diff --git a/compose/production/mattermost/app/Dockerfile b/compose/production/mattermost/app/Dockerfile deleted file mode 100644 index 0780bf3..0000000 --- a/compose/production/mattermost/app/Dockerfile +++ /dev/null @@ -1,56 +0,0 @@ -FROM alpine:3.10 - -# Some ENV variables -ENV PATH="/mattermost/bin:${PATH}" -ENV MM_VERSION=5.27.0 - -# Build argument to set Mattermost edition -ARG edition=enterprise -ARG PUID=2000 -ARG PGID=2000 -ARG MM_BINARY= - - -# Install some needed packages -RUN apk add --no-cache \ - ca-certificates \ - curl \ - jq \ - libc6-compat \ - libffi-dev \ - libcap \ - linux-headers \ - mailcap \ - netcat-openbsd \ - xmlsec-dev \ - tzdata \ - && rm -rf /tmp/* - -# Get Mattermost -RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \ - && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \ - elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \ - else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \ - && cp /mattermost/config/config.json /config.json.save \ - && rm -rf /mattermost/config/config.json \ - && addgroup -g ${PGID} mattermost \ - && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \ - && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \ - && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost - -USER mattermost - -#Healthcheck to make sure container is ready -HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1 - -# Configure entrypoint and command -COPY entrypoint.sh / -ENTRYPOINT ["/entrypoint.sh"] -WORKDIR /mattermost -CMD ["mattermost"] - -# Expose port 8000 of the container -EXPOSE 8000 - -# Declare volumes for mount point directories -VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"] diff --git a/compose/production/mattermost/app/entrypoint.sh b/compose/production/mattermost/app/entrypoint.sh deleted file mode 100755 index 9646229..0000000 --- a/compose/production/mattermost/app/entrypoint.sh +++ /dev/null @@ -1,74 +0,0 @@ -#!/bin/sh - -# Function to generate a random salt -generate_salt() { - tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1 -} - -# Read environment variables or set default values -DB_HOST=${DB_HOST:-db} -DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432} -MM_DBNAME=${MM_DBNAME:-mattermost} -MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json} - -if [ "${1:0:1}" = '-' ]; then - set -- mattermost "$@" -fi - -if [ "$1" = 'mattermost' ]; then - # Check CLI args for a -config option - for ARG in $@; - do - case "$ARG" in - -config=*) - MM_CONFIG=${ARG#*=};; - esac - done - - if [ ! -f "$MM_CONFIG" ]; then - # If there is no configuration file, create it with some default values - echo "No configuration file" $MM_CONFIG - echo "Creating a new one" - # Copy default configuration file - cp /config.json.save "$MM_CONFIG" - # Substitute some parameters with jq - jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG - else - echo "Using existing config file $MM_CONFIG" - fi - - # Configure database access - if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]] - then - echo -ne "Configure database connection..." - # URLEncode the password, allowing for special characters - ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri) - export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10" - echo "OK" - else - echo "Using existing database connection" - fi - - # Wait another second for the database to be properly started. - # Necessary to avoid "panic: Failed to open sql connection pq: the database system is starting up" - sleep 1 - - echo "Starting mattermost" -fi - -exec "$@" diff --git a/compose/production/mattermost/db/Dockerfile b/compose/production/mattermost/db/Dockerfile deleted file mode 100644 index d261fd2..0000000 --- a/compose/production/mattermost/db/Dockerfile +++ /dev/null @@ -1,33 +0,0 @@ -FROM postgres:9.4-alpine - -ENV DEFAULT_TIMEZONE UTC - -# Install some packages to use WAL -RUN echo "azure<5.0.0" > pip-constraints.txt -RUN apk add --no-cache \ - build-base \ - curl \ - libc6-compat \ - libffi-dev \ - linux-headers \ - python-dev \ - py-pip \ - py-cryptography \ - pv \ - libressl-dev \ - && pip install --upgrade pip \ - && pip --no-cache-dir install -c pip-constraints.txt 'wal-e<1.0.0' envdir \ - && rm -rf /var/cache/apk/* /tmp/* /var/tmp/* - -# Add wale script -COPY setup-wale.sh /docker-entrypoint-initdb.d/ - -#Healthcheck to make sure container is ready -HEALTHCHECK CMD pg_isready -U $POSTGRES_USER -d $POSTGRES_DB || exit 1 - -# Add and configure entrypoint and command -COPY entrypoint.sh / -ENTRYPOINT ["/entrypoint.sh"] -CMD ["postgres"] - -VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp", "/etc/wal-e.d/env"] diff --git a/compose/production/mattermost/db/entrypoint.sh b/compose/production/mattermost/db/entrypoint.sh deleted file mode 100755 index ce0facc..0000000 --- a/compose/production/mattermost/db/entrypoint.sh +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/bash - -# if wal-e backup is not enabled, use minimal wal-e logging to reduce disk space -export WAL_LEVEL=${WAL_LEVEL:-minimal} -export ARCHIVE_MODE=${ARCHIVE_MODE:-off} -export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60} - -function update_conf () { - wal=$1 - # PGDATA is defined in upstream postgres dockerfile - config_file=$PGDATA/postgresql.conf - - # Check if configuration file exists. If not, it probably means that database is not initialized yet - if [ ! -f $config_file ]; then - return - fi - # Reinitialize config - sed -i "s/log_timezone =.*$//g" $PGDATA/postgresql.conf - sed -i "s/timezone =.*$//g" $PGDATA/postgresql.conf - sed -i "s/wal_level =.*$//g" $config_file - sed -i "s/archive_mode =.*$//g" $config_file - sed -i "s/archive_timeout =.*$//g" $config_file - sed -i "s/archive_command =.*$//g" $config_file - - # Configure wal-e - if [ "$wal" = true ] ; then - /docker-entrypoint-initdb.d/setup-wale.sh - fi - echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file - echo "timezone = $DEFAULT_TIMEZONE" >> $config_file -} - -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi - -if [ "$1" = 'postgres' ]; then - # Check wal-e variables - wal_enable=true - VARS=(AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY WALE_S3_PREFIX AWS_REGION) - for v in ${VARS[@]}; do - if [ "${!v}" = "" ]; then - echo "$v is required for Wal-E but not set. Skipping Wal-E setup." - wal_enable=false - fi - done - - # Setup wal-e env variables - if [ "$wal_enable" = true ] ; then - for v in ${VARS[@]}; do - export $v="${!v}" - done - WAL_LEVEL=archive - ARCHIVE_MODE=on - fi - - # Update postgresql configuration - update_conf $wal_enable - - # Run the postgresql entrypoint - docker-entrypoint.sh postgres -fi diff --git a/compose/production/mattermost/db/setup-wale.sh b/compose/production/mattermost/db/setup-wale.sh deleted file mode 100755 index cf34ea5..0000000 --- a/compose/production/mattermost/db/setup-wale.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# wal-e specific configuration -echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf -echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf -echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf -echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf diff --git a/compose/production/mattermost/web/Dockerfile b/compose/production/mattermost/web/Dockerfile deleted file mode 100644 index a138e0c..0000000 --- a/compose/production/mattermost/web/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM nginx:mainline-alpine - -# Remove default configuration and add our custom Nginx configuration files -RUN rm /etc/nginx/conf.d/default.conf \ - && apk add --no-cache curl - -COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"] -COPY ./security.conf /etc/nginx/conf.d/ - -# Add and setup entrypoint -COPY entrypoint.sh / - -#Healthcheck to make sure container is ready -HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1 - -ENTRYPOINT ["/entrypoint.sh"] - -VOLUME ["/var/run", "/etc/nginx/conf.d/", "/var/cache/nginx/"] - diff --git a/compose/production/mattermost/web/entrypoint.sh b/compose/production/mattermost/web/entrypoint.sh deleted file mode 100755 index 6a7d9bc..0000000 --- a/compose/production/mattermost/web/entrypoint.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh - -# Define default value for app container hostname and port -APP_HOST=${APP_HOST:-app} -APP_PORT_NUMBER=${APP_PORT_NUMBER:-8000} - -# Check if SSL should be enabled (if certificates exists) -if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then - echo "found certificate and key, linking ssl config" - ssl="-ssl" -else - echo "linking plain config" -fi -# Ensure that the configuration file is not present before linking. -test -w /etc/nginx/conf.d/mattermost.conf && rm /etc/nginx/conf.d/mattermost.conf -# Linking Nginx configuration file -ln -s -f /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf - -# Setup app host and port on configuration file -sed -i "s/{%APP_HOST%}/${APP_HOST}/g" /etc/nginx/conf.d/mattermost.conf -sed -i "s/{%APP_PORT%}/${APP_PORT_NUMBER}/g" /etc/nginx/conf.d/mattermost.conf - -# Run Nginx -exec nginx -g 'daemon off;' diff --git a/compose/production/mattermost/web/mattermost b/compose/production/mattermost/web/mattermost deleted file mode 100644 index ac301ae..0000000 --- a/compose/production/mattermost/web/mattermost +++ /dev/null @@ -1,39 +0,0 @@ -map $http_x_forwarded_proto $proxy_x_forwarded_proto { - default $http_x_forwarded_proto; - '' $scheme; -} - -server { - listen 80; - - location ~ /api/v[0-9]+/(users/)?websocket$ { - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - client_max_body_size 50M; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_buffers 256 16k; - proxy_buffer_size 16k; - proxy_read_timeout 600s; - proxy_pass http://{%APP_HOST%}:{%APP_PORT%}; - } - - location / { - gzip on; - - client_max_body_size 50M; - proxy_set_header Connection ""; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_buffers 256 16k; - proxy_buffer_size 16k; - proxy_read_timeout 600s; - proxy_pass http://{%APP_HOST%}:{%APP_PORT%}; - } -} diff --git a/compose/production/mattermost/web/mattermost-ssl b/compose/production/mattermost/web/mattermost-ssl deleted file mode 100644 index 42f1fdf..0000000 --- a/compose/production/mattermost/web/mattermost-ssl +++ /dev/null @@ -1,57 +0,0 @@ -server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; -} - -map $http_x_forwarded_proto $proxy_x_forwarded_proto { - default $http_x_forwarded_proto; - '' $scheme; -} - -server { - listen 443 ssl http2; - - ssl_certificate /cert/cert.pem; - ssl_certificate_key /cert/key-no-password.pem; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH; - ssl_prefer_server_ciphers on; - - location ~ /api/v[0-9]+/(users/)?websocket$ { - proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header Connection "upgrade"; - - client_max_body_size 50M; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_buffers 256 16k; - proxy_buffer_size 16k; - proxy_read_timeout 600s; - proxy_pass http://{%APP_HOST%}:{%APP_PORT%}; - } - - location / { - gzip on; - proxy_set_header X-Forwarded-Ssl on; - - client_max_body_size 50M; - proxy_set_header Connection ""; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_buffers 256 16k; - proxy_buffer_size 16k; - proxy_read_timeout 600s; - proxy_pass http://{%APP_HOST%}:{%APP_PORT%}; - } -} - -# See https://docs.mattermost.com/install/install-ubuntu-1604.html#configuring-nginx-with-ssl-and-http-2 for the SSL configuration diff --git a/compose/production/mattermost/web/security.conf b/compose/production/mattermost/web/security.conf deleted file mode 100644 index 136f59c..0000000 --- a/compose/production/mattermost/web/security.conf +++ /dev/null @@ -1,22 +0,0 @@ -# don't send the nginx version number in error pages and Server header -server_tokens off; - -# config to don't allow the browser to render the page inside an frame or iframe -# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking -# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri -# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options -add_header X-Frame-Options SAMEORIGIN; - -# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, -# to disable content-type sniffing on some browsers. -# https://www.owasp.org/index.php/List_of_useful_HTTP_headers -# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx -# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx -# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 -add_header X-Content-Type-Options nosniff; - -# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. -# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for -# this particular website if it was disabled by the user. -# https://www.owasp.org/index.php/List_of_useful_HTTP_headers -add_header X-XSS-Protection "1; mode=block";