Otherwise, the login via keycloak will fail, as mattermost cannot verify
the associated token. Since networking.nat only appears to work for ipv4
and I have no idea how to do it with ipv6, this unfortunately implies
downgrading the container's networking to ipv4 only ...
This adds a custom mattermost module (`services.mattermost-patched`) which is
identical to the one in nixpkgs except that it also has an option `secretConfig`,
which should point to a file containing all secret parts of the mattermost config
(e.g. mailserver password), and which is merged with the config genereated from
the module at startup time.
This allows us to have a (almost) immutable config without having secrets in the
nix store.
Before deploying this, add a secrets file at /var/lib/mattermost/screts.json
(on the host — there is a bind mount in place so we won't have to enter the
container each time to change something).
