stuebinm
69f5448aa3
Among other things, this contains the "collapsible reply threads" feature, which makes it behave similarly to Slack. Also, after spending thirty minutes or so attempting to teach niv that it should really only fetch the tag "5.37.0" from the mattermost-server repository and not any other commit, branch, or similar (there is a "release-5.37" branch, but that seems to be for active development), I have temporarily given up on it and typed in the URLs manually. Unfortunately, this means that any kind of `niv update` will now break things. If anyone knows how to use niv correctly for this, please patch this; otherwise I guess we can extract mattermost out from niv again.
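# NixOS module for the Mattermost beta instance.
#
# It declares a declarative container ("mattermost") on a private veth
# network that runs the patched Mattermost module together with its own
# PostgreSQL and CoreDNS, an nginx virtual host on the host that terminates
# TLS and proxies to the container, and NAT so the container can reach the
# outside world.
{config, pkgs, lib, ...}:

{
  containers.mattermost = {
    autoStart = true;
    # Container gets its own network namespace; the host end of the veth
    # pair is hostAddress, the container end is localAddress.
    privateNetwork = true;
    hostAddress = "192.168.100.30";
    localAddress = "192.168.100.31";

    # The host directory is exposed read-only inside the container as
    # /secrets; secretConfig below reads /secrets/secrets.json from it.
    # NOTE(review): the whole host directory is mounted, not only the
    # secrets file, so everything stored under it is readable in the
    # container.
    bindMounts."/secrets" = {
      hostPath = "/var/lib/mattermost/";
      isReadOnly = true;
    };

    # `config` and `pkgs` here are the container's own module arguments and
    # shadow the host-level ones for the rest of this function body.
    config = {pkgs, config, ...}: {

      # have to import these here, since containers don't
      # inherit imports of their environment.
      imports = [ ../../../modules/mattermost.nix ];
      # NOTE(review): this switches the container's firewall off entirely,
      # so the allowedTCPPorts entry further down has no effect and every
      # port a service binds on a non-loopback address (Mattermost on 3000,
      # CoreDNS on 53) is reachable by anything that can route to
      # localAddress. Consider enabling the firewall and keeping only 3000.
      networking.firewall.enable = false;

      # couldn't figure out how to actually overwrite modules, so now
      # there's two mattermost modules ...
      services.mattermost-patched = {
        enable = true;
        siteUrl = "https://mattermost-beta.infra4future.de";
        siteName = "Mattermost - Blabla for Future";
        # Plain HTTP on all container interfaces; TLS is terminated by the
        # host's nginx virtual host at the bottom of this file.
        listenAddress = "0.0.0.0:3000";
        mutableConfig = false;

        # Secret values are expected to live in this file (outside the
        # repository) rather than in extraConfig.
        secretConfig = "/secrets/secrets.json";

        extraConfig = {
          ServiceSettings = {
            # Mattermost takes the client IP from these headers. That is
            # only trustworthy if every request arrives through the proxy
            # and the proxy overwrites client-supplied values.
            # NOTE(review): the nginx vhost below sets no headers itself;
            # confirm the global nginx config does (and that port 3000 is
            # not reachable except from the proxy).
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            ReadTimeout = 300;
            WriteTimeout = 600;
            IdleTimeout = 60;
            MaximumLoginAttempts = 10;
            # NOTE(review): an Origin header carries scheme, host and port
            # but no path, so it is worth verifying which origins this
            # pattern actually matches before relying on it as a CORS
            # allow-list.
            AllowCorsFrom = "*.infra4future.de/*";
            WebserverMode = "gzip";
            EnableCustomEmoji = true;
            EnableEmojiPicker = true;
            EnableGifPicker = false;
            RestrictCustomEmojiCreation = "all";
            RestrictPostDelete = "all";
            AllowEditPost = "always";
            PostEditTimeout = -1;
            EnableTutorial = false;
            ExperimentalChannelSidebarOrganization = "default_on";
            ExperimentalChannelOrganization = true;
            ExperimentalDataPrefetch = true;
            EnableEmailInvitations = true;
            DisableLegacyMFA = true;
            # NOTE(review): Mattermost's documentation advises against
            # enabling SVG and LaTeX rendering where not all users are
            # trusted; keep these only if that holds for this server.
            EnableSVGs = true;
            EnableLaTeX = true;
            ThreadAutoFollow = true;
            # The built-in security-fix alert to admins is off, so security
            # releases need to be tracked by other means.
            EnableSecurityFixAlert = false;
          };
          TeamSettings = {
            EnableTeamCreation = true;
            EnableUserCreation = true;
            EnableOpenServer = false;
            EnableUserDeactivation = true;
            ExperimentalViewArchivedChannels = true;
            ExperimentalEnableAutomaticReplies = true;
          };
          LogSettings = {
            EnableConsole = true;
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };
          NotificationLogSettings = {
            EnableConsole = true;
            ConsoleLevel = "INFO";
          };
          # Length-only policy. With email and username sign-in disabled in
          # EmailSettings below, this presumably only matters for accounts
          # that still have a local password.
          PasswordSettings = {
            MinimumLength = 10;
            # turn off all the bullshit requirements
            Lowercase = false;
            Number = false;
            Uppercase = false;
            Symbol = false;
          };
          FileSettings = {
            EnableFileAttachments = true;
            MaxFileSize = 52428800; # 50 MiB
            DriverName = "local";
            # Path inside the container (not the host directory that is
            # bind-mounted at /secrets).
            Directory = "/var/lib/mattermost/uploads-storage";
            EnablePublicLink = true;
            # NOTE(review): this salt is used to sign public file links and
            # is committed here in clear text. It should be treated as a
            # secret: rotate it and supply it through secretConfig instead,
            # assuming the patched module merges that file over extraConfig.
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };
          # Local sign-up/sign-in is disabled; login is delegated to the
          # OpenID Connect endpoints configured under GitLabSettings.
          EmailSettings = {
            EnableSignUpWithEmail = false;
            EnableSignInWithEmail = false;
            EnableSignInWithUsername = false;
            SendEmailNotifications = true;
            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            FeedbackOrganization = "∆infra4future.de";
            # No SMTP password or ConnectionSecurity is set in this file.
            # NOTE(review): confirm both come from secretConfig and that
            # the SMTP session uses TLS or STARTTLS, so the credentials are
            # not sent in clear.
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
          };
          # NOTE(review): API rate limiting is off and the nginx vhost
          # below defines none either; consider limiting at one of the two.
          RateLimitSettings.Enable = false;
          PrivacySettings = {
            ShowEmailAddress = false;
            ShowFullName = true;
          };
          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };
          AnnouncementSettings.EnableBanner = false;
          # The GitLab SSO slot is pointed at the OpenID Connect endpoints
          # on auth.infra4future.de. The client secret is not set here and
          # is presumably provided via secretConfig.
          GitLabSettings = {
            Enable = true;
            Id = "mattermost-beta";
            Scope = "";
            AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
            TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
            UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
          };
          # for some reason, these don't appear to be working; the startup
          # process complains and sets these back to en
          LocalizationSettings = {
            DefaultServerLocale = "de";
            DefaultClientLocale = "de";
            AvailableLocales = "de,en";
          };
          MessageExportSettings.EnableExport = false;
          # plugins appear to have trouble with the read-only filesystem; it may
          # be necessary to manually change their paths etc.
          PluginSettings = {
            Enable = true;
            # Plugin uploads let system admins install plugin bundles, and
            # plugins run as server-side code with the privileges of the
            # Mattermost process. Turn this off if plugins are only ever
            # deployed through this configuration.
            EnableUploads = true;
            Plugins = {
              bigbluebutton = {
                adminonly = false;
                base_url = "https://bbb.infra4future.de/bigbluebutton/api";
                # NOTE(review): this appears to be the shared secret for
                # the BigBlueButton API and is committed in clear text.
                # Rotate it on the BigBlueButton side and move it out of
                # the repository (e.g. into the secretConfig file).
                salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
              };
              "com.github.matterpoll.matterpoll" = {
                experimentalui = true;
                trigger = "poll";
              };
            };
            PluginStates = {
              bigbluebutton.Enable = true;
              "com.github.matterpoll.matterpoll".Enable = true;
            };
          };
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = false;
          # this is just the general allow-this-at-all switch; users
          # still have to turn it on for themselves
          FeatureFlags.CollapsedThreads = true;
        };

        # turn off the weirder parts of this module (which insist on passwords
        # in nix files, instead of just using socket-based authentication)
        #
        # It will still attempt to use its default password, but postgres will
        # just let it in regardless of that.
        localDatabaseCreate = false;
      };

      services.postgresql = {
        enable = lib.mkForce true; # mattermost sets this to false. wtf.
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ {
          name = "mattermost";
          ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
        } ];

        # Replaces the generated pg_hba.conf completely (mkForce).
        #   - "local all all trust": any process in the container can
        #     connect over the unix socket as any role, including the
        #     database superuser, without a password.
        #   - "host ... ::1/128 trust": password-less TCP access from the
        #     IPv6 loopback to database "mattermost" as role "mattermost".
        # This keeps passwords out of the Nix files, but it makes the
        # container boundary the only protection for the database; plugin
        # code running inside the container gets the same access.
        # NOTE(review): a narrower rule set (peer authentication for the
        # superuser, trust limited to the mattermost role and database)
        # would keep the password-free setup without granting every local
        # process superuser access. Not changed here because it needs to
        # be tested against how the ensure* scripts connect.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all trust
          host mattermost mattermost ::1/128 trust
        '';
      };

      # Has no effect while networking.firewall.enable is false above.
      networking.firewall.allowedTCPPorts = [ 3000 ];

      # Resolver inside the container: forwards every query to 1.1.1.1 over
      # plain DNS. The ".:53" server block has no bind restriction, so with
      # the firewall off it presumably also answers on localAddress, not
      # only on loopback.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };

  # Host-side reverse proxy: HTTPS (ACME certificate, HTTP redirected to
  # HTTPS) in front of the container's plain-HTTP listener. `config` here is
  # the host's configuration again.
  # NOTE(review): no request body limit or proxy headers are set in this
  # vhost. Unless they are configured globally, nginx's default body size
  # limit is far below the 50 MiB MaxFileSize above, and the headers named
  # in TrustedProxyIPHeader depend on the global proxy settings.
  services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
    locations."/" = {
      proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
      proxyWebsockets = true;
    };
    forceSSL = true;
    enableACME = true;
  };

  # Outbound NAT for the container's veth interface via the host's external
  # interface (the container needs it for SMTP, SSO and DNS forwarding).
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-mattermost" ];
    externalInterface = "enp6s0";
  };

}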