services/mattermost: init on parsons
parent
1c65805589
commit
b23582a52f
4 changed files with 253 additions and 13 deletions
|
@ -2,13 +2,14 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../../common
|
../../common
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
modules.encboot
|
modules.encboot
|
||||||
modules.network.nftables modules.nftnat
|
modules.network.nftables modules.nftnat
|
||||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
|
||||||
../../services/nextcloud
|
../../services/nextcloud
|
||||||
|
../../services/mattermost.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
hexchen.encboot = {
|
hexchen.encboot = {
|
||||||
|
|
|
@ -16,8 +16,6 @@ let
|
||||||
[ { ServiceSettings.SiteURL = cfg.siteUrl;
|
[ { ServiceSettings.SiteURL = cfg.siteUrl;
|
||||||
ServiceSettings.ListenAddress = cfg.listenAddress;
|
ServiceSettings.ListenAddress = cfg.listenAddress;
|
||||||
TeamSettings.SiteName = cfg.siteName;
|
TeamSettings.SiteName = cfg.siteName;
|
||||||
SqlSettings.DriverName = "postgres";
|
|
||||||
SqlSettings.DataSource = database;
|
|
||||||
}
|
}
|
||||||
cfg.extraConfig
|
cfg.extraConfig
|
||||||
];
|
];
|
||||||
|
|
|
@ -11,10 +11,10 @@
|
||||||
"homepage": "https://nix-community.github.io/home-manager/",
|
"homepage": "https://nix-community.github.io/home-manager/",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "9c0abed5228d54aad120b4bc757b6f5935aeda1c",
|
"rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef",
|
||||||
"sha256": "05pfa26p9k1gpir9sniwg195cqqc9v6yp9b5f9hrjhlh3jm14bgq",
|
"sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nix-community/home-manager/archive/9c0abed5228d54aad120b4bc757b6f5935aeda1c.tar.gz",
|
"url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"mattermost-server": {
|
"mattermost-server": {
|
||||||
|
@ -23,7 +23,7 @@
|
||||||
"homepage": "https://mattermost.com",
|
"homepage": "https://mattermost.com",
|
||||||
"owner": "mattermost",
|
"owner": "mattermost",
|
||||||
"repo": "mattermost-server",
|
"repo": "mattermost-server",
|
||||||
"rev": "37b1e6d048fc8302c727c3bc7ce73ac32c2ba93c",
|
"rev": "a5463c865195d0f286de63d57782ef997c270e93",
|
||||||
"sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79",
|
"sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz",
|
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz",
|
||||||
|
@ -80,10 +80,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "382039c05a16827a7f0731183e862366b66b422f",
|
"rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf",
|
||||||
"sha256": "08mvanp4400zfz1knyxsjhkc7ryjlaa9awcg763ghj235wk6mlld",
|
"sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nixos/nixpkgs/archive/382039c05a16827a7f0731183e862366b66b422f.tar.gz",
|
"url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
|
@ -92,10 +92,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8ecc61c91a596df7d3293603a9c2384190c1b89a",
|
"rev": "c464dc811babfe316ed4ab7bbc12351122e69dd7",
|
||||||
"sha256": "0vhajylsmipjkm5v44n2h0pglcmpvk4mkyvxp7qfvkjdxw21dyml",
|
"sha256": "0aij4q6pc99xjqh0inv6z74wiqfdgxnbg7jli6gnjqxg2lcirrc2",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nixos/nixpkgs/archive/8ecc61c91a596df7d3293603a9c2384190c1b89a.tar.gz",
|
"url": "https://github.com/nixos/nixpkgs/archive/c464dc811babfe316ed4ab7bbc12351122e69dd7.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"pbb-nixfiles": {
|
"pbb-nixfiles": {
|
||||||
|
|
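--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@@ -0,0 +1,241 @@
+{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
+
+{
+containers.mattermost = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.3";
+
+bindMounts = {
+"/persist" = {
+hostPath = "/persist/containers/mattermost";
+isReadOnly = false;
+};
+};
+
+path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+boot.isContainer = true;
+networking.useDHCP = false;
+users.users.root.hashedPassword = "";
+
+imports = [
+../modules/mattermost.nix
+((import sources.nix-hexchen) {}).profiles.nopersist
+];
+
+nixpkgs.config.allowUnfree = true;
+networking.firewall.enable = false;
+networking.defaultGateway = {
+address = "192.168.100.1";
+interface = "eth0";
+};
+
+# couldn't figure out how to actually overwrite modules, so now
+# there's two mattermost modules ...
+services.mattermost-patched = {
+enable = true;
+siteUrl = "https://mattermost.infra4future.de";
+siteName = "Mattermost - Blabla for Future";
+listenAddress = "0.0.0.0:3000";
+mutableConfig = false;
+
+secretConfig = "/persist/mattermost/secrets.json";
+statePath = "/persist/mattermost";
+
+extraConfig = {
+ServiceSettings = {
+TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+ReadTimeout = 300;
+WriteTimeout = 600;
+IdleTimeout = 60;
+MaximumLoginAttempts = 10;
+AllowCorsFrom = "*.infra4future.de/*";
+WebserverMode = "gzip";
+EnableCustomEmoji = true;
+EnableEmojiPicker = true;
+EnableGifPicker = false;
+RestrictCustomEmojiCreation = "all";
+RestrictPostDelete = "all";
+AllowEditPost = "always";
+PostEditTimeout = -1;
+EnableTutorial = false;
+ExperimentalChannelSidebarOrganization = "default_on";
+ExperimentalChannelOrganization = true;
+ExperimentalDataPrefetch = true;
+EnableEmailInvitations = true;
+DisableLegacyMFA = true;
+EnableSVGs = true;
+EnableLaTeX = true;
+ThreadAutoFollow = true;
+EnableSecurityFixAlert = false;
+};
+TeamSettings = {
+EnableTeamCreation = true;
+EnableUserCreation = true;
+EnableOpenServer = false;
+EnableUserDeactivation = true;
+ExperimentalViewArchivedChannels = true;
+ExperimentalEnableAutomaticReplies = true;
+};
+LogSettings = {
+EnableConsole = true;
+ConsoleLevel = "ERROR";
+EnableDiagnostics = false;
+EnableWebhookDebugging = false;
+};
+NotificationLogSettings = {
+EnableConsole = true;
+ConsoleLevel = "INFO";
+};
+PasswordSettings = {
+MinimumLength = 10;
+# turn of all the bullshit requirements
+Lowercase = false;
+Number = false;
+Uppercase = false;
+Symbol = false;
+};
+FileSettings = {
+EnableFileAttachments = true;
+MaxFileSize = 52428800;
+DriverName = "local";
+Directory = "/persist/mattermost/upload-storage";
+EnablePublicLink = true;
+PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+};
+EmailSettings = {
+EnableSignUpWithEmail = false;
+EnableSignInWithEmail = false;
+EnableSignInWithUsername = false;
+SendEmailNotifications = true;
+FeedbackName = "mattermost";
+FeedbackEmail = "mattermost@infra4future.de";
+ReplyToAddress = "mattermost@infra4future.de";
+FeedbackOrganization = "∆infra4future.de";
+EnableSMTPAuth = true;
+SMTPUsername = "noreply@infra4future.de";
+SMTPServer = "mail.hacc.space";
+};
+RateLimitSettings.Enable = false;
+PrivacySettings = {
+ShowEmailAddress = false;
+ShowFullName = true;
+};
+SupportSettings = {
+TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+AboutLink = "https://infra4future.de";
+SupportEmail = "info@infra4future.de";
+CustomTermsOfServiceEnabled = false;
+EnableAskCommunityLink = true;
+};
+AnnouncementSettings.EnableBanner = false;
+GitLabSettings = {
+Enable = true;
+Id = "mattermost";
+Scope = "";
+AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+};
+# for some reason, these don't appear to be working; the startup
+# process complaines and sets these back to en
+LocalizationSettings = {
+DefaultServerLocale = "de";
+DefaultClientLocale = "de";
+AvailableLocales = "de,en";
+};
+MessageExportSettings.EnableExport = false;
+# plugins appear to have trouble with the read-only filesystem; it may
+# be necessary to manually change their paths etc.
+PluginSettings = {
+Enable = true;
+EnableUploads = true;
+Plugins = {
+bigbluebutton = {
+adminonly = false;
+base_url = "https://bbb.infra4future.de/bigbluebutton/api";
+salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
+};
+"com.github.matterpoll.matterpoll" = {
+experimentalui = true;
+trigger = "poll";
+};
+};
+PluginStates = {
+bigbluebutton.Enable = true;
+"com.github.matterpoll.matterpoll".Enable = true;
+};
+};
+ComplianceSettings.Enable = false;
+ClusterSettings.Enable = false;
+MetricsSettings.Enable = false;
+GuestAccountsSettings.Enable = false;
+# this is just the general allow-this-at-all switch; users
+# still have to turn it on for themselves
+FeatureFlags.CollapsedThreads = true;
+};
+
+# turn of the weirder parts of this module (which insist on passwords
+# in nix files, instead of just using socket-based authentication)
+#
+# It will still attempt to use its default password, but postgres will
+# just let it in regardless of that.
+localDatabaseCreate = false;
+};
+
+services.mysql = {
+enable = true;
+ensureDatabases = [ "mattermost" ];
+ensureUsers = [ {
+name = "mattermost";
+ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
+} ];
+package = pkgs.mysql80;
+dataDir = "/persist/mysql";
+};
+
+services.postgresql = {
+enable = lib.mkForce true; # mattermost sets this to false. wtf.
+ensureDatabases = [ "mattermost" ];
+ensureUsers = [ {
+name = "mattermost";
+ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
+} ];
+
+authentication = lib.mkForce ''
+# Generated file; do not edit!
+local all all trust
+host mattermost mattermost ::1/128 trust
+'';
+};
+
+networking.firewall.allowedTCPPorts = [ 3000 ];
+
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+})).config.system.build.toplevel;
+};
+
+services.nginx.virtualHosts."mattermost.infra4future.de" = {
+locations."/" = {
+proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
+proxyWebsockets = true;
+extraConfig = ''
+# Mattermost CSR Patch
+proxy_hide_header Content-Security-Policy;
+proxy_hide_header X-Frame-Options;
+proxy_redirect off;
+'';
+};
+forceSSL = true;
+enableACME = true;
+};
+}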
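Review bot: Two secrets are committed as literals in `extraConfig`, `FileSettings.PublicLinkSalt` and the `bigbluebutton` plugin's `salt`, so they live in the repository and presumably in the rendered config in the world-readable Nix store. `secretConfig = "/persist/mattermost/secrets.json"` is already set up, so both belong there, and the committed values should be treated as exposed and rotated. `users.users.root.hashedPassword = "";` gives the container's root account an empty password; unless passwordless console login is intended, drop the line (the default, as far as I know, disables password login). The nginx `extraConfig` hides `Content-Security-Policy` and `X-Frame-Options` from upstream without setting replacements, which removes the framing and script restrictions Mattermost sends; if the upstream policy breaks something, a comment should say what, and an explicit `add_header` with a narrower policy is safer than stripping both. `networking.firewall.allowedTCPPorts = [ 3000 ];` has no effect while `networking.firewall.enable = false;` is set earlier in the same container config, so exposure of port 3000 and the `trust` PostgreSQL rules depend entirely on the host-side network setup.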