{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:

# NixOS container running Mattermost for mattermost.infra4future.de.
# The host side only declares the container, its /persist bind mount and the
# nginx reverse proxy in front of it; the container's own NixOS config is
# evaluated inline below via evalConfig.

{
  containers.mattermost = {
    autoStart = true;
    # own network namespace: the host reaches the container only over the
    # veth pair declared by hostAddress/localAddress
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.3";

    bindMounts = {
      # writable state lives on the host under /persist/containers/mattermost;
      # everything else in the container is presumably non-persistent (see the
      # nopersist profile imported below) -- TODO confirm
      "/persist" = {
        hostPath = "/persist/containers/mattermost";
        isReadOnly = false;
      };
    };

    # the whole system closure is built here instead of through
    # containers.<name>.config, presumably so the repo's own profiles/modules
    # can be passed in -- TODO confirm
    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      # NOTE(review): an empty hash means root has no password inside the
      # container. Nothing in this file configures ssh or a getty, so this is
      # presumably only reachable via the host's container console -- confirm
      # the imported modules don't expose another login path.
      users.users.root.hashedPassword = "";

      imports = [
        ../modules/mattermost.nix
        ((import sources.nix-hexchen) {}).profiles.nopersist
      ];

      nixpkgs.config.allowUnfree = true;
      # no firewall in the container; the host's nginx (virtualHost at the
      # bottom of this file) is the only intended way in
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };

      # couldn't figure out how to actually overwrite modules, so now
      # there's two mattermost modules ...
      services.mattermost-patched = {
        enable = true;
        siteUrl = "https://mattermost.infra4future.de";
        siteName = "Mattermost - Blabla for Future";
        # binds on all container interfaces; only the host can reach it over
        # the private veth (privateNetwork above)
        listenAddress = "0.0.0.0:3000";
        # config.json is regenerated from this file; changes made in the
        # System Console are not kept
        mutableConfig = false;

        # secrets are read from /persist at runtime, which keeps them out of
        # the world-readable nix store -- see the NOTEs on the salts below
        # for values that didn't make it there
        secretConfig = "/persist/mattermost/secrets.json";
        statePath = "/persist/mattermost";

        extraConfig = {
          ServiceSettings = {
            # client IPs are taken from these headers. this is only sound
            # while nothing but the host's reverse proxy can reach port 3000
            # and the proxy overwrites (not appends to) them -- the nginx
            # proxy settings are not in this file, TODO confirm
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            ReadTimeout = 300;
            WriteTimeout = 600;
            IdleTimeout = 60;
            # lockout after 10 failed logins; note RateLimitSettings is
            # disabled further down, so this is the only brute-force brake
            MaximumLoginAttempts = 10;
            AllowCorsFrom = "*.infra4future.de/*";
            WebserverMode = "gzip";
            EnableCustomEmoji = true;
            EnableEmojiPicker = true;
            EnableGifPicker = false;
            RestrictCustomEmojiCreation = "all";
            RestrictPostDelete = "all";
            AllowEditPost = "always";
            PostEditTimeout = -1;
            EnableTutorial = false;
            ExperimentalChannelSidebarOrganization = "default_on";
            ExperimentalChannelOrganization = true;
            ExperimentalDataPrefetch = true;
            EnableEmailInvitations = true;
            DisableLegacyMFA = true;
            EnableSVGs = true;
            EnableLaTeX = true;
            ThreadAutoFollow = true;
            # turns off the phone-home check for mattermost security
            # advisories; admins need another way to hear about security
            # releases
            EnableSecurityFixAlert = false;
          };
          TeamSettings = {
            EnableTeamCreation = true;
            EnableUserCreation = true;
            # closed server: accounts only via invitation / the oidc login below
            EnableOpenServer = false;
            EnableUserDeactivation = true;
            ExperimentalViewArchivedChannels = true;
            ExperimentalEnableAutomaticReplies = true;
          };
          LogSettings = {
            EnableConsole = true;
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };
          NotificationLogSettings = {
            EnableConsole = true;
            ConsoleLevel = "INFO";
          };
          PasswordSettings = {
            MinimumLength = 10;
            # turn off all the bullshit requirements
            Lowercase = false;
            Number = false;
            Uppercase = false;
            Symbol = false;
          };
          FileSettings = {
            EnableFileAttachments = true;
            MaxFileSize = 52428800;
            DriverName = "local";
            Directory = "/persist/mattermost/upload-storage";
            EnablePublicLink = true;
            # NOTE(review): this salt ends up in the nix store, which is
            # world-readable; it belongs in secretConfig (secrets.json) with
            # the other secrets. rotating it invalidates existing public links.
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };
          EmailSettings = {
            # password login is fully disabled; the oidc login (GitLabSettings
            # below) is the only way to sign in
            EnableSignUpWithEmail = false;
            EnableSignInWithEmail = false;
            EnableSignInWithUsername = false;
            SendEmailNotifications = true;
            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            # NOTE(review): the leading "∆" looks like a mis-encoded
            # character -- confirm it is intended
            FeedbackOrganization = "∆infra4future.de";
            # smtp password presumably comes from secretConfig -- TODO confirm
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
          };
          # no per-IP request limiting at the application level
          RateLimitSettings.Enable = false;
          PrivacySettings = {
            ShowEmailAddress = false;
            ShowFullName = true;
          };
          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };
          AnnouncementSettings.EnableBanner = false;
          # login via an OpenID Connect provider using mattermost's "gitlab"
          # auth type; the client secret is expected in secretConfig -- TODO
          # confirm. Scope is left empty on purpose? -- confirm
          GitLabSettings = {
            Enable = true;
            Id = "mattermost";
            Scope = "";
            AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
            TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
            UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
          };
          # for some reason, these don't appear to be working; the startup
          # process complains and sets these back to en
          LocalizationSettings = {
            DefaultServerLocale = "de";
            DefaultClientLocale = "de";
            AvailableLocales = "de,en";
          };
          MessageExportSettings.EnableExport = false;
          # plugins appear to have trouble with the read-only filesystem; it may
          # be necessary to manually change their paths etc.
          PluginSettings = {
            Enable = true;
            # lets system admins upload plugins from the console, i.e. run
            # code on the server; restrict if plugins are only managed here
            EnableUploads = true;
            Plugins = {
              bigbluebutton = {
                adminonly = false;
                base_url = "https://bbb.infra4future.de/bigbluebutton/api";
                # NOTE(review): the BBB shared secret is in the nix store as
                # well; same remark as for PublicLinkSalt above
                salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
              };
              "com.github.matterpoll.matterpoll" = {
                experimentalui = true;
                trigger = "poll";
              };
            };
            PluginStates = {
              bigbluebutton.Enable = true;
              "com.github.matterpoll.matterpoll".Enable = true;
            };
          };
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = false;
          # this is just the general allow-this-at-all switch; users
          # still have to turn it on for themselves
          FeatureFlags.CollapsedThreads = true;
        };

        # turn off the weirder parts of this module (which insist on passwords
        # in nix files, instead of just using socket-based authentication)
        #
        # It will still attempt to use its default password, but postgres will
        # just let it in regardless of that.
        localDatabaseCreate = false;
      };

      # NOTE(review): SqlSettings is not set in this file and postgres is also
      # provisioned below, so it is unclear whether this mysql instance is used
      # at all -- confirm, and drop the unused database server
      services.mysql = {
        enable = true;
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ {
          name = "mattermost";
          ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
        } ];
        package = pkgs.mysql80;
        dataDir = "/persist/mysql";
      };

      services.postgresql = {
        enable = lib.mkForce true; # mattermost sets this to false. wtf.
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ {
          name = "mattermost";
          ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
        } ];

        # "trust" lets any local unix user connect as any role without a
        # password; acceptable only because nothing but mattermost runs in
        # this container
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all trust
          host mattermost mattermost ::1/128 trust
        '';
      };

      # no effect while networking.firewall.enable is false above; kept so
      # that turning the firewall on keeps the reverse-proxy path open
      networking.firewall.allowedTCPPorts = [ 3000 ];

      # container-local resolver forwarding everything to 1.1.1.1 over
      # plain dns (no tls configured here)
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    })).config.system.build.toplevel;
  };

  # host-side tls terminating reverse proxy into the container
  services.nginx.virtualHosts."mattermost.infra4future.de" = {
    locations."/" = {
      proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
      proxyWebsockets = true;
      # NOTE(review): this strips mattermost's Content-Security-Policy and
      # X-Frame-Options, so the site is served without clickjacking/CSP
      # protection unless nginx adds its own headers elsewhere -- confirm
      # that is intended ("CSR" below presumably means CSP)
      extraConfig = ''
        # Mattermost CSR Patch
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header X-Frame-Options;
        proxy_redirect off;
      '';
    };
    forceSSL = true;
    enableACME = true;
  };
}