diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index e879b4c..dfd7b0f 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -2,13 +2,14 @@ { imports = [ - ../../common + ../../common ./hardware.nix modules.encboot modules.network.nftables modules.nftnat ((import sources.nix-hexchen) {}).profiles.nopersist ../../services/nextcloud + ../../services/mattermost.nix ]; hexchen.encboot = {
diff --git a/modules/mattermost.nix b/modules/mattermost.nix
index 0d35f08..de6ca00 100644
--- a/modules/mattermost.nix
+++ b/modules/mattermost.nix
@@ -16,8 +16,6 @@ let [ { ServiceSettings.SiteURL = cfg.siteUrl; ServiceSettings.ListenAddress = cfg.listenAddress; TeamSettings.SiteName = cfg.siteName; - SqlSettings.DriverName = "postgres"; - SqlSettings.DataSource = database; } cfg.extraConfig ];
diff --git a/nix/sources.json b/nix/sources.json
index b9026e0..0ae1fe7 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -11,10 +11,10 @@
 "homepage": "https://nix-community.github.io/home-manager/",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "9c0abed5228d54aad120b4bc757b6f5935aeda1c",
- "sha256": "05pfa26p9k1gpir9sniwg195cqqc9v6yp9b5f9hrjhlh3jm14bgq",
+ "rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef",
+ "sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400",
 "type": "tarball",
- "url": "https://github.com/nix-community/home-manager/archive/9c0abed5228d54aad120b4bc757b6f5935aeda1c.tar.gz",
+ "url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "mattermost-server": {
@@ -23,7 +23,7 @@
 "homepage": "https://mattermost.com",
 "owner": "mattermost",
 "repo": "mattermost-server",
- "rev": "37b1e6d048fc8302c727c3bc7ce73ac32c2ba93c",
+ "rev": "a5463c865195d0f286de63d57782ef997c270e93",
 "sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79",
 "type": "tarball",
 "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz",
@@ -80,10 +80,10 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "382039c05a16827a7f0731183e862366b66b422f",
- "sha256": "08mvanp4400zfz1knyxsjhkc7ryjlaa9awcg763ghj235wk6mlld",
+ "rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf",
+ "sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/382039c05a16827a7f0731183e862366b66b422f.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs-unstable": {
@@ -92,10 +92,10 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "8ecc61c91a596df7d3293603a9c2384190c1b89a",
- "sha256": "0vhajylsmipjkm5v44n2h0pglcmpvk4mkyvxp7qfvkjdxw21dyml",
+ "rev": "c464dc811babfe316ed4ab7bbc12351122e69dd7",
+ "sha256": "0aij4q6pc99xjqh0inv6z74wiqfdgxnbg7jli6gnjqxg2lcirrc2",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/8ecc61c91a596df7d3293603a9c2384190c1b89a.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/c464dc811babfe316ed4ab7bbc12351122e69dd7.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "pbb-nixfiles": {
diff --git a/services/mattermost.nix b/services/mattermost.nix
new file mode 100644
index 0000000..8a554e7
--- /dev/null
+++ b/services/mattermost.nix
@@ -0,0 +1,241 @@ +{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: + +{ + containers.mattermost = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.3"; + + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/mattermost"; + isReadOnly = false; + }; + }; + + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ + ../modules/mattermost.nix + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + + # couldn't figure out how to actually overwrite modules, so now + # there's two mattermost modules ... + services.mattermost-patched = { + enable = true; + siteUrl = "https://mattermost.infra4future.de"; + siteName = "Mattermost - Blabla for Future"; + listenAddress = "0.0.0.0:3000"; + mutableConfig = false; + + secretConfig = "/persist/mattermost/secrets.json"; + statePath = "/persist/mattermost"; + + extraConfig = { + ServiceSettings = { + TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ]; + ReadTimeout = 300; + WriteTimeout = 600; + IdleTimeout = 60; + MaximumLoginAttempts = 10; + AllowCorsFrom = "*.infra4future.de/*"; + WebserverMode = "gzip"; + EnableCustomEmoji = true; + EnableEmojiPicker = true; + EnableGifPicker = false; + RestrictCustomEmojiCreation = "all"; + RestrictPostDelete = "all"; + AllowEditPost = "always"; + PostEditTimeout = -1; + EnableTutorial = false; + ExperimentalChannelSidebarOrganization = "default_on"; + ExperimentalChannelOrganization = true; + ExperimentalDataPrefetch = true; + EnableEmailInvitations = true; + DisableLegacyMFA = true; + EnableSVGs = true; + EnableLaTeX = true; + ThreadAutoFollow = true; + 
EnableSecurityFixAlert = false; + }; + TeamSettings = { + EnableTeamCreation = true; + EnableUserCreation = true; + EnableOpenServer = false; + EnableUserDeactivation = true; + ExperimentalViewArchivedChannels = true; + ExperimentalEnableAutomaticReplies = true; + }; + LogSettings = { + EnableConsole = true; + ConsoleLevel = "ERROR"; + EnableDiagnostics = false; + EnableWebhookDebugging = false; + }; + NotificationLogSettings = { + EnableConsole = true; + ConsoleLevel = "INFO"; + }; + PasswordSettings = { + MinimumLength = 10; + # turn of all the bullshit requirements + Lowercase = false; + Number = false; + Uppercase = false; + Symbol = false; + }; + FileSettings = { + EnableFileAttachments = true; + MaxFileSize = 52428800; + DriverName = "local"; + Directory = "/persist/mattermost/upload-storage"; + EnablePublicLink = true; + PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu"; + }; + EmailSettings = { + EnableSignUpWithEmail = false; + EnableSignInWithEmail = false; + EnableSignInWithUsername = false; + SendEmailNotifications = true; + FeedbackName = "mattermost"; + FeedbackEmail = "mattermost@infra4future.de"; + ReplyToAddress = "mattermost@infra4future.de"; + FeedbackOrganization = "∆infra4future.de"; + EnableSMTPAuth = true; + SMTPUsername = "noreply@infra4future.de"; + SMTPServer = "mail.hacc.space"; + }; + RateLimitSettings.Enable = false; + PrivacySettings = { + ShowEmailAddress = false; + ShowFullName = true; + }; + SupportSettings = { + TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html"; + PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html"; + AboutLink = "https://infra4future.de"; + SupportEmail = "info@infra4future.de"; + CustomTermsOfServiceEnabled = false; + EnableAskCommunityLink = true; + }; + AnnouncementSettings.EnableBanner = false; + GitLabSettings = { + Enable = true; + Id = "mattermost"; + Scope = ""; + AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; + 
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; + UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; + }; + # for some reason, these don't appear to be working; the startup + # process complaines and sets these back to en + LocalizationSettings = { + DefaultServerLocale = "de"; + DefaultClientLocale = "de"; + AvailableLocales = "de,en"; + }; + MessageExportSettings.EnableExport = false; + # plugins appear to have trouble with the read-only filesystem; it may + # be necessary to manually change their paths etc. + PluginSettings = { + Enable = true; + EnableUploads = true; + Plugins = { + bigbluebutton = { + adminonly = false; + base_url = "https://bbb.infra4future.de/bigbluebutton/api"; + salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc"; + }; + "com.github.matterpoll.matterpoll" = { + experimentalui = true; + trigger = "poll"; + }; + }; + PluginStates = { + bigbluebutton.Enable = true; + "com.github.matterpoll.matterpoll".Enable = true; + }; + }; + ComplianceSettings.Enable = false; + ClusterSettings.Enable = false; + MetricsSettings.Enable = false; + GuestAccountsSettings.Enable = false; + # this is just the general allow-this-at-all switch; users + # still have to turn it on for themselves + FeatureFlags.CollapsedThreads = true; + }; + + # turn of the weirder parts of this module (which insist on passwords + # in nix files, instead of just using socket-based authentication) + # + # It will still attempt to use its default password, but postgres will + # just let it in regardless of that. + localDatabaseCreate = false; + }; + + services.mysql = { + enable = true; + ensureDatabases = [ "mattermost" ]; + ensureUsers = [ { + name = "mattermost"; + ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; }; + } ]; + package = pkgs.mysql80; + dataDir = "/persist/mysql"; + }; + + services.postgresql = { + enable = lib.mkForce true; # mattermost sets this to false. 
wtf. + ensureDatabases = [ "mattermost" ]; + ensureUsers = [ { + name = "mattermost"; + ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; }; + } ]; + + authentication = lib.mkForce '' + # Generated file; do not edit! + local all all trust + host mattermost mattermost ::1/128 trust + ''; + }; + + networking.firewall.allowedTCPPorts = [ 3000 ]; + + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."mattermost.infra4future.de" = { + locations."/" = { + proxyPass = "http://${config.containers.mattermost.localAddress}:3000"; + proxyWebsockets = true; + extraConfig = '' + # Mattermost CSR Patch + proxy_hide_header Content-Security-Policy; + proxy_hide_header X-Frame-Options; + proxy_redirect off; + ''; + }; + forceSSL = true; + enableACME = true; + }; +}
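Review bot: `PublicLinkSalt` under `FileSettings` and the bigbluebutton plugin `salt` under `PluginSettings.Plugins` are literal secrets inside `extraConfig`, so they end up in the world-readable Nix store and in git history, although this very block already points the module at `secretConfig = "/persist/mattermost/secrets.json"`; both belong in that file, and the committed values should be regarded as rotated. The container is also set up with `users.users.root.hashedPassword = "";` and a `services.postgresql.authentication` of `local all all trust`, which together let any process that gains a foothold in the container act as root and reach every database; a real password hash (or none at all, if console login is not needed) and a `local mattermost mattermost peer` rule keep the socket-based setup the comment asks for without the blanket trust, assuming the service runs as the `mattermost` user. `networking.firewall.enable = false;` near the top makes the later `networking.firewall.allowedTCPPorts = [ 3000 ];` a no-op, so one of the two lines should go. `services.mysql` with `mysql80` is enabled next to PostgreSQL while nothing in this file sets `SqlSettings`, so which backend Mattermost actually uses presumably depends on `secrets.json`; if MySQL is a leftover, dropping it removes a second database daemon and its data directory from the container. In the nginx block, `proxy_hide_header X-Frame-Options` and `proxy_hide_header Content-Security-Policy` remove the clickjacking and CSP protections Mattermost emits for every client; if an embed needs them relaxed, a CSP with an explicit `frame-ancestors` list is the narrower change.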