pantheon/modules/nixos/server/web-apps/mattermost/default.nix


# Mattermost web-app module. Builds the argument set for
# lib.pantheon.modules.mkWebApp: persisted directories, extra options, and the
# service configuration for Mattermost, Matterbridge, nginx and PostgreSQL.
{ config, lib, ... }:
let
  inherit (lib.pantheon) mkStrOption;
  inherit (lib.pantheon.modules) mkWebApp;

  cfg = config.server.web-apps.mattermost;
  upstreamCfg = config.services.mattermost;

  secretName = "matterbridge/mattermost-password";
  templateName = "matterbridge-conf";

  # Account identifier shared by the gateway entry and its account section in
  # the Matterbridge TOML below.
  bridgeAccount = "mattermost.${config.hostname}";

  # Persisted directory owned by the Mattermost service account.
  # 0750 = owner rwx, group r-x, no access for other users.
  ownedDir = path: {
    directory = path;
    user = upstreamCfg.user;
    group = upstreamCfg.group;
    mode = "0750";
  };

  # String option with a default path.
  pathOption = default: mkStrOption // { inherit default; };
in
mkWebApp {
  inherit config;
  name = "mattermost";
  defaultPort = 8065;

  persistDirs = map ownedDir [
    cfg.configDir
    cfg.logDir
    cfg.dataDir
  ];

  extraOptions = {
    teamName = mkStrOption;
    configDir = pathOption "/etc/mattermost";
    dataDir = pathOption "/var/lib/mattermost";
    logDir = pathOption "/var/log/mattermost";
  };

  extraConfig = {
    # Fail evaluation early: the database and role below are declared on the
    # local PostgreSQL service.
    assertions = [
      {
        assertion = config.services.postgresql.enable;
        message = "You must enable a local instance of postgresql.";
      }
    ];

    services = {
      mattermost = {
        enable = true;
        # cfg.port (and cfg.domain below) are not declared in extraOptions;
        # presumably mkWebApp provides them.
        inherit (cfg)
          configDir
          dataDir
          logDir
          port
          ;
        # NOTE(review): 0.0.0.0 makes the plain-HTTP listener accept
        # connections on every interface, while siteUrl advertises HTTPS on
        # cfg.domain. Confirm the firewall keeps cfg.port closed to external
        # clients, or bind only to the address nginx proxies to, so traffic
        # cannot reach Mattermost without going through the TLS front end.
        host = "0.0.0.0";
        siteUrl = "https://${cfg.domain}";
      };

      matterbridge = {
        enable = true;
        # NOTE(review): the bridge runs as the Mattermost service user and
        # group, so it gets the same access to the 0750 config/data/log
        # directories as Mattermost itself. A dedicated account would limit
        # what a compromised bridge process can read.
        user = upstreamCfg.user;
        group = upstreamCfg.group;
        configPath = config.sops.templates.${templateName}.path;
      };

      # Websocket endpoints need the upgrade headers, hence a dedicated
      # location. The backend hop is unencrypted HTTP to config.hostname;
      # NOTE(review): presumably that name resolves to a local address —
      # confirm, since the hop is not protected by TLS.
      nginx.virtualHosts.${cfg.domain}.locations."~ /api/v[0-9]+/(users/)?websocket$" = {
        proxyPass = "http://${config.hostname}:${toString cfg.port}";
        proxyWebsockets = true;
      };

      # Declare the database and a role that owns it, using the names from
      # the upstream Mattermost module.
      postgresql = {
        ensureDatabases = [ upstreamCfg.database.name ];
        ensureUsers = [
          {
            name = upstreamCfg.database.user;
            ensureDBOwnership = true;
          }
        ];
      };
    };

    sops = {
      secrets.${secretName} = { };

      # The password enters the file through a sops placeholder, so the Nix
      # expression carries only the placeholder, not the secret. The rendered
      # file is owned by the Mattermost user; its mode is left at the sops
      # template default.
      # cfg.domain and cfg.teamName are interpolated without TOML escaping, so
      # a double quote in either value would change the structure of the file.
      templates.${templateName} = {
        owner = upstreamCfg.user;
        content = # toml
          ''
            [[gateway]]
            name="gateway1"
            enable=true
            [[gateway.inout]]
            account="${bridgeAccount}"
            channel="matterbridge"
            [${bridgeAccount}]
            Server="${cfg.domain}"
            Team="${cfg.teamName}"
            Login="matterbridge"
            Password="${config.sops.placeholder.${secretName}}"
            RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
            PrefixMessagesWithNick=true
            PreserveThreading=true
          '';
      };
    };
  };
}