diff --git a/parsons/configuration.nix b/parsons/configuration.nix
index e7db340..1d047ca 100644
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@@ -20,6 +20,7 @@
 ./uffd.nix
 ./lxc.nix
 ./monit.nix
+ ./s4f-conference.nix
 ];
 
 hacc.bindToPersist = [ "/var/lib/acme" ];
diff --git a/parsons/s4f-conference.nix b/parsons/s4f-conference.nix
new file mode 100644
index 0000000..2d95021
--- /dev/null
+++ b/parsons/s4f-conference.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+{
+ sops.secrets = {
+ "s4f-conference/env" = {};
+ };
+
+ hacc.containers.s4f-conference = {
+ bindSecrets = true;
+
+ config = { config, lib, pkgs, ... }: {
+ systemd.services.mattermost.serviceConfig.EnvironmentFile =
+ lib.mkForce "/secrets/env";
+
+ services.mattermost = {
+ enable = true;
+ siteUrl = "https://s4f-conference.infra4future.de";
+ siteName = "Scientists for Future Chat";
+ listenAddress = "0.0.0.0:3000";
+ mutableConfig = false;
+
+ statePath = "/persist/mattermost";
+
+ extraConfig = {
+ ServiceSettings = {
+ TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+ EnableEmailInvitations = true;
+ };
+ TeamSettings = {
+ EnableUserCreation = true;
+ EnableUserDeactivation = true;
+ EnableOpenServer = false;
+ };
+ PasswordSettings = {
+ MinimumLength = 10;
+ };
+ FileSettings = {
+ EnableFileAttachments = true;
+ MaxFileSize = 52428800;
+ DriverName = "local";
+ Directory = "/persist/upload-storage";
+ EnablePublicLink = true;
+ PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+ };
+ EmailSettings = {
+ EnableSignUpWithEmail = true;
+ EnableSignInWithEmail = true;
+ EnableSignInWithUsername = true;
+ SendEmailNotifications = true;
+ FeedbackName = "mattermost";
+ FeedbackEmail = "mattermost@infra4future.de";
+ ReplyToAddress = "mattermost@infra4future.de";
+ FeedbackOrganization = "∆infra4future.de";
+ EnableSMTPAuth = true;
+ SMTPUsername = "noreply@infra4future.de";
+ SMTPServer = "mail.hacc.space";
+ SMTPPort = "465";
+ SMTPServerTimeout = 10;
+ ConnectionSecurity = "TLS";
+ };
+ RateLimitSettings.Enable = false;
+ PrivacySettings = {
+ ShowEmailAddress = false;
+ ShowFullName = true;
+ };
+ # to disable the extra landing page advertising the app
+ NativeAppSettings = {
+ AppDownloadLink = "";
+ AndroidAppDownloadLink = "";
+ IosAppDownloadLink = "";
+ };
+ LogSettings = {
+ EnableConsole = true;
+ ConsoleLevel = "ERROR";
+ EnableDiagnostics = false;
+ EnableWebhookDebugging = false;
+ };
+ SupportSettings = {
+ TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+ PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+ AboutLink = "https://infra4future.de";
+ SupportEmail = "info@infra4future.de";
+ CustomTermsOfServiceEnabled = false;
+ EnableAskCommunityLink = true;
+ };
+ AnnouncementSettings.EnableBanner = false;
+ ComplianceSettings.Enable = false;
+ ClusterSettings.Enable = false;
+ MetricsSettings.Enable = false;
+ GuestAccountsSettings.Enable = true;
+ };
+
+ localDatabaseCreate = false;
+ };
+
+ services.postgresql = {
+ enable = lib.mkForce true; # mattermost sets this to false. wtf.
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ "mattermost" ];
+ ensureUsers = [ {
+ name = "mattermost";
+ ensureDBOwnership = true;
+ } ];
+
+ authentication = lib.mkForce ''
+ # Generated file; do not edit!
+ local all all trust
+ host mattermost mattermost ::1/128 trust
+ '';
+ };
+ services.postgresqlBackup = {
+ enable = true;
+ databases = [ "mattermost" ];
+ startAt = "*-*-* 23:45:00";
+ location = "/persist/backups/postgres";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
+ locations."/" = {
+ proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ # Mattermost CSR Patch
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_redirect off;
+ '';
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index 6009879..f5234a7 100644
--- a/secrets.yaml
+++ b/secrets.yaml
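Review bot: `PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";` in FileSettings commits the salt Mattermost uses to sign public file links to the repository in plaintext, and with `mutableConfig = false` it is also rendered into the world-readable Nix store, while the service's other secrets already go through the sops-managed `/secrets/env`. Drop that line from extraConfig, put `MM_FILESETTINGS_PUBLICLINKSALT=<new value>` into the env file that `EnvironmentFile` already loads, and treat the committed value as burned by generating a fresh one (existing public links would be invalidated, which is harmless for a new deployment). Two smaller points in the same hunk: the forced pg_hba line `local all all trust` lets any unix user inside the container connect as any role including the postgres superuser, so `local mattermost mattermost peer` (binding the db role to the service's unix user) would be tighter if the unit only needs the socket or the `::1/128` line; and `proxy_hide_header X-Frame-Options` together with hiding `Content-Security-Policy` strips the anti-framing protection Mattermost ships, so unless those headers are known to break something the location should at least re-add `add_header X-Frame-Options SAMEORIGIN always;`.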
@@ -11,6 +11,8 @@ auamost:
 restic:
 s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
 system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
+s4f-conference:
+ env: ENC[AES256_GCM,data:e4Fuurb37YQvracqLA8Z1VQL5MpiARE35NKCNdLgyxyVNRm6zSATwyH8DvkST8zuYadAv9wOwjv5q9Xlv7CWBFPyMMjkrHPZORJI,iv:36EGmqqIpeNWylinu902MFU3MZf6sPRWvUrSl5usxHI=,tag:XxoTdq10zgr6xtMn4TYDOA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -98,8 +100,8 @@ sops:
 bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
 S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-01T01:20:25Z"
- mac: ENC[AES256_GCM,data:2fVIskFTMl1jefsa3A9fbBBUBK3Ni9XpUjLbwgewEUEKDhwzHY7vjlauzEVtcFJhYkorG/I/0YkPE6PjHta8Qk4mAOfXeVeLDrwH0dmIoPxw+J4kCgRNgNGdhkvmSUBQKwmhfvG3owZnGvq6JfcKZW8HodXyZ+GQQNknGzoX1wQ=,iv:fIXw7lsLwMHsNpZyv9nil7pdXrYNm18UV87KY0Z2zJ4=,tag:L/zymgljJWopKN1q7rpPhg==,type:str]
+ lastmodified: "2024-05-08T11:06:26Z"
+ mac: ENC[AES256_GCM,data:H18GHY66eYI8BfJNd1ybzTgrPoq+lGnSp1f+65/+cOOndgyzo9/XwgToB3tMMyJFIXbQ0li9zYIb0TMldSYsaXI1AixPqRh8UXwM5x7OBZCi3DFA+SLKhslO88Lw3abZ9IEkZgrnNjeLKKXxgZwPHEpmlkOS38rDYTFCToK5JVI=,iv:TKaay3eFIDGr++8F500n45BISH6LnhWQ1+x18HiXZD8=,tag:Zecr/XH6NfP8tOj4T9Fmqg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1