From 0e041c74e846c75bea41314c9e2a18c6a7dc44e2 Mon Sep 17 00:00:00 2001
From: Irene Knapp <ireneista@internetsafetylabs.org>
Date: Tue, 10 Jun 2025 15:25:01 -0700
Subject: switch to using the upstream nixos mattermost module

this does start up correctly, creating its state directory and so on.

it isn't yet world-visible, because we don't have the SSO set up yet.
that's likely to make testing it difficult, which is unfortunate but
necessary, since there's no way it's secure.

Change-Id: I9f40c21c2d41f7e037299cc51a26fdee4d53d3af
---
 services/mattermost.nix | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 services/mattermost.nix

(limited to 'services/mattermost.nix')

diff --git a/services/mattermost.nix b/services/mattermost.nix
new file mode 100644
index 0000000..52d2598
--- /dev/null
+++ b/services/mattermost.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.mattermost = {
+    enable = true;
+
+    # The defaults, here for easy reference.
+    host = "127.0.0.1";
+    port = 8065;
+
+    # This is a placeholder, since it's the one domain name that's actually
+    # mapped to this server right now. Under no circumstances should we ever
+    # expose Mattermost directly to traffic from the internet, it always needs
+    # to be behind our reverse proxy, so please don't actually open the port
+    # or anything like that. Use an ssh tunnel for experimenting with it,
+    # until then.
+    siteUrl = "https://experiments.internetsafetylabs.org";
+
+    # For the usual nix reasons, we prefer to disable Mattermost's in-band
+    # configuration and do all config through nix.
+    preferNixConfig = true;
+
+    telemetry = {
+      enableDiagnostics = false;
+      enableSecurityAlerts = false;
+    };
+
+    database.peerAuth = true;
+  };
+
+  services.postgresqlBackup.databases = [ "mattermost" ];
+}
-- 
cgit 1.4.1