stuebinm
c09337c973
this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variable names were preserved; confusingly, this means the flake inputs are still called "sources"
# Host-side NixOS module: runs Mattermost inside a nixos-container on a
# private network (192.168.100.0/24), keeps all of the container's state under
# /persist on the host, and publishes it through the host's nginx as
# mattermost.infra4future.de.
#
# Secrets: everything the service needs that must not land in the (world-
# readable) nix store is expected to come from /persist/mattermost/secrets.env
# (see the EnvironmentFile below). Two values in this file do not follow that
# rule yet — see the NOTE(review) comments on PublicLinkSalt and the
# bigbluebutton salt.
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:

let
  # Taken from the host's pkgs so the overlay inside the container evaluates
  # to the very same derivation as on the host.
  mattermost = pkgs.mattermost;
in {
  containers.mattermost = {
    autoStart = true;
    # Own network namespace; the container is only reachable via the
    # host <-> container veth pair addressed below.
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.3";

    bindMounts = {
      # The container's only writable, persistent location (mattermost state,
      # mysql/postgres data dirs, secrets.env all live below it).
      "/persist" = {
        hostPath = "/persist/containers/mattermost";
        isReadOnly = false;
      };
    };

    # The container's NixOS config is evaluated here via the repo's own
    # evalConfig (with empty hosts/groups) so that the flake's profiles,
    # modules and sources are available inside it; only the resulting
    # toplevel derivation is handed to the container machinery.
    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      # NOTE(review): an empty hashed password lets root log in with no
      # password inside the container. That is presumably relied on for
      # `nixos-container root-login` from the host; confirm that nothing else
      # (getty, sshd) offers a login prompt in here.
      users.users.root.hashedPassword = "";
      system.stateVersion = "21.05";

      # nix-hexchen's nopersist profile; presumably makes everything outside
      # /persist ephemeral / read-only (the plugin note further down hints at
      # a read-only root) — verify against the profile.
      imports = [ sources.nix-hexchen.nixosModules.profiles.nopersist ];

      # Reuse the host's mattermost package inside the container.
      nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];

      nixpkgs.config.allowUnfree = true;
      # NOTE(review): with the firewall off, the `allowedTCPPorts = [ 3000 ]`
      # further down has no effect, and every listener in the container
      # (mattermost :3000, coredns :53, the databases if they ever bind to a
      # non-loopback address) is reachable by anything that can route to
      # 192.168.100.3. If only the host is meant to talk to this container,
      # leaving the firewall on with just port 3000 open is the safer default.
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };

      # Out-of-store secrets (db password, OAuth client secret, SMTP password,
      # ... — exact contents not visible here) are injected as environment
      # variables from the persisted volume.
      systemd.services.mattermost.serviceConfig.EnvironmentFile =
        "/persist/mattermost/secrets.env";
      # overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
      systemd.services.mattermost.serviceConfig.ExecStart =
        lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";

      # couldn't figure out how to actually overwrite modules, so now
      # there's two mattermost modules ...
      services.mattermost = {
        enable = true;
        siteUrl = "https://mattermost.infra4future.de";
        siteName = "Mattermost for Future";
        # Binds all container interfaces; because of privateNetwork above this
        # is effectively only 192.168.100.3, fronted by the host's nginx.
        listenAddress = "0.0.0.0:3000";
        # Config is generated from extraConfig at build time; the admin UI
        # cannot change it.
        mutableConfig = false;

        statePath = "/persist/mattermost";

        # Merged into the generated config.json; keys mirror Mattermost's own
        # config.json layout.
        extraConfig = {
          ServiceSettings = {
            # Client IPs are taken from these headers. Only safe as long as
            # the sole path to :3000 is the nginx proxy on the host (see the
            # firewall note above) — anything that can reach the container
            # directly could forge them.
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            ReadTimeout = 300;
            WriteTimeout = 600;
            IdleTimeout = 60;
            # Lockout after 10 failed logins. Since RateLimitSettings is off
            # below this is the only brute-force control in Mattermost itself;
            # in practice password login is disabled (EmailSettings), so the
            # OAuth provider does the heavy lifting.
            MaximumLoginAttempts = 10;
            AllowCorsFrom = "*.infra4future.de/*";
            WebserverMode = "gzip";
            EnableCustomEmoji = true;
            EnableEmojiPicker = true;
            EnableGifPicker = false;
            RestrictCustomEmojiCreation = "all";
            RestrictPostDelete = "all";
            AllowEditPost = "always";
            PostEditTimeout = -1;
            EnableTutorial = false;
            ExperimentalChannelSidebarOrganization = "default_on";
            ExperimentalChannelOrganization = true;
            ExperimentalDataPrefetch = true;
            EnableEmailInvitations = true;
            DisableLegacyMFA = true;
            EnableSVGs = true;
            EnableLaTeX = true;
            ThreadAutoFollow = true;
            # NOTE(review): presumably switches off Mattermost's security-
            # update notices to admins; staying patched then depends entirely
            # on bumping the package in this repo.
            EnableSecurityFixAlert = false;
            CollapsedThreads = "default_on";
          };
          TeamSettings = {
            EnableTeamCreation = true;
            EnableUserCreation = true;
            MaxUsersPerTeam = 250;
            # No open signup; accounts come in via invitations / the OAuth
            # provider.
            EnableOpenServer = false;
            EnableUserDeactivation = true;
            ExperimentalViewArchivedChannels = true;
            ExperimentalEnableAutomaticReplies = true;
          };
          LogSettings = {
            EnableConsole = true;
            # note: for some reason this doesn't work (mattermost still sets it to DEBUG);
            # it's also set in secrets.env, where for some reason it does
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };
          NotificationLogSettings = {
            EnableConsole = true;
            ConsoleLevel = "INFO";
          };
          # Only relevant if local password login is ever re-enabled (it is
          # switched off in EmailSettings below).
          PasswordSettings = {
            MinimumLength = 10;
            # turn off all the composition requirements
            Lowercase = false;
            Number = false;
            Uppercase = false;
            Symbol = false;
          };
          FileSettings = {
            EnableFileAttachments = true;
            # 50 MiB
            MaxFileSize = 52428800;
            DriverName = "local";
            Directory = "/persist/mattermost/upload-storage";
            EnablePublicLink = true;
            # NOTE(review): this salt is a secret (it is what makes public
            # file links unguessable) but it sits in a nix file, i.e. in the
            # repo history and in the world-readable nix store of every
            # machine that builds this. Consider moving it into secrets.env
            # like the other secrets (Mattermost honours the
            # MM_FILESETTINGS_PUBLICLINKSALT environment override) and
            # rotating it afterwards.
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };
          EmailSettings = {
            # All email/password based signup and sign-in is disabled; the
            # only login path is the OAuth provider configured in
            # GitLabSettings below.
            EnableSignUpWithEmail = false;
            EnableSignInWithEmail = false;
            EnableSignInWithUsername = false;
            SendEmailNotifications = true;
            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            FeedbackOrganization = "∆infra4future.de";
            # Authenticated, implicit-TLS SMTP (port 465 + "TLS"); the SMTP
            # password is not in this file — presumably in secrets.env.
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
            SMTPPort = "465";
            SMTPServerTimeout = 10;
            ConnectionSecurity = "TLS";
          };
          # Mattermost's own per-IP/per-user request limiting is off; anything
          # of that sort has to happen at the nginx proxy.
          RateLimitSettings.Enable = false;
          PrivacySettings = {
            ShowEmailAddress = false;
            ShowFullName = true;
          };
          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };
          AnnouncementSettings.EnableBanner = false;
          # The "GitLab" OAuth2 integration is pointed at login.infra4future.de
          # instead of an actual GitLab; this is the only way to log in. The
          # client Secret is deliberately absent here — presumably provided
          # via secrets.env. Scope = "" leaves the provider's default scopes.
          GitLabSettings = {
            Enable = true;
            Id = "mattermost";
            Scope = "";
            AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
            TokenEndpoint = "https://login.infra4future.de/oauth2/token";
            UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
          };
          # for some reason, these don't appear to be working; the startup
          # process complains and sets these back to en
          LocalizationSettings = {
            DefaultServerLocale = "de";
            DefaultClientLocale = "de";
            AvailableLocales = "de,en";
          };
          MessageExportSettings.EnableExport = false;
          # plugins appear to have trouble with the read-only filesystem; it may
          # be necessary to manually change their paths etc.
          PluginSettings = {
            Enable = true;
            # Admins can upload arbitrary plugin bundles (server-side code)
            # through the UI; acceptable only because admin accounts are
            # trusted.
            EnableUploads = true;
            Plugins = {
              bigbluebutton = {
                adminonly = false;
                base_url = "https://bbb.infra4future.de/bigbluebutton/api";
                # NOTE(review): this is the BigBlueButton API shared secret
                # (it authorises every API call, e.g. creating/joining rooms).
                # Same concern as PublicLinkSalt: it lives in the repo and the
                # nix store, and rotating it requires a rebuild. It should be
                # kept out of the store and rotated.
                salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
              };
              "com.github.matterpoll.matterpoll" = {
                experimentalui = true;
                trigger = "poll";
              };
            };
            PluginStates = {
              bigbluebutton.Enable = true;
              "com.github.matterpoll.matterpoll".Enable = true;
            };
          };
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = false;
          FeatureFlags.CollapsedThreads = true;
        };

        # turn off the weirder parts of this module (which insist on passwords
        # in nix files, instead of just using socket-based authentication)
        #
        # It will still attempt to use its default password, but postgres will
        # just let it in regardless of that (pg_hba below uses `trust`).
        localDatabaseCreate = false;
      };

      # NOTE(review): both mysql and postgresql are enabled below, each with a
      # `mattermost` database and an ALL PRIVILEGES user. Mattermost only
      # talks to one of them (the postgres block is the one tailored to it
      # with a forced enable and a hand-written pg_hba). If mysql is a
      # leftover from an earlier setup it is an extra listening service and
      # an extra set of credentials for nothing — confirm and drop it if so.
      services.mysql = {
        enable = true;
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ {
          name = "mattermost";
          ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
        } ];
        package = pkgs.mysql80;
        dataDir = "/persist/mysql";
      };

      services.postgresql = {
        enable = lib.mkForce true; # the mattermost module sets this to false (presumably because localDatabaseCreate is off above); force it back on
        package = pkgs.postgresql_11;
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ {
          name = "mattermost";
          ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
        } ];

        # Replaces (mkForce, not appends to) the module's generated pg_hba.
        # `trust` = no password and no identity check: any local unix user can
        # connect as any postgres role, including the superuser, and anything
        # in the container can reach the mattermost db over ::1.
        # NOTE(review): `local all all peer` would keep the "socket-based
        # auth, no password in nix" intent while binding each postgres role
        # to the matching unix user (the mattermost service presumably runs
        # as a `mattermost` user — verify); the ::1 line is only needed if
        # mattermost actually connects over TCP rather than the socket.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all trust
          host mattermost mattermost ::1/128 trust
        '';
      };

      # Ineffective while networking.firewall.enable = false above; kept so
      # that turning the firewall back on exposes exactly the proxied port.
      networking.firewall.allowedTCPPorts = [ 3000 ];

      # The container has no DHCP and hence no resolver of its own; run a
      # tiny forwarder. Plain (unencrypted) DNS to 1.1.1.1.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };

    })).config.system.build.toplevel;
  };

  # Host-side reverse proxy; TLS terminates here, the container speaks plain
  # HTTP on the private network.
  services.nginx.virtualHosts."mattermost.infra4future.de" = {
    locations."/" = {
      proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
      proxyWebsockets = true;
      # NOTE(review): the two proxy_hide_header lines strip the
      # Content-Security-Policy and X-Frame-Options headers Mattermost sends,
      # so unless nginx adds its own the site ships without CSP and without
      # clickjacking protection. The "CSR Patch" comment suggests this was a
      # workaround for a specific problem — confirm it is still needed.
      extraConfig = ''
        # Mattermost CSR Patch
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header X-Frame-Options;
        proxy_redirect off;
      '';
    };
    # HTTPS only (HTTP redirects), certificate via ACME.
    forceSSL = true;
    enableACME = true;
  };
}