# NixOS host module: runs Mattermost inside a NixOS container (with its own
# PostgreSQL and CoreDNS) and fronts it with an nginx virtual host on the host.
#
# Review notes (details at the lines they apply to):
#  - Two secret-like values (FileSettings.PublicLinkSalt and the BigBlueButton
#    plugin `salt`) are written literally here. Everything in this file ends up
#    in the world-readable Nix store, so they should be treated as exposed; the
#    module already supports `secretConfig` (a file bind-mounted read-only from
#    the host), which is where such values belong.
#  - PostgreSQL inside the container uses `trust`, i.e. no authentication for
#    any local connection.
#  - The container's firewall is disabled; isolation relies on privateNetwork
#    (only the host can reach the container address) and the nginx proxy.
{config, pkgs, lib, ...}: {
  containers.mattermost = {
    autoStart = true;
    # Separate network namespace: the container is only reachable through the
    # veth pair (hostAddress <-> localAddress); nothing below forwards inbound
    # traffic to it other than the nginx proxyPass on the host.
    privateNetwork = true;
    hostAddress = "192.168.100.30";
    localAddress = "192.168.100.31";
    # NOTE(review): this exposes the host's whole /var/lib/mattermost/ tree at
    # /secrets, not just secrets.json. If that host directory contains more
    # than the secrets file, mounting only the file narrows what the container
    # can read.
    bindMounts."/secrets" = {
      hostPath = "/var/lib/mattermost/";
      isReadOnly = true;
    };
    # Container configuration. `lib` is not a parameter here; it is the host's
    # `lib` captured from the outer function.
    config = {pkgs, config, ...}: {
      # have to import these here, since containers don't
      # inherit imports of their environment.
      imports = [ ../../../modules/mattermost.nix ];
      # No packet filtering inside the container; `allowedTCPPorts` further
      # down is therefore a no-op and exposure is bounded by privateNetwork.
      networking.firewall.enable = false;
      # couldn't figure out how to actually overwrite modules, so now
      # there's two mattermost modules ...
      services.mattermost-patched = {
        enable = true;
        siteUrl = "https://mattermost-beta.infra4future.de";
        siteName = "Mattermost - Blabla for Future";
        # Binds every interface in the container; with privateNetwork that is
        # loopback plus the veth address only.
        listenAddress = "0.0.0.0:3000";
        mutableConfig = false;
        # Secrets come from the read-only bind mount above, so they stay out of
        # the Nix store (presumably the SMTP password lives there — not visible
        # here).
        secretConfig = "/secrets/secrets.json";
        extraConfig = {
          ServiceSettings = {
            # The client IP is taken from these headers. That is only sound
            # while the sole path to port 3000 is the host's nginx proxy, which
            # the private network and the absence of an inbound NAT rule
            # ensure; anything able to reach the port directly could set these
            # headers itself and defeat per-IP logic such as login attempt
            # tracking.
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            ReadTimeout = 300;
            WriteTimeout = 600;
            IdleTimeout = 60;
            # Per-account lockout threshold. RateLimitSettings is disabled
            # below, so request-level throttling, if any, has to come from the
            # proxy.
            MaximumLoginAttempts = 10;
            # Wildcard: every host under infra4future.de is an accepted
            # cross-origin caller.
            AllowCorsFrom = "*.infra4future.de/*";
            WebserverMode = "gzip";
            EnableCustomEmoji = true;
            EnableEmojiPicker = true;
            EnableGifPicker = false;
            RestrictCustomEmojiCreation = "all";
            RestrictPostDelete = "all";
            AllowEditPost = "always";
            PostEditTimeout = -1;
            EnableTutorial = false;
            ExperimentalChannelSidebarOrganization = "default_on";
            ExperimentalChannelOrganization = true;
            ExperimentalDataPrefetch = true;
            EnableEmailInvitations = true;
            DisableLegacyMFA = true;
            # SVG can carry script; inline rendering relies on the server's own
            # sanitisation/CSP — TODO confirm for the deployed version.
            EnableSVGs = true;
            EnableLaTeX = true;
            ThreadAutoFollow = true;
            # Presumably silences the in-product notice about security fixes;
            # with it off, security updates must be tracked through the
            # nixpkgs/module update process instead.
            EnableSecurityFixAlert = false;
          };
          TeamSettings = {
            EnableTeamCreation = true;
            EnableUserCreation = true;
            # Closed server: users are not able to self-join; together with the
            # disabled email sign-up below, accounts appear to be provisioned
            # via the OIDC login only (see GitLabSettings).
            EnableOpenServer = false;
            EnableUserDeactivation = true;
            ExperimentalViewArchivedChannels = true;
            ExperimentalEnableAutomaticReplies = true;
          };
          LogSettings = {
            EnableConsole = true;
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };
          NotificationLogSettings = {
            EnableConsole = true;
            ConsoleLevel = "INFO";
          };
          PasswordSettings = {
            MinimumLength = 10;
            # turn off all the bullshit requirements
            Lowercase = false;
            Number = false;
            Uppercase = false;
            Symbol = false;
          };
          FileSettings = {
            EnableFileAttachments = true;
            MaxFileSize = 52428800;
            DriverName = "local";
            Directory = "/var/lib/mattermost/uploads-storage";
            # Public links are enabled; the salt below is what makes them
            # unguessable. NOTE(review): it is a secret, but it sits in this
            # file and hence in the Nix store; it belongs in secrets.json, and
            # if this file has ever been published the value should be
            # considered known.
            EnablePublicLink = true;
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };
          EmailSettings = {
            # Password-based sign-up and sign-in are off entirely.
            EnableSignUpWithEmail = false;
            EnableSignInWithEmail = false;
            EnableSignInWithUsername = false;
            SendEmailNotifications = true;
            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            FeedbackOrganization = "∆infra4future.de";
            # Authenticated SMTP; no password is set here, so it is expected to
            # come from secretConfig — verify.
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
          };
          # Built-in request rate limiting off (see MaximumLoginAttempts).
          RateLimitSettings.Enable = false;
          PrivacySettings = {
            ShowEmailAddress = false;
            ShowFullName = true;
          };
          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };
          AnnouncementSettings.EnableBanner = false;
          # The "GitLab" OAuth provider is pointed at a Keycloak realm's OpenID
          # Connect endpoints. The client secret is not in this file (expected in
          # secretConfig). Scope is empty, so whatever the provider grants by
          # default is what Mattermost gets — confirm that the userinfo response
          # carries the fields Mattermost needs.
          GitLabSettings = {
            Enable = true;
            Id = "mattermost-beta";
            Scope = "";
            AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
            TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
            UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
          };
          # for some reason, these don't appear to be working; the startup
          # process complains and sets these back to en
          LocalizationSettings = {
            DefaultServerLocale = "de";
            DefaultClientLocale = "de";
            AvailableLocales = "de,en";
          };
          MessageExportSettings.EnableExport = false;
          # plugins appear to have trouble with the read-only filesystem; it may
          # be necessary to manually change their paths etc.
          PluginSettings = {
            Enable = true;
            # Uploaded plugins run as server-side code; this gives system admins
            # the ability to install arbitrary bundles through the UI.
            EnableUploads = true;
            Plugins = {
              bigbluebutton = {
                adminonly = false;
                base_url = "https://bbb.infra4future.de/bigbluebutton/api";
                # NOTE(review): `salt` is the BigBlueButton API shared secret
                # (it authorises API calls against the BBB server), so the same
                # Nix-store exposure as PublicLinkSalt applies; if this file has
                # been published the BBB secret should be treated as known.
                salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
              };
              "com.github.matterpoll.matterpoll" = {
                experimentalui = true;
                trigger = "poll";
              };
            };
            PluginStates = {
              bigbluebutton.Enable = true;
              "com.github.matterpoll.matterpoll".Enable = true;
            };
          };
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = false;
          # this is just the general allow-this-at-all switch; users
          # still have to turn it on for themselves
          FeatureFlags.CollapsedThreads = true;
        };
        # turn off the weirder parts of this module (which insist on passwords
        # in nix files, instead of just using socket-based authentication)
        #
        # It will still attempt to use its default password, but postgres will
        # just let it in regardless of that.
        localDatabaseCreate = false;
      };
      services.postgresql = {
        enable = lib.mkForce true; # mattermost sets this to false. wtf.
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [
          {
            name = "mattermost";
            ensurePermissions = {
              "DATABASE mattermost" = "ALL PRIVILEGES";
            };
          }
        ];
        # `trust` performs no authentication at all: any process inside the
        # container can connect over the socket as any role, including the
        # postgres superuser, and the same holds for ::1. This is what lets
        # Mattermost in without a real password (see localDatabaseCreate above);
        # it is only as safe as the container's process isolation.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all trust
          host mattermost mattermost ::1/128 trust
        '';
      };
      # Ineffective while networking.firewall.enable is false (see above).
      networking.firewall.allowedTCPPorts = [ 3000 ];
      # Local resolver for the container, forwarding everything upstream.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };
  # Host-side TLS termination and reverse proxy into the container; `config`
  # here is the host's configuration, so the address is taken from the
  # container definition above.
  services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
    locations."/" = {
      proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
      proxyWebsockets = true;
    };
    forceSSL = true;
    enableACME = true;
  };
  # Gives the container outbound connectivity via the host's external
  # interface; no inbound port forwards are defined here.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-mattermost" ];
    externalInterface = "enp6s0";
  };
}