beginning mattermost

5 years ago · 9d32be52f3
5 changed files with 220 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -42,6 +42,8 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 - [Jellyfin](https://jellyfin.org): The Free Media Software System.
 - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
 - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
 - [Mattermost](https://mattermost.com/): A flexible, open source messaging platform that enables secure team collaboration
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
@ -260,6 +262,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client
 | Syncthing | syncthing.mistborn | Off |
 | OnlyOffice | onlyoffice.mistborn | Off |
 | Jitsi | jitsi.mistborn | Off |
 | Mattermost | mattermost.mistborn | Off |
 # Default Credentials
 These are the default credentials to use in the services you choose to use:
@ -317,6 +320,7 @@ But wait, there's more! You can:
 | Jellyfin       | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile)                      | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618)             |
 | Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) |                                                                                    |
 | Rocket.Chat    | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android)                   | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252)              |
 | Mattermost     | [Mattermost](https://play.google.com/store/apps/details?id=com.mattermost.rn)                      | [Mattermost](https://apps.apple.com/us/app/mattermost/id1257222717)                |
 ## TLS Certificate
 Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away.
--- a/compose/production/mattermost/Dockerfile
+++ b/compose/production/mattermost/Dockerfile
@ -0,0 +1,56 @@
 FROM alpine:3.10
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
 ENV MM_VERSION=5.27.0
 # Build argument to set Mattermost edition
 ARG edition=enterprise
 ARG PUID=2000
 ARG PGID=2000
 ARG MM_BINARY=
 # Install some needed packages
 RUN apk add --no-cache \
 	ca-certificates \
 	curl \
 	jq \
 	libc6-compat \
 	libffi-dev \
    libcap \
 	linux-headers \
 	mailcap \
 	netcat-openbsd \
 	xmlsec-dev \
 	tzdata \
 	&& rm -rf /tmp/*
 # Get Mattermost
 RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
    && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
    && cp /mattermost/config/config.json /config.json.save \
    && rm -rf /mattermost/config/config.json \
    && addgroup -g ${PGID} mattermost \
    && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
    && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
 USER mattermost
 #Healthcheck to make sure container is ready
 HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1
 # Configure entrypoint and command
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 WORKDIR /mattermost
 CMD ["mattermost"]
 # Expose port 8000 of the container
 EXPOSE 8000
 # Declare volumes for mount point directories
 VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]
--- a/compose/production/mattermost/entrypoint.sh
+++ b/compose/production/mattermost/entrypoint.sh
@ -0,0 +1,74 @@
 #!/bin/sh
 # Function to generate a random salt
 generate_salt() {
  tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
 }
 # Read environment variables or set default values
 DB_HOST=${DB_HOST:-db}
 DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
 MM_DBNAME=${MM_DBNAME:-mattermost}
 MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
 if [ "${1:0:1}" = '-' ]; then
    set -- mattermost "$@"
 fi
 if [ "$1" = 'mattermost' ]; then
  # Check CLI args for a -config option
  for ARG in $@;
  do
      case "$ARG" in
          -config=*)
              MM_CONFIG=${ARG#*=};;
      esac
  done
  if [ ! -f "$MM_CONFIG" ]; then
    # If there is no configuration file, create it with some default values
    echo "No configuration file" $MM_CONFIG
    echo "Creating a new one"
    # Copy default configuration file
    cp /config.json.save "$MM_CONFIG"
    # Substitute some parameters with jq
    jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
  else
    echo "Using existing config file $MM_CONFIG"
  fi
  # Configure database access
  if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
  then
    echo -ne "Configure database connection..."
    # URLEncode the password, allowing for special characters
    ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
    echo "OK"
  else
    echo "Using existing database connection"
  fi
  # Wait another second for the database to be properly started.
  # Necessary to avoid "panic: Failed to open sql connection pq: the database system is starting up"
  sleep 1
  echo "Starting mattermost"
 fi
 exec "$@"
--- a/extra/mattermost.yml
+++ b/extra/mattermost.yml
@ -0,0 +1,79 @@
 version: "3"
 services:
  db:
    build: db
    read_only: true
    restart: unless-stopped
    volumes:
      - ../../mistborn_volumes/extra/mattermost/db/var/lib/postgresql/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - ../.envs/.production/.mattermost
    #environment:
    #  - POSTGRES_USER=mmuser
    #  - POSTGRES_PASSWORD=mmuser_password
    #  - POSTGRES_DB=mattermost
    # uncomment the following to enable backup
    #  - AWS_ACCESS_KEY_ID=XXXX
    #  - AWS_SECRET_ACCESS_KEY=XXXX
    #  - WALE_S3_PREFIX=s3://BUCKET_NAME/PATH
    #  - AWS_REGION=us-east-1
  app:
    build:
      context: compose/production/mattermost #app
      # uncomment following lines for team edition or change UID/GID
      args:
        - edition=team
        - PUID=1000
        - PGID=1000
    restart: unless-stopped
    volumes:
      - ../../mistborn_volumes/extra/mattermost/app/mattermost/config:/mattermost/config:rw
      - ../../mistborn_volumes/extra/mattermost/app/mattermost/data:/mattermost/data:rw
      - ../../mistborn_volumes/extra/mattermost/app/mattermost/logs:/mattermost/logs:rw
      - ../../mistborn_volumes/extra/mattermost/app/mattermost/plugins:/mattermost/plugins:rw
      - ../../mistborn_volumes/extra/mattermost/app/mattermost/client-plugins:/mattermost/client/plugins:rw
      - /etc/localtime:/etc/localtime:ro
      # When you want to use SSO with GitLab, you have to add the cert pki chain of GitLab inside Alpine
      # to avoid Token request failed: certificate signed by unknown authority (link: https://github.com/mattermost/mattermost-server/issues/13059)
      # - <path_to_your_gitlab_pki>/pki_chain.pem:/etc/ssl/certs/pki_chain.pem:ro
    env_file:
      - ../.envs/.production/.mattermost
    environment:
      # set same as db credentials and dbname
      #- MM_USERNAME=mmuser
      #- MM_PASSWORD=mmuser_password
      #- MM_DBNAME=mattermost
      # use the credentials you've set above, in the format:
      # MM_SQLSETTINGS_DATASOURCE=postgres://${MM_USERNAME}:${MM_PASSWORD}@db:5432/${MM_DBNAME}?sslmode=disable&connect_timeout=10
      #- MM_SQLSETTINGS_DATASOURCE=postgres://mmuser:mmuser_password@db:5432/mattermost?sslmode=disable&connect_timeout=10
      - MM_SQLSETTINGS_DATASOURCE=postgres://${MM_USERNAME}:${MM_PASSWORD}@db:5432/${MM_DBNAME}?sslmode=disable&connect_timeout=10
      # in case your config is not in default location
      #- MM_CONFIG=/mattermost/config/config.json
  web:
    build: web
    #ports:
    #  - "80:80"
    #  - "443:443"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mattermost-http.rule=Host(`mattermost.mistborn`)"
      - "traefik.http.routers.mattermost-http.entrypoints=web"
      - "traefik.http.routers.mattermost-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.mattermost-https.rule=Host(`mattermost.mistborn`)"
      - "traefik.http.routers.mattermost-https.entrypoints=websecure"
      - "traefik.http.routers.mattermost-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.mattermost-https.tls.certresolver=basic"
      - "traefik.http.services.mattermost-service.loadbalancer.server.port=80"
    read_only: true
    restart: unless-stopped
    volumes:
      # This directory must have cert files if you want to enable SSL
      #- ./volumes/web/cert:/cert:ro
      - /etc/localtime:/etc/localtime:ro
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@ -78,3 +78,10 @@ sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; im
 sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 # Mattermost
 MATTERMOST_PROD_FILE="./.envs/.production/.mattermost"
 echo "MM_USERNAME=mmuser" > $MATTERMOST_PROD_FILE
 echo "MM_PASSWORD=$1" >> $MATTERMOST_PROD_FILE
 echo "MM_DBNAME=mattermost" >> $MATTERMOST_PROD_FILE