forked from hacc/haccfiles
get rid of mattermost-patched module
this does a couple of things: - redo mattermost's secret config as an env file passed to systemd - get rid of modules/mattermost.nix and use the upstream module instead - move some of the stuff in secret.json that doesn't need to be there into nix (e.g. smtp port) Also, I set the log level to ERROR in the env file. Mattermost doesn't seem to respect it otherwise *shrug*
This commit is contained in:
parent
714a8e5d73
commit
52f9f2d64c
2 changed files with 9 additions and 254 deletions
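--- a/modules/mattermost.nix
+++ /dev/null
@@ -1,251 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-
-cfg = config.services.mattermost-patched;
-
-database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10";
-
-mattermostConf = foldl recursiveUpdate {}
-[ { ServiceSettings.SiteURL = cfg.siteUrl;
-ServiceSettings.ListenAddress = cfg.listenAddress;
-TeamSettings.SiteName = cfg.siteName;
-}
-cfg.extraConfig
-];
-
-mattermostConfJSON = pkgs.writeText "mattermost-config-raw.json" (builtins.toJSON mattermostConf);
-
-in
-
-{
-options = {
-services.mattermost-patched = {
-enable = mkEnableOption "Mattermost chat server";
-
-statePath = mkOption {
-type = types.str;
-default = "/var/lib/mattermost";
-description = "Mattermost working directory";
-};
-
-siteUrl = mkOption {
-type = types.str;
-example = "https://chat.example.com";
-description = ''
-URL this Mattermost instance is reachable under, without trailing slash.
-'';
-};
-
-siteName = mkOption {
-type = types.str;
-default = "Mattermost";
-description = "Name of this Mattermost site.";
-};
-
-listenAddress = mkOption {
-type = types.str;
-default = ":8065";
-example = "[::1]:8065";
-description = ''
-Address and port this Mattermost instance listens to.
-'';
-};
-
-mutableConfig = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether the Mattermost config.json is writeable by Mattermost.
-
-Most of the settings can be edited in the system console of
-Mattermost if this option is enabled. A template config using
-the options specified in services.mattermost will be generated
-but won't be overwritten on changes or rebuilds.
-
-If this option is disabled, changes in the system console won't
-be possible (default). If an config.json is present, it will be
-overwritten!
-'';
-};
-
-extraConfig = mkOption {
-type = types.attrs;
-default = { };
-description = ''
-Addtional configuration options as Nix attribute set in config.json schema.
-'';
-};
-
-secretConfig = mkOption {
-type = types.nullOr types.str;
-default = null;
-description = ''
-Path to a json file containing secret config values, which should
-not be written into the Nix store. If it is not null (the default)
-and mutableConfig is set to false, then the mattermost service will
-join the file at this path into its config.
-
-Note that this file cannot be used to overwrite values already
-specified by the other options of this module.
-'';
-};
-
-localDatabaseCreate = mkOption {
-type = types.bool;
-default = true;
-description = ''
-Create a local PostgreSQL database for Mattermost automatically.
-'';
-};
-
-localDatabaseName = mkOption {
-type = types.str;
-default = "mattermost";
-description = ''
-Local Mattermost database name.
-'';
-};
-
-localDatabaseUser = mkOption {
-type = types.str;
-default = "mattermost";
-description = ''
-Local Mattermost database username.
-'';
-};
-
-localDatabasePassword = mkOption {
-type = types.str;
-default = "mmpgsecret";
-description = ''
-Password for local Mattermost database user.
-'';
-};
-
-user = mkOption {
-type = types.str;
-default = "mattermost";
-description = ''
-User which runs the Mattermost service.
-'';
-};
-
-group = mkOption {
-type = types.str;
-default = "mattermost";
-description = ''
-Group which runs the Mattermost service.
-'';
-};
-
-matterircd = {
-enable = mkEnableOption "Mattermost IRC bridge";
-parameters = mkOption {
-type = types.listOf types.str;
-default = [ ];
-example = [ "-mmserver chat.example.com" "-bind [::]:6667" ];
-description = ''
-Set commandline parameters to pass to matterircd. See
-https://github.com/42wim/matterircd#usage for more information.
-'';
-};
-};
-};
-};
-
-config = mkMerge [
-(mkIf cfg.enable {
-users.users = optionalAttrs (cfg.user == "mattermost") {
-mattermost = {
-group = cfg.group;
-uid = config.ids.uids.mattermost;
-home = cfg.statePath;
-};
-};
-
-users.groups = optionalAttrs (cfg.group == "mattermost") {
-mattermost.gid = config.ids.gids.mattermost;
-};
-
-services.postgresql.enable = cfg.localDatabaseCreate;
-
-# The systemd service will fail to execute the preStart hook
-# if the WorkingDirectory does not exist
-system.activationScripts.mattermost = ''
-mkdir -p ${cfg.statePath}
-'';
-
-systemd.services.mattermost = {
-description = "Mattermost chat service";
-wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" ];
-
-preStart = ''
-mkdir -p ${cfg.statePath}/{data,config,logs}
-ln -sf ${pkgs.mattermost}/{bin,fonts,i18n,templates,client} ${cfg.statePath}
-'' + lib.optionalString (!cfg.mutableConfig) ''
-rm -f ${cfg.statePath}/config/config.json
-'' + (if cfg.secretConfig == null
-then ''
-cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
-''
-else ''
-${pkgs.jq}/bin/jq -s ".[1] * .[0]" ${cfg.secretConfig} ${mattermostConfJSON} > ${cfg.statePath}/config/config.json
-'')
-+ ''
-${pkgs.mattermost}/bin/mattermost config migrate ${cfg.statePath}/config/config.json ${database}
-'' + lib.optionalString cfg.mutableConfig ''
-if ! test -e "${cfg.statePath}/config/.initial-created"; then
-rm -f ${cfg.statePath}/config/config.json
-cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
-touch ${cfg.statePath}/config/.initial-created
-fi
-'' + lib.optionalString cfg.localDatabaseCreate ''
-if ! test -e "${cfg.statePath}/.db-created"; then
-${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
-${config.services.postgresql.package}/bin/psql postgres -c \
-"CREATE ROLE ${cfg.localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.localDatabasePassword}'"
-${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
-${config.services.postgresql.package}/bin/createdb \
---owner ${cfg.localDatabaseUser} ${cfg.localDatabaseName}
-touch ${cfg.statePath}/.db-created
-fi
-'' + ''
-chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}
-chmod u+rw,g+r,o-rwx -R ${cfg.statePath}
-'';
-
-serviceConfig = {
-PermissionsStartOnly = true;
-User = cfg.user;
-Group = cfg.group;
-ExecStart = "${pkgs.mattermost}/bin/mattermost" +
-(if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
-WorkingDirectory = "${cfg.statePath}";
-Restart = "always";
-RestartSec = "10";
-LimitNOFILE = "49152";
-};
-unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service";
-};
-})
-(mkIf cfg.matterircd.enable {
-systemd.services.matterircd = {
-description = "Mattermost IRC bridge service";
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-User = "nobody";
-Group = "nogroup";
-ExecStart = "${pkgs.matterircd}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}";
-WorkingDirectory = "/tmp";
-PrivateTmp = true;
-Restart = "always";
-RestartSec = "5";
-};
-};
-})
-];
-}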
@ -22,7 +22,6 @@ in {
|
||||||
users.users.root.hashedPassword = "";
|
users.users.root.hashedPassword = "";
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
../modules/mattermost.nix
|
|
||||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -35,16 +34,18 @@ in {
|
||||||
interface = "eth0";
|
interface = "eth0";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||||
|
"/persist/mattermost/secrets.env";
|
||||||
|
|
||||||
# couldn't figure out how to actually overwrite modules, so now
|
# couldn't figure out how to actually overwrite modules, so now
|
||||||
# there's two mattermost modules ...
|
# there's two mattermost modules ...
|
||||||
services.mattermost-patched = {
|
services.mattermost = {
|
||||||
enable = true;
|
enable = true;
|
||||||
siteUrl = "https://mattermost.infra4future.de";
|
siteUrl = "https://mattermost.infra4future.de";
|
||||||
siteName = "Mattermost for Future";
|
siteName = "Mattermost for Future";
|
||||||
listenAddress = "0.0.0.0:3000";
|
listenAddress = "0.0.0.0:3000";
|
||||||
mutableConfig = false;
|
mutableConfig = false;
|
||||||
|
|
||||||
secretConfig = "/persist/mattermost/secrets.json";
|
|
||||||
statePath = "/persist/mattermost";
|
statePath = "/persist/mattermost";
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
|
@ -86,6 +87,8 @@ in {
|
||||||
};
|
};
|
||||||
LogSettings = {
|
LogSettings = {
|
||||||
EnableConsole = true;
|
EnableConsole = true;
|
||||||
|
# note: for some reason this doesn't work (mattermost still sets it to DEBUG);
|
||||||
|
# it's also set in secrets.env, where for some reason it does
|
||||||
ConsoleLevel = "ERROR";
|
ConsoleLevel = "ERROR";
|
||||||
EnableDiagnostics = false;
|
EnableDiagnostics = false;
|
||||||
EnableWebhookDebugging = false;
|
EnableWebhookDebugging = false;
|
||||||
|
@ -122,6 +125,9 @@ in {
|
||||||
EnableSMTPAuth = true;
|
EnableSMTPAuth = true;
|
||||||
SMTPUsername = "noreply@infra4future.de";
|
SMTPUsername = "noreply@infra4future.de";
|
||||||
SMTPServer = "mail.hacc.space";
|
SMTPServer = "mail.hacc.space";
|
||||||
|
SMTPPort = 465;
|
||||||
|
SMTPServerTimeout = 10;
|
||||||
|
ConnectionSecurity = "TLS";
|
||||||
};
|
};
|
||||||
RateLimitSettings.Enable = false;
|
RateLimitSettings.Enable = false;
|
||||||
PrivacySettings = {
|
PrivacySettings = {
|
||||||
|
|
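Review bot: The new `EnvironmentFile = "/persist/mattermost/secrets.env";` in the second hunk points inside `statePath = "/persist/mattermost"`, and nothing in this commit sets that file's owner or mode; the module being deleted recursively chowned and chmodded the whole state path to the service user in its preStart, so if the upstream module does the same, the secrets file ends up readable by the mattermost account rather than only by root, which is the only reader it needs since systemd loads EnvironmentFile before dropping privileges. Keeping the file outside the state directory (or at least checking it is root-owned and mode 0600 after a rebuild) closes that gap. Because the file is not managed by Nix and systemd will not start the unit when a non-optional EnvironmentFile is missing, a comment next to the option would help, e.g. `# not managed by nix: must exist before first start and holds the Mattermost env overrides that used to live in secrets.json`. The removed `secretConfig = "/persist/mattermost/secrets.json";` only drops the option, the file itself stays on disk, so delete it once secrets.env is in place rather than keeping the same credentials in two places. The enclosing attribute set (`in {`) begins and ends outside these hunks.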