{ pkgs, lib, ... }:
let
  hostAddress = "192.168.100.20";
  containerAddress = "192.168.100.21";

  # Ports on which the host receives logs from the container:
  # 11201 (journal -> GELF), 12304 (nginx access syslog), 12305 (nginx error syslog).
  logPorts = [ 11201 12304 12305 ];

  # Writable bind mount of a host directory into the container.
  # The host directory is not created by this module; it has to exist beforehand.
  writableMount = hostPath: mountPoint: {
    inherit hostPath mountPoint;
    isReadOnly = false;
  };
in {
  # Both persistent directories live under /home/mattermost on the host, so a
  # single restic entry covers the mattermost data and the postgres data.
  backup.all.restic.dirs = [ "/home/mattermost" ];

  containers.mattermost = {
    bindMounts = {
      home = writableMount "/home/mattermost/home" "/var/lib/mattermost";
      db = writableMount "/home/mattermost/db" "/var/lib/postgresql";
    };

    # Own network namespace on a veth pair; outbound traffic leaves through the
    # host NAT configured further down.
    privateNetwork = true;
    inherit hostAddress;
    localAddress = containerAddress;
    autoStart = true;

    config = { config, pkgs, lib, ... }: {
      imports = [ <modules> <krops-lib> ];

      # nginx settings for the container. services.nginx.enable is not set in
      # this file, so these only matter if something imported enables nginx.
      services.nginx = {
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;

        # Structured (JSON, escape=json) access/error logs shipped to graylog on
        # the host over syslog.
        commonHttpConfig = let
          accessLogSink = "${hostAddress}:12304";
          errorLogSink = "${hostAddress}:12305";
        in ''
          log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
          '"facility": "nginx", '
          '"remote_addr": "$remote_addr", '
          '"body_bytes_sent": $body_bytes_sent, '
          '"request_time": $request_time, '
          '"response_status": $status, '
          '"request": "$request", '
          '"request_method": "$request_method", '
          '"host": "$host",'
          '"upstream_cache_status": "$upstream_cache_status",'
          '"upstream_addr": "$upstream_addr",'
          '"http_x_forwarded_for": "$http_x_forwarded_for",'
          '"http_referrer": "$http_referer", '
          '"http_user_agent": "$http_user_agent" }';
          access_log syslog:server=${accessLogSink} graylog2_json;
          error_log syslog:server=${errorLogSink};
        '';
      };

      # 8065: mattermost HTTP (proxied from the host); 6667: matterircd.
      networking.firewall = {
        allowedTCPPorts = [ 8065 6667 ];
        allowedUDPPorts = [ 8065 ];
      };

      services.mattermost = {
        enable = true;
        siteUrl = "https://chat.ingolf-wagner.de";
        localDatabaseName = "chat";
        localDatabaseUser = "chatty";
        listenAddress = ":8065";

        # IRC bridge. It binds on every container address, but this file does
        # not forward 6667 from the host, so it is only reachable by whatever
        # can route to the container address directly.
        matterircd = {
          enable = true;
          parameters = [
            "-mmserver chat.ingolf-wagner.de"
            "-restrict chat.ingolf-wagner.de"
            "-bind [::]:6667"
          ];
        };
      };

      # Journal -> GELF to the host. The sink is reached over the plain veth
      # link; use tinc or wireguard if the graylog host is not the container host.
      services.SystemdJournal2Gelf = {
        enable = true;
        graylogServer = "${hostAddress}:11201";
      };
    };
  };

  # Give the container internet access. The external interface name is fixed
  # to eth0 here.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-mattermost" ];
    externalInterface = "eth0";
  };

  # Keep networkmanager away from the container veth interfaces.
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # The log sinks are opened only on the container-facing interface, not on
  # the external one.
  networking.firewall.interfaces."ve-mattermost" = {
    allowedTCPPorts = logPorts;
    allowedUDPPorts = logPorts;
  };

  # Host-side reverse proxy in front of the container. No TLS options appear
  # in this vhost although siteUrl is https; presumably terminated elsewhere
  # (confirm before relying on it).
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."chat.workhorse.private" = {
      serverAliases = [ "chat.ingolf-wagner.de" ];
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "http://${containerAddress}:8065";
      };
    };
  };
}