nixpkgs/nixos/modules/services/web-apps/mattermost.nix
stuebinm c29ca6704d mattermost: add environmentFile option to allow declarative secrets
This adds an option `services.mattermost.environmentFile`, intended to be
useful especially when `services.mattermost.mutableConfig` is set to `false`.
Since all mattermost configuration options can also be set by environment
variables, this allows managing secret configuration values in a declarative
manner without placing them in the nix store.
2023-03-27 20:46:01 +02:00

361 lines
12 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.mattermost;
database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10";
postgresPackage = config.services.postgresql.package;
createDb = {
statePath ? cfg.statePath,
localDatabaseUser ? cfg.localDatabaseUser,
localDatabasePassword ? cfg.localDatabasePassword,
localDatabaseName ? cfg.localDatabaseName,
useSudo ? true
}: ''
if ! test -e ${escapeShellArg "${statePath}/.db-created"}; then
${lib.optionalString useSudo "${pkgs.sudo}/bin/sudo -u ${escapeShellArg config.services.postgresql.superUser} \\"}
${postgresPackage}/bin/psql postgres -c \
"CREATE ROLE ${localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${localDatabasePassword}'"
${lib.optionalString useSudo "${pkgs.sudo}/bin/sudo -u ${escapeShellArg config.services.postgresql.superUser} \\"}
${postgresPackage}/bin/createdb \
--owner ${escapeShellArg localDatabaseUser} ${escapeShellArg localDatabaseName}
touch ${escapeShellArg "${statePath}/.db-created"}
fi
'';
mattermostPluginDerivations = with pkgs;
map (plugin: stdenv.mkDerivation {
name = "mattermost-plugin";
installPhase = ''
mkdir -p $out/share
cp ${plugin} $out/share/plugin.tar.gz
'';
dontUnpack = true;
dontPatch = true;
dontConfigure = true;
dontBuild = true;
preferLocalBuild = true;
}) cfg.plugins;
mattermostPlugins = with pkgs;
if mattermostPluginDerivations == [] then null
else stdenv.mkDerivation {
name = "${cfg.package.name}-plugins";
nativeBuildInputs = [
autoPatchelfHook
] ++ mattermostPluginDerivations;
buildInputs = [
cfg.package
];
installPhase = ''
mkdir -p $out/data/plugins
plugins=(${escapeShellArgs (map (plugin: "${plugin}/share/plugin.tar.gz") mattermostPluginDerivations)})
for plugin in "''${plugins[@]}"; do
hash="$(sha256sum "$plugin" | cut -d' ' -f1)"
mkdir -p "$hash"
tar -C "$hash" -xzf "$plugin"
autoPatchelf "$hash"
GZIP_OPT=-9 tar -C "$hash" -cvzf "$out/data/plugins/$hash.tar.gz" .
rm -rf "$hash"
done
'';
dontUnpack = true;
dontPatch = true;
dontConfigure = true;
dontBuild = true;
preferLocalBuild = true;
};
mattermostConfWithoutPlugins = recursiveUpdate
{ ServiceSettings.SiteURL = cfg.siteUrl;
ServiceSettings.ListenAddress = cfg.listenAddress;
TeamSettings.SiteName = cfg.siteName;
SqlSettings.DriverName = "postgres";
SqlSettings.DataSource = database;
PluginSettings.Directory = "${cfg.statePath}/plugins/server";
PluginSettings.ClientDirectory = "${cfg.statePath}/plugins/client";
}
cfg.extraConfig;
mattermostConf = recursiveUpdate
mattermostConfWithoutPlugins
(
if mattermostPlugins == null then {}
else {
PluginSettings = {
Enable = true;
};
}
);
mattermostConfJSON = pkgs.writeText "mattermost-config.json" (builtins.toJSON mattermostConf);
in
{
options = {
services.mattermost = {
enable = mkEnableOption (lib.mdDoc "Mattermost chat server");
package = mkOption {
type = types.package;
default = pkgs.mattermost;
defaultText = lib.literalExpression "pkgs.mattermost";
description = lib.mdDoc "Mattermost derivation to use.";
};
statePath = mkOption {
type = types.str;
default = "/var/lib/mattermost";
description = lib.mdDoc "Mattermost working directory";
};
siteUrl = mkOption {
type = types.str;
example = "https://chat.example.com";
description = lib.mdDoc ''
URL this Mattermost instance is reachable under, without trailing slash.
'';
};
siteName = mkOption {
type = types.str;
default = "Mattermost";
description = lib.mdDoc "Name of this Mattermost site.";
};
listenAddress = mkOption {
type = types.str;
default = ":8065";
example = "[::1]:8065";
description = lib.mdDoc ''
Address and port this Mattermost instance listens to.
'';
};
mutableConfig = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether the Mattermost config.json is writeable by Mattermost.
Most of the settings can be edited in the system console of
Mattermost if this option is enabled. A template config using
the options specified in services.mattermost will be generated
but won't be overwritten on changes or rebuilds.
If this option is disabled, changes in the system console won't
be possible (default). If an config.json is present, it will be
overwritten!
'';
};
preferNixConfig = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If both mutableConfig and this option are set, the Nix configuration
will take precedence over any settings configured in the server
console.
'';
};
extraConfig = mkOption {
type = types.attrs;
default = { };
description = lib.mdDoc ''
Additional configuration options as Nix attribute set in config.json schema.
'';
};
plugins = mkOption {
type = types.listOf (types.oneOf [types.path types.package]);
default = [];
example = "[ ./com.github.moussetc.mattermost.plugin.giphy-2.0.0.tar.gz ]";
description = lib.mdDoc ''
Plugins to add to the configuration. Overrides any installed if non-null.
This is a list of paths to .tar.gz files or derivations evaluating to
.tar.gz files.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
Environment file (see {manpage}`systemd.exec(5)`
"EnvironmentFile=" section for the syntax) which sets config options
for mattermost (see [the mattermost documentation](https://docs.mattermost.com/configure/configuration-settings.html#environment-variables)).
Settings defined in the environment file will overwrite settings
set via nix or via the {option}`services.mattermost.extraConfig`
option.
Useful for setting config options without their value ending up in the
(world-readable) nix store, e.g. for a database password.
'';
};
localDatabaseCreate = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Create a local PostgreSQL database for Mattermost automatically.
'';
};
localDatabaseName = mkOption {
type = types.str;
default = "mattermost";
description = lib.mdDoc ''
Local Mattermost database name.
'';
};
localDatabaseUser = mkOption {
type = types.str;
default = "mattermost";
description = lib.mdDoc ''
Local Mattermost database username.
'';
};
localDatabasePassword = mkOption {
type = types.str;
default = "mmpgsecret";
description = lib.mdDoc ''
Password for local Mattermost database user.
'';
};
user = mkOption {
type = types.str;
default = "mattermost";
description = lib.mdDoc ''
User which runs the Mattermost service.
'';
};
group = mkOption {
type = types.str;
default = "mattermost";
description = lib.mdDoc ''
Group which runs the Mattermost service.
'';
};
matterircd = {
enable = mkEnableOption (lib.mdDoc "Mattermost IRC bridge");
package = mkOption {
type = types.package;
default = pkgs.matterircd;
defaultText = lib.literalExpression "pkgs.matterircd";
description = lib.mdDoc "matterircd derivation to use.";
};
parameters = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "-mmserver chat.example.com" "-bind [::]:6667" ];
description = lib.mdDoc ''
Set commandline parameters to pass to matterircd. See
https://github.com/42wim/matterircd#usage for more information.
'';
};
};
};
};
config = mkMerge [
(mkIf cfg.enable {
users.users = optionalAttrs (cfg.user == "mattermost") {
mattermost = {
group = cfg.group;
uid = config.ids.uids.mattermost;
home = cfg.statePath;
};
};
users.groups = optionalAttrs (cfg.group == "mattermost") {
mattermost.gid = config.ids.gids.mattermost;
};
services.postgresql.enable = cfg.localDatabaseCreate;
# The systemd service will fail to execute the preStart hook
# if the WorkingDirectory does not exist
system.activationScripts.mattermost = ''
mkdir -p "${cfg.statePath}"
'';
systemd.services.mattermost = {
description = "Mattermost chat service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" ];
preStart = ''
mkdir -p "${cfg.statePath}"/{data,config,logs,plugins}
mkdir -p "${cfg.statePath}/plugins"/{client,server}
ln -sf ${cfg.package}/{bin,fonts,i18n,templates,client} "${cfg.statePath}"
'' + lib.optionalString (mattermostPlugins != null) ''
rm -rf "${cfg.statePath}/data/plugins"
ln -sf ${mattermostPlugins}/data/plugins "${cfg.statePath}/data"
'' + lib.optionalString (!cfg.mutableConfig) ''
rm -f "${cfg.statePath}/config/config.json"
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${cfg.package}/config/config.json ${mattermostConfJSON} > "${cfg.statePath}/config/config.json"
'' + lib.optionalString cfg.mutableConfig ''
if ! test -e "${cfg.statePath}/config/.initial-created"; then
rm -f ${cfg.statePath}/config/config.json
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${cfg.package}/config/config.json ${mattermostConfJSON} > "${cfg.statePath}/config/config.json"
touch "${cfg.statePath}/config/.initial-created"
fi
'' + lib.optionalString (cfg.mutableConfig && cfg.preferNixConfig) ''
new_config="$(${pkgs.jq}/bin/jq -s '.[0] * .[1]' "${cfg.statePath}/config/config.json" ${mattermostConfJSON})"
rm -f "${cfg.statePath}/config/config.json"
echo "$new_config" > "${cfg.statePath}/config/config.json"
'' + lib.optionalString cfg.localDatabaseCreate (createDb {}) + ''
# Don't change permissions recursively on the data, current, and symlinked directories (see ln -sf command above).
# This dramatically decreases startup times for installations with a lot of files.
find . -maxdepth 1 -not -name data -not -name client -not -name templates -not -name i18n -not -name fonts -not -name bin -not -name . \
-exec chown "${cfg.user}:${cfg.group}" -R {} \; -exec chmod u+rw,g+r,o-rwx -R {} \;
chown "${cfg.user}:${cfg.group}" "${cfg.statePath}/data" .
chmod u+rw,g+r,o-rwx "${cfg.statePath}/data" .
'';
serviceConfig = {
PermissionsStartOnly = true;
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/mattermost";
WorkingDirectory = "${cfg.statePath}";
Restart = "always";
RestartSec = "10";
LimitNOFILE = "49152";
EnvironmentFile = cfg.environmentFile;
};
unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service";
};
})
(mkIf cfg.matterircd.enable {
systemd.services.matterircd = {
description = "Mattermost IRC bridge service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody";
Group = "nogroup";
ExecStart = "${cfg.matterircd.package}/bin/matterircd ${escapeShellArgs cfg.matterircd.parameters}";
WorkingDirectory = "/tmp";
PrivateTmp = true;
Restart = "always";
RestartSec = "5";
};
};
})
];
}