# Staging Mattermost instance plus the kanidm identity server, both running in
# one NixOS container; the host's nginx terminates TLS (ACME) for both and
# proxies to the container over the veth link.
{ config, lib, pkgs, evalConfig, ... }:
{
  # Environment file holding the Mattermost secrets (the values that are NOT in
  # this file: DB credentials, OAuth client secret, ...).  Decrypted by sops-nix
  # on the host and bind-mounted into the container below.  No owner/mode is
  # given, so the sops-nix defaults apply — NOTE(review): presumably root-only;
  # confirm, anything readable by other host users leaks the whole config.
  sops.secrets = {
    "mattermost-s4f/env" = {};
  };

  containers.mattermost-staging = {
    autoStart = true;
    # Own network namespace: the host only reaches the container through the
    # veth pair (hostAddress <-> localAddress).  localAddress is what the nginx
    # proxyPass entries at the bottom of this file point at.
    privateNetwork = true;
    hostAddress = "192.168.100.11";
    localAddress = "192.168.100.13";
    # Root filesystem is discarded on every restart; only the bind mounts (and
    # whatever hacc.bindToPersist adds below) survive.
    ephemeral = true;
    bindMounts = {
      "/persist" = {
        hostPath = "/persist/containers/mattermost-s4f";
        isReadOnly = false;
      };
      # Decrypted sops secrets; only /persist asks for isReadOnly = false.
      "/secrets".hostPath = "/run/secrets/mattermost-s4f";
      # The host's ACME certificate *and private key* for kanidm.infra4future.de;
      # kanidm terminates TLS itself with these (tls_chain / tls_key below).
      "/cert".hostPath = "/var/lib/acme/kanidm.infra4future.de";
    };

    # evalConfig is a helper passed in as a module argument; presumably it
    # evaluates this inner module into the container's system closure.
    path = evalConfig ({ config, lib, pkgs, ... }: {
      # Feed the mounted secrets to the mattermost unit; mkForce overrides
      # whatever EnvironmentFile the mattermost module sets itself.
      systemd.services.mattermost.serviceConfig.EnvironmentFile = lib.mkForce "/secrets/env";

      services.mattermost = {
        enable = true;
        siteUrl = "https://mattermost-staging.infra4future.de";
        siteName = "Mattermost for testing";
        # Listens on all container interfaces; with privateNetwork = true only
        # the host side of the veth can reach it.
        listenAddress = "0.0.0.0:3000";
        # Config is regenerated from this file on every start — every value in
        # extraConfig is therefore part of the (version-controlled) Nix code and
        # presumably ends up in the world-readable Nix store.
        mutableConfig = false;
        statePath = "/persist/mattermost";
        extraConfig = {
          ServiceSettings = {
            # Mattermost takes the client IP from these headers.  That is only
            # safe if the host nginx always sets/overwrites them; the virtualHost
            # at the bottom of this file does not visibly do so — NOTE(review):
            # confirm recommendedProxySettings (or equivalent) is enabled
            # globally, otherwise clients can spoof their logged IP.
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            ReadTimeout = 300;
            WriteTimeout = 600;
            IdleTimeout = 60;
            # Only brute-force protection configured here; Mattermost's own
            # request rate limiting is switched off further down.
            MaximumLoginAttempts = 10;
            AllowCorsFrom = "*.infra4future.de/*";
            WebserverMode = "gzip";
            EnableCustomEmoji = true;
            EnableEmojiPicker = true;
            EnableGifPicker = false;
            RestrictCustomEmojiCreation = "all";
            RestrictPostDelete = "all";
            AllowEditPost = "always";
            PostEditTimeout = -1;
            EnableTutorial = false;
            ExperimentalChannelSidebarOrganization = "default_on";
            ExperimentalChannelOrganization = true;
            ExperimentalDataPrefetch = true;
            EnableEmailInvitations = true;
            DisableLegacyMFA = true;
            EnableSVGs = true;
            EnableLaTeX = true;
            ThreadAutoFollow = true;
            # Disables Mattermost's security-update notices; nothing in this
            # file provides another way of learning about security releases.
            EnableSecurityFixAlert = false;
            CollapsedThreads = "default_on";
          };
          TeamSettings = {
            EnableTeamCreation = true;
            EnableUserCreation = true;
            MaxUsersPerTeam = 250;
            EnableOpenServer = false;
            EnableUserDeactivation = true;
            ExperimentalViewArchivedChannels = true;
            ExperimentalEnableAutomaticReplies = true;
          };
          LogSettings = {
            EnableConsole = true;
            # note: for some reason this doesn't work (mattermost still sets it
            # to DEBUG); it's also set in secrets.env, where for some reason it
            # does take effect.
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };
          NotificationLogSettings = {
            EnableConsole = true;
            ConsoleLevel = "INFO";
          };
          PasswordSettings = {
            MinimumLength = 10;
            # Length only; the character-class rules are switched off.  Local
            # passwords matter little here since email/username sign-in is
            # disabled below and login goes through kanidm.
            Lowercase = false;
            Number = false;
            Uppercase = false;
            Symbol = false;
          };
          FileSettings = {
            EnableFileAttachments = true;
            MaxFileSize = 52428800;
            DriverName = "local";
            Directory = "/persist/mattermost/upload-storage";
            # Files can be shared via unauthenticated public links, whose
            # signature is derived from the salt below.
            EnablePublicLink = true;
            # NOTE(review): a secret hardcoded in version-controlled config
            # (and, with mutableConfig = false, presumably in the Nix store).
            # Anyone who reads it can forge public file links.  It should be
            # rotated and moved to the sops-managed env file like the other
            # secrets — the LogSettings comment above shows that env values
            # override this config.
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };
          EmailSettings = {
            # All local sign-up/sign-in paths off: the only remaining login is
            # the OAuth2 provider (GitLabSettings, pointed at kanidm) below.
            EnableSignUpWithEmail = false;
            EnableSignInWithEmail = false;
            EnableSignInWithUsername = false;
            SendEmailNotifications = true;
            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            # NOTE(review): the leading "∆" looks like an encoding artefact —
            # confirm it is intended.
            FeedbackOrganization = "∆infra4future.de";
            # SMTP password is not here; presumably supplied via the env file.
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
            SMTPPort = "465";
            SMTPServerTimeout = 10;
            ConnectionSecurity = "TLS";
          };
          # No built-in throttling; any rate limiting has to come from the
          # proxy in front, and nothing in this file configures that.
          RateLimitSettings.Enable = false;
          PrivacySettings = {
            ShowEmailAddress = false;
            ShowFullName = true;
          };
          # to disable the extra landing page advertising the app
          NativeAppSettings = {
            AppDownloadLink = "";
            AndroidAppDownloadLink = "";
            IosAppDownloadLink = "";
          };
          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };
          AnnouncementSettings.EnableBanner = false;
          # The "GitLab" OAuth2 provider is repointed at kanidm (served from the
          # same container, see services.kanidm).  The client secret is not in
          # this file; presumably it comes from the env file.
          GitLabSettings = {
            Enable = true;
            Id = "mattermost";
            Scope = "users";
            AuthEndpoint = "https://kanidm.infra4future.de/ui/oauth2";
            TokenEndpoint = "https://kanidm.infra4future.de/oauth2/token";
            UserApiEndpoint = "https://kanidm.infra4future.de/oauth2/openid/mattermost/userinfo";
          };
          # for some reason, these don't appear to be working; the startup
          # process complains and sets these back to en
          LocalizationSettings = {
            DefaultServerLocale = "de";
            DefaultClientLocale = "de";
            AvailableLocales = "de,en";
          };
          MessageExportSettings.EnableExport = false;
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = false;
          FeatureFlags.CollapsedThreads = true;
        };
        # eh, why not try it this time
        localDatabaseCreate = true;
      };

      # Nightly dump of the Mattermost database onto the persisted mount.
      services.postgresqlBackup = {
        enable = true;
        databases = [ "mattermost" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };

      # Identity provider; terminates TLS itself with the host's ACME cert that
      # is bind-mounted at /cert.  Bound on all container interfaces, which
      # with privateNetwork = true means only the host veth can reach it.
      services.kanidm = {
        enableServer = true;
        serverSettings = {
          bindaddress = "[::]:4000";
          domain = "kanidm.infra4future.de";
          origin = "https://kanidm.infra4future.de";
          tls_chain = "/cert/fullchain.pem";
          tls_key = "/cert/key.pem";
        };
      };
      environment.systemPackages = [ pkgs.kanidm ];
      # can't configure db location because of hardening options
      # https://github.com/NixOS/nixpkgs/pull/143134/files#r800231100
      # (hacc.bindToPersist is a local option, presumably persisting the
      # directory across the ephemeral container's restarts.)
      hacc.bindToPersist = [ "/var/lib/kanidm" ];
      services.postgresql.package = pkgs.postgresql;
    });
  };

  services.nginx.virtualHosts."mattermost-staging.infra4future.de" = {
    locations."/" = {
      # Plain HTTP to the container; the veth link is host-internal.
      proxyPass = "http://${config.containers.mattermost-staging.localAddress}:3000";
      proxyWebsockets = true;
      # Strips Mattermost's own Content-Security-Policy and X-Frame-Options
      # from every response, i.e. removes its clickjacking/XSS defences for
      # the whole site, and nothing here adds replacements.  NOTE(review): if
      # this is only needed to embed a specific page, re-add the headers with
      # an allow-list instead of hiding them globally — confirm the need.
      extraConfig = ''
        # Mattermost CSR Patch
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header X-Frame-Options;
        proxy_redirect off;
      '';
    };
    forceSSL = true;
    enableACME = true;
  };

  services.nginx.virtualHosts."kanidm.infra4future.de" = {
    locations."/" = {
      # Re-encrypted to kanidm, which serves the same certificate via /cert.
      # NOTE(review): no upstream certificate verification is configured here
      # and no forwarded-IP headers are set for kanidm — presumably acceptable
      # on the host-internal veth, confirm.
      proxyPass = "https://${config.containers.mattermost-staging.localAddress}:4000";
    };
    forceSSL = true;
    enableACME = true;
  };
}