
+ services.postgresql.package = pkgs.postgresql;
+ });
+ };
+
+ services.nginx.virtualHosts."mattermost-staging.infra4future.de" = {
+ locations."/" = {
+ proxyPass = "http://${config.containers.mattermost-staging.localAddress}:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ # Mattermost CSR Patch
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_redirect off;
+ '';
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+ services.nginx.virtualHosts."kanidm.infra4future.de" = {
+ locations."/" = {
+ proxyPass = "https://${config.containers.mattermost-staging.localAddress}:4000";
+
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index cec7f43..a61ca5a 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -21,6 +21,8 @@ let
 uffd = oldstable.callPackage ./uffd { };
 inherit (oldstable) uwsgi flask;
+
+ inherit (unstable) kanidm;
 };
 in pkgs.extend(_: _: newpkgs)
diff --git a/secrets.yaml b/secrets.yaml
index 67a6e43..b2dfeda 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -2,6 +2,8 @@ hedgedoc-hacc:
 env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
 mattermost:
 env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
+mattermost-s4f:
+ env: ENC[AES256_GCM,data:QFS3D/KXIZy9NJ7cocGKXRCvFLHIaLysnLr3OKWU4VoqRX/yykxGbVTOaC/li0s1bsbnm46xKKWzvnrZjMxj+xjItlpNcII4+Z0=,iv:Qj6+AFG/+HpTB8zBXcQF3PdfLo+ZybTRFCGIMpK3Tuw=,tag:BK7FaXUoWcEcttVE6crNhg==,type:str]
 tracktrain:
 env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
 vaultwarden:
@@ -98,8 +100,8 @@ sops:
 bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
 S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-28T14:09:53Z"
- mac: ENC[AES256_GCM,data:d0DlofJdafS2t0FLd+3wb8XC6GIhGqHjT0kc6th2axirYCiFX22okD0MCWhDT2+T8NRe0c4wLOKuS1EOgmjZYjGIVZ2Hhf/at00VMkPM2koemCpR0zLSfrBGrcY8VkBQ2s5UgU2L9O7nD0KBdPoruRo0MRbcwrCzOX+sBk24yaQ=,iv:V5C1wK9zeMcT6E9sZSUtofNpToKi5xkiG/HesozOE5c=,tag:XihqjZnOB7G3gi2FpJHpJg==,type:str]
+ lastmodified: "2024-03-11T00:55:56Z"
+ mac: ENC[AES256_GCM,data:JccZYv1R0dxH64o7imEcL+/lat1GpipChoOVpRhcQsjNteEkmhp8lzLto1+P7kQNiKtutsfNedLKw/THQMDk3MuTneOPO93PeQwzwBLqM3lDLVecIndUV9ARZ1B1W/687aUMbPGMYWODbe3loQMNrtT0WoPp8otWjUSfp0/W31E=,iv:UqFxIeGH3xXMdK9LJHyiQmC1AtiLfX+CAMBKfAhEBMg=,tag:9wBmdUaJOykcyFnxkFvJGw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1