stuebinm
d933a6ef98
this one's not connected to our SSO and intended for short-term use only, after which it will be deleted again. I've gone through at least some of mattermost's options to see how many of these are actually relevant anymore. Some can be left out. Unlike the other mattermost it also doesn't use any mysql.
134 lines
4.3 KiB
Nix
{ config, lib, pkgs, ... }:

# Mattermost for s4f-conference.infra4future.de: a `hacc.containers` entry that
# runs Mattermost next to PostgreSQL 15 (with a scheduled dump), plus the nginx
# virtual host that proxies to it. `hacc.containers` is a project-local option
# that is not defined in this file.
{
  # Declared with default sops options. The container below reads an
  # environment file at /secrets/env.
  # NOTE(review): presumably `bindSecrets` is what exposes this secret at that
  # path; confirm in the hacc.containers module.
  sops.secrets."s4f-conference/env" = { };

  hacc.containers.s4f-conference = {
    bindSecrets = true;

    config = { config, lib, pkgs, ... }: {
      # mkForce so that this definition wins over any other EnvironmentFile.
      systemd.services.mattermost.serviceConfig.EnvironmentFile = lib.mkForce "/secrets/env";

      services.mattermost = {
        enable = true;
        siteName = "Scientists for Future Chat";
        siteUrl = "https://s4f-conference.infra4future.de";
        # Binds every interface inside the container; the host nginx below is
        # the intended entry point.
        # NOTE(review): confirm port 3000 is reachable only from the host proxy.
        listenAddress = "0.0.0.0:3000";
        mutableConfig = false;

        statePath = "/persist/mattermost";

        # The database comes from the services.postgresql block below
        # (ensureDatabases / ensureUsers), not from the mattermost module.
        localDatabaseCreate = false;

        extraConfig = {
          ServiceSettings = {
            # Client IPs are taken from these request headers. That is only
            # trustworthy when every request passes through a proxy that sets
            # them itself (see the listenAddress note above).
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            EnableEmailInvitations = true;
          };

          TeamSettings = {
            EnableUserCreation = true;
            EnableUserDeactivation = true;
            EnableOpenServer = false;
          };

          PasswordSettings.MinimumLength = 10;

          FileSettings = {
            EnableFileAttachments = true;
            MaxFileSize = 52428800; # 50 MiB
            DriverName = "local";
            Directory = "/persist/upload-storage";
            EnablePublicLink = true;
            # NOTE(review): this salt is a literal in the repository and ends
            # up in the world-readable Nix store. It feeds the public file
            # links enabled above, so it should be treated as a secret:
            # consider supplying it through the sops-managed environment file
            # (MM_FILESETTINGS_PUBLICLINKSALT) and rotating this value.
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };

          EmailSettings = {
            # Local email/username + password accounts are the login path
            # configured here.
            EnableSignUpWithEmail = true;
            EnableSignInWithEmail = true;
            EnableSignInWithUsername = true;
            SendEmailNotifications = true;

            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            FeedbackOrganization = "∆infra4future.de";

            # No SMTP password is set in this file.
            # NOTE(review): presumably it is provided via /secrets/env; confirm.
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
            SMTPPort = "465";
            SMTPServerTimeout = 10;
            ConnectionSecurity = "TLS";
          };

          # NOTE(review): Mattermost's built-in rate limiting is off while
          # password sign-in and email sign-up are on. Nothing in this file
          # throttles requests instead (no limit_req on the vhost below);
          # confirm that is intended for a public instance.
          RateLimitSettings.Enable = false;

          PrivacySettings = {
            ShowEmailAddress = false;
            ShowFullName = true;
          };

          # Empty links disable the extra landing page advertising the app.
          NativeAppSettings = {
            AppDownloadLink = "";
            AndroidAppDownloadLink = "";
            IosAppDownloadLink = "";
          };

          LogSettings = {
            EnableConsole = true;
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };

          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };

          AnnouncementSettings.EnableBanner = false;
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = true;
        };
      };

      services.postgresql = {
        # Original author's note: the mattermost module sets this to false,
        # hence the mkForce.
        enable = lib.mkForce true;
        package = pkgs.postgresql_15;
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ { name = "mattermost"; ensureDBOwnership = true; } ];

        # mkForce makes this the complete pg_hba.conf.
        # NOTE(review): `trust` skips authentication. The `local` rule lets any
        # process in the container connect over the unix socket as any role,
        # for every database; the `host` rule does the same for the mattermost
        # role from ::1. `peer` on the socket rule would tie access to the
        # matching system user. Confirm which clients rely on `trust` before
        # tightening.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all trust
          host mattermost mattermost ::1/128 trust
        '';
      };

      # Daily dump of the mattermost database at 23:45.
      # NOTE(review): the dump holds account data and password hashes; check
      # the permissions and retention of this directory.
      services.postgresqlBackup = {
        enable = true;
        databases = [ "mattermost" ];
        location = "/persist/backups/postgres";
        startAt = "*-*-* 23:45:00";
      };
    };
  };

  # TLS terminates on the host; requests are forwarded in plain HTTP to the
  # container address on port 3000.
  services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
      proxyWebsockets = true;
      # NOTE(review): the two proxy_hide_header lines drop the
      # Content-Security-Policy and X-Frame-Options headers from upstream
      # responses, and no replacement headers are added in this location.
      # Browsers therefore get neither protection unless another part of the
      # nginx config sets them; confirm. (The label inside the string says
      # "CSR"; presumably CSP is meant.)
      extraConfig = ''
        # Mattermost CSR Patch
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header X-Frame-Options;
        proxy_redirect off;
      '';
    };
  };
}