133 lines
3.8 KiB
Nix
133 lines
3.8 KiB
Nix
{ pkgs, lib, ... }:
|
|
let
|
|
|
|
hostAddress = "192.168.100.20";
|
|
containerAddress = "192.168.100.21";
|
|
|
|
in {
|
|
|
|
# backup mattermost
|
|
backup.all.restic.dirs = [ "/home/mattermost" ];
|
|
|
|
containers.mattermost = {
|
|
|
|
# mount host folders
|
|
bindMounts = {
|
|
home = {
|
|
# make sure this folder exist on the host
|
|
hostPath = toString "/home/mattermost/home";
|
|
mountPoint = "/var/lib/mattermost";
|
|
isReadOnly = false;
|
|
};
|
|
db = {
|
|
# make sure this folder exist on the host
|
|
hostPath = toString "/home/mattermost/db";
|
|
mountPoint = "/var/lib/postgresql";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
|
|
# container network setup
|
|
# see also nating on host system.
|
|
privateNetwork = true;
|
|
hostAddress = hostAddress;
|
|
localAddress = containerAddress;
|
|
|
|
autoStart = true;
|
|
|
|
config = { config, pkgs, lib, ... }: {
|
|
|
|
imports = [ <modules> <krops-lib> ];
|
|
|
|
services.nginx = {
|
|
|
|
# Use recommended settings
|
|
recommendedGzipSettings = lib.mkDefault true;
|
|
recommendedOptimisation = lib.mkDefault true;
|
|
recommendedProxySettings = lib.mkDefault true;
|
|
recommendedTlsSettings = lib.mkDefault true;
|
|
|
|
# for graylog logging
|
|
commonHttpConfig = let
|
|
access_log_sink = "${hostAddress}:12304";
|
|
error_log_sink = "${hostAddress}:12305";
|
|
in ''
|
|
log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
|
|
'"facility": "nginx", '
|
|
'"src_addr": "$remote_addr", '
|
|
'"body_bytes_sent": $body_bytes_sent, '
|
|
'"request_time": $request_time, '
|
|
'"response_status": $status, '
|
|
'"request": "$request", '
|
|
'"request_method": "$request_method", '
|
|
'"host": "$host",'
|
|
'"upstream_cache_status": "$upstream_cache_status",'
|
|
'"upstream_addr": "$upstream_addr",'
|
|
'"http_x_forwarded_for": "$http_x_forwarded_for",'
|
|
'"http_referrer": "$http_referer", '
|
|
'"http_user_agent": "$http_user_agent" }';
|
|
|
|
access_log syslog:server=${access_log_sink} graylog2_json;
|
|
error_log syslog:server=${error_log_sink};
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 8065 6667 ];
|
|
networking.firewall.allowedUDPPorts = [ 8065 ];
|
|
|
|
# setup matter most
|
|
services.mattermost = {
|
|
enable = true;
|
|
siteUrl = "https://chat.ingolf-wagner.de";
|
|
localDatabaseName = "chat";
|
|
localDatabaseUser = "chatty";
|
|
listenAddress = ":8065";
|
|
|
|
matterircd = {
|
|
enable = true;
|
|
parameters = [
|
|
"-mmserver chat.ingolf-wagner.de"
|
|
"-restrict chat.ingolf-wagner.de"
|
|
"-bind [::]:6667"
|
|
];
|
|
};
|
|
};
|
|
|
|
# send log to host systems graylog (use tinc or wireguard if host is not graylog)
|
|
services.SystemdJournal2Gelf.enable = true;
|
|
services.SystemdJournal2Gelf.graylogServer = "${hostAddress}:11201";
|
|
|
|
};
|
|
};
|
|
|
|
# give containers internet access
|
|
networking.nat.enable = true;
|
|
networking.nat.internalInterfaces = [ "ve-mattermost" ];
|
|
networking.nat.externalInterface = "eth0";
|
|
|
|
# don't let networkmanager manger container network
|
|
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
|
|
|
|
# open ports for logging
|
|
networking.firewall.interfaces."ve-mattermost".allowedTCPPorts =
|
|
[ 11201 12304 12305 ];
|
|
networking.firewall.interfaces."ve-mattermost".allowedUDPPorts =
|
|
[ 11201 12304 12305 ];
|
|
|
|
# host nginx setup
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
virtualHosts = {
|
|
"chat.workhorse.private" = {
|
|
serverAliases = [ "chat.ingolf-wagner.de" ];
|
|
locations."/" = {
|
|
proxyWebsockets = true;
|
|
proxyPass = "http://${containerAddress}:8065";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
}
|
|
|