From d933a6ef982ccee068d92d9059ae3e32154890f8 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 8 May 2024 13:51:52 +0200
Subject: [PATCH] s4f-conference: another mattermost

this one's not connected to our SSO and intended for short-term use only, after which it will be deleted again. I've gone through at least some of mattermost's options to see how many of these are actually relevant anymore. Some can be left out. Unlike the other mattermost it also doesn't use any mysql.
---
 parsons/configuration.nix | 1 +
 parsons/s4f-conference.nix | 134 +++++++++++++++++++++++++++++++++++++
 secrets.yaml | 6 +-
 3 files changed, 139 insertions(+), 2 deletions(-)
 create mode 100644 parsons/s4f-conference.nix
diff --git a/parsons/configuration.nix b/parsons/configuration.nix
index e7db340..1d047ca 100644
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@@ -20,6 +20,7 @@
 ./uffd.nix
 ./lxc.nix
 ./monit.nix
+ ./s4f-conference.nix
 ];
 
 hacc.bindToPersist = [ "/var/lib/acme" ];
diff --git a/parsons/s4f-conference.nix b/parsons/s4f-conference.nix
new file mode 100644
index 0000000..2d95021
--- /dev/null
+++ b/parsons/s4f-conference.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+{
+ sops.secrets = {
+ "s4f-conference/env" = {};
+ };
+
+ hacc.containers.s4f-conference = {
+ bindSecrets = true;
+
+ config = { config, lib, pkgs, ... }: {
+ systemd.services.mattermost.serviceConfig.EnvironmentFile =
+ lib.mkForce "/secrets/env";
+
+ services.mattermost = {
+ enable = true;
+ siteUrl = "https://s4f-conference.infra4future.de";
+ siteName = "Scientists for Future Chat";
+ listenAddress = "0.0.0.0:3000";
+ mutableConfig = false;
+
+ statePath = "/persist/mattermost";
+
+ extraConfig = {
+ ServiceSettings = {
+ TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+ EnableEmailInvitations = true;
+ };
+ TeamSettings = {
+ EnableUserCreation = true;
+ EnableUserDeactivation = true;
+ EnableOpenServer = false;
+ };
+ PasswordSettings = {
+ MinimumLength = 10;
+ };
+ FileSettings = {
+ EnableFileAttachments = true;
+ MaxFileSize = 52428800;
+ DriverName = "local";
+ Directory = "/persist/upload-storage";
+ EnablePublicLink = true;
+ PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+ };
+ EmailSettings = {
+ EnableSignUpWithEmail = true;
+ EnableSignInWithEmail = true;
+ EnableSignInWithUsername = true;
+ SendEmailNotifications = true;
+ FeedbackName = "mattermost";
+ FeedbackEmail = "mattermost@infra4future.de";
+ ReplyToAddress = "mattermost@infra4future.de";
+ FeedbackOrganization = "∆infra4future.de";
+ EnableSMTPAuth = true;
+ SMTPUsername = "noreply@infra4future.de";
+ SMTPServer = "mail.hacc.space";
+ SMTPPort = "465";
+ SMTPServerTimeout = 10;
+ ConnectionSecurity = "TLS";
+ };
+ RateLimitSettings.Enable = false;
+ PrivacySettings = {
+ ShowEmailAddress = false;
+ ShowFullName = true;
+ };
+ # to disable the extra landing page advertising the app
+ NativeAppSettings = {
+ AppDownloadLink = "";
+ AndroidAppDownloadLink = "";
+ IosAppDownloadLink = "";
+ };
+ LogSettings = {
+ EnableConsole = true;
+ ConsoleLevel = "ERROR";
+ EnableDiagnostics = false;
+ EnableWebhookDebugging = false;
+ };
+ SupportSettings = {
+ TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+ PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+ AboutLink = "https://infra4future.de";
+ SupportEmail = "info@infra4future.de";
+ CustomTermsOfServiceEnabled = false;
+ EnableAskCommunityLink = true;
+ };
+ AnnouncementSettings.EnableBanner = false;
+ ComplianceSettings.Enable = false;
+ ClusterSettings.Enable = false;
+ MetricsSettings.Enable = false;
+ GuestAccountsSettings.Enable = true;
+ };
+
+ localDatabaseCreate = false;
+ };
+
+ services.postgresql = {
+ enable = lib.mkForce true; # mattermost sets this to false. wtf.
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ "mattermost" ];
+ ensureUsers = [ {
+ name = "mattermost";
+ ensureDBOwnership = true;
+ } ];
+
+ authentication = lib.mkForce ''
+ # Generated file; do not edit!
+ local all all trust
+ host mattermost mattermost ::1/128 trust
+ '';
+ };
+ services.postgresqlBackup = {
+ enable = true;
+ databases = [ "mattermost" ];
+ startAt = "*-*-* 23:45:00";
+ location = "/persist/backups/postgres";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
+ locations."/" = {
+ proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ # Mattermost CSR Patch
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_redirect off;
+ '';
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index 6009879..f5234a7
--- a/secrets.yaml
+++ b/secrets.yaml
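Review bot: `PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu"` under FileSettings commits a live secret to the repository, and with `mutableConfig = false` the NixOS module very likely renders `extraConfig` into the world-readable Nix store as well; since `EnablePublicLink = true`, anyone holding the salt can mint public links to any uploaded file. Move it into the sops-encrypted `/secrets/env` (Mattermost reads `MM_FILESETTINGS_PUBLICLINKSALT` from the environment) and rotate the value, as it is already in git history. The postgres `authentication` block's `local all all trust` lets any process inside the container connect as the database superuser; `local all all peer` is tighter, but I cannot see the DSN in the env file, so confirm how mattermost connects before changing it. The nginx block also hides `X-Frame-Options` and `Content-Security-Policy` on every response, which drops clickjacking protection site-wide; if the "CSR patch" is really needed, scope the `proxy_hide_header` lines to the affected route or re-add `add_header X-Frame-Options SAMEORIGIN always;` after them.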
@@ -11,6 +11,8 @@ auamost: restic: s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str] system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str] +s4f-conference: + env: ENC[AES256_GCM,data:e4Fuurb37YQvracqLA8Z1VQL5MpiARE35NKCNdLgyxyVNRm6zSATwyH8DvkST8zuYadAv9wOwjv5q9Xlv7CWBFPyMMjkrHPZORJI,iv:36EGmqqIpeNWylinu902MFU3MZf6sPRWvUrSl5usxHI=,tag:XxoTdq10zgr6xtMn4TYDOA==,type:str] sops: kms: [] gcp_kms: [] @@ -98,8 +100,8 @@ sops: bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T01:20:25Z" - mac: ENC[AES256_GCM,data:2fVIskFTMl1jefsa3A9fbBBUBK3Ni9XpUjLbwgewEUEKDhwzHY7vjlauzEVtcFJhYkorG/I/0YkPE6PjHta8Qk4mAOfXeVeLDrwH0dmIoPxw+J4kCgRNgNGdhkvmSUBQKwmhfvG3owZnGvq6JfcKZW8HodXyZ+GQQNknGzoX1wQ=,iv:fIXw7lsLwMHsNpZyv9nil7pdXrYNm18UV87KY0Z2zJ4=,tag:L/zymgljJWopKN1q7rpPhg==,type:str] + lastmodified: "2024-05-08T11:06:26Z" + mac: ENC[AES256_GCM,data:H18GHY66eYI8BfJNd1ybzTgrPoq+lGnSp1f+65/+cOOndgyzo9/XwgToB3tMMyJFIXbQ0li9zYIb0TMldSYsaXI1AixPqRh8UXwM5x7OBZCi3DFA+SLKhslO88Lw3abZ9IEkZgrnNjeLKKXxgZwPHEpmlkOS38rDYTFCToK5JVI=,iv:TKaay3eFIDGr++8F500n45BISH6LnhWQ1+x18HiXZD8=,tag:Zecr/XH6NfP8tOj4T9Fmqg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1