removing build stuff

5 years ago · a80773e646
10 changed files with 0 additions and 393 deletions
--- a/compose/production/mattermost/app/Dockerfile
+++ b/compose/production/mattermost/app/Dockerfile
@ -1,56 +0,0 @@
 FROM alpine:3.10
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
 ENV MM_VERSION=5.27.0
 # Build argument to set Mattermost edition
 ARG edition=enterprise
 ARG PUID=2000
 ARG PGID=2000
 ARG MM_BINARY=
 # Install some needed packages
 RUN apk add --no-cache \
 	ca-certificates \
 	curl \
 	jq \
 	libc6-compat \
 	libffi-dev \
    libcap \
 	linux-headers \
 	mailcap \
 	netcat-openbsd \
 	xmlsec-dev \
 	tzdata \
 	&& rm -rf /tmp/*
 # Get Mattermost
 RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
    && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
    && cp /mattermost/config/config.json /config.json.save \
    && rm -rf /mattermost/config/config.json \
    && addgroup -g ${PGID} mattermost \
    && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
    && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
 USER mattermost
 #Healthcheck to make sure container is ready
 HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1
 # Configure entrypoint and command
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 WORKDIR /mattermost
 CMD ["mattermost"]
 # Expose port 8000 of the container
 EXPOSE 8000
 # Declare volumes for mount point directories
 VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]
--- a/compose/production/mattermost/app/entrypoint.sh
+++ b/compose/production/mattermost/app/entrypoint.sh
@ -1,74 +0,0 @@
 #!/bin/sh
 # Function to generate a random salt
 generate_salt() {
  tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
 }
 # Read environment variables or set default values
 DB_HOST=${DB_HOST:-db}
 DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
 MM_DBNAME=${MM_DBNAME:-mattermost}
 MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
 if [ "${1:0:1}" = '-' ]; then
    set -- mattermost "$@"
 fi
 if [ "$1" = 'mattermost' ]; then
  # Check CLI args for a -config option
  for ARG in $@;
  do
      case "$ARG" in
          -config=*)
              MM_CONFIG=${ARG#*=};;
      esac
  done
  if [ ! -f "$MM_CONFIG" ]; then
    # If there is no configuration file, create it with some default values
    echo "No configuration file" $MM_CONFIG
    echo "Creating a new one"
    # Copy default configuration file
    cp /config.json.save "$MM_CONFIG"
    # Substitute some parameters with jq
    jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
    jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
  else
    echo "Using existing config file $MM_CONFIG"
  fi
  # Configure database access
  if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
  then
    echo -ne "Configure database connection..."
    # URLEncode the password, allowing for special characters
    ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
    echo "OK"
  else
    echo "Using existing database connection"
  fi
  # Wait another second for the database to be properly started.
  # Necessary to avoid "panic: Failed to open sql connection pq: the database system is starting up"
  sleep 1
  echo "Starting mattermost"
 fi
 exec "$@"
--- a/compose/production/mattermost/db/Dockerfile
+++ b/compose/production/mattermost/db/Dockerfile
@ -1,33 +0,0 @@
 FROM postgres:9.4-alpine
 ENV DEFAULT_TIMEZONE UTC
 # Install some packages to use WAL
 RUN echo "azure<5.0.0" > pip-constraints.txt
 RUN apk add --no-cache \
      build-base \
      curl \
      libc6-compat \
      libffi-dev \
      linux-headers \
      python-dev \
      py-pip \
      py-cryptography \
      pv \
      libressl-dev \
    && pip install --upgrade pip \
    && pip --no-cache-dir install -c pip-constraints.txt 'wal-e<1.0.0' envdir \
    && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
 # Add wale script
 COPY setup-wale.sh /docker-entrypoint-initdb.d/
 #Healthcheck to make sure container is ready
 HEALTHCHECK CMD pg_isready -U $POSTGRES_USER -d $POSTGRES_DB || exit 1
 # Add and configure entrypoint and command
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["postgres"]
 VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp", "/etc/wal-e.d/env"]
--- a/compose/production/mattermost/db/entrypoint.sh
+++ b/compose/production/mattermost/db/entrypoint.sh
@ -1,62 +0,0 @@
 #!/bin/bash
 # if wal-e backup is not enabled, use minimal wal-e logging to reduce disk space
 export WAL_LEVEL=${WAL_LEVEL:-minimal}
 export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
 export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
 function update_conf () {
  wal=$1
  # PGDATA is defined in upstream postgres dockerfile
  config_file=$PGDATA/postgresql.conf
  # Check if configuration file exists. If not, it probably means that database is not initialized yet
  if [ ! -f $config_file ]; then
    return
  fi
  # Reinitialize config
  sed -i "s/log_timezone =.*$//g" $PGDATA/postgresql.conf
  sed -i "s/timezone =.*$//g" $PGDATA/postgresql.conf
  sed -i "s/wal_level =.*$//g" $config_file
  sed -i "s/archive_mode =.*$//g" $config_file
  sed -i "s/archive_timeout =.*$//g" $config_file
  sed -i "s/archive_command =.*$//g" $config_file
  # Configure wal-e
  if [ "$wal" = true ] ; then
    /docker-entrypoint-initdb.d/setup-wale.sh
  fi
  echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
  echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
 }
 if [ "${1:0:1}" = '-' ]; then
  set -- postgres "$@"
 fi
 if [ "$1" = 'postgres' ]; then
  # Check wal-e variables
  wal_enable=true
  VARS=(AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY WALE_S3_PREFIX AWS_REGION)
  for v in ${VARS[@]}; do
    if [ "${!v}" = "" ]; then
      echo "$v is required for Wal-E but not set. Skipping Wal-E setup."
      wal_enable=false
    fi
  done
  # Setup wal-e env variables
  if [ "$wal_enable" = true ] ; then
    for v in ${VARS[@]}; do
      export $v="${!v}"
    done
    WAL_LEVEL=archive
    ARCHIVE_MODE=on
  fi
  # Update postgresql configuration
  update_conf $wal_enable
  # Run the postgresql entrypoint
  docker-entrypoint.sh postgres
 fi
--- a/compose/production/mattermost/db/setup-wale.sh
+++ b/compose/production/mattermost/db/setup-wale.sh
@ -1,7 +0,0 @@
 #!/bin/bash
 # wal-e specific configuration
 echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
 echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
 echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
 echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf
--- a/compose/production/mattermost/web/Dockerfile
+++ b/compose/production/mattermost/web/Dockerfile
@ -1,19 +0,0 @@
 FROM nginx:mainline-alpine
 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf \
    && apk add --no-cache curl
 COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
 COPY ./security.conf /etc/nginx/conf.d/
 # Add and setup entrypoint
 COPY entrypoint.sh /
 #Healthcheck to make sure container is ready
 HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
 ENTRYPOINT ["/entrypoint.sh"]
 VOLUME ["/var/run", "/etc/nginx/conf.d/", "/var/cache/nginx/"]
--- a/compose/production/mattermost/web/entrypoint.sh
+++ b/compose/production/mattermost/web/entrypoint.sh
@ -1,24 +0,0 @@
 #!/bin/sh
 # Define default value for app container hostname and port
 APP_HOST=${APP_HOST:-app}
 APP_PORT_NUMBER=${APP_PORT_NUMBER:-8000}
 # Check if SSL should be enabled (if certificates exists)
 if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then
  echo "found certificate and key, linking ssl config"
  ssl="-ssl"
 else
  echo "linking plain config"
 fi
 # Ensure that the configuration file is not present before linking. 
 test -w /etc/nginx/conf.d/mattermost.conf && rm /etc/nginx/conf.d/mattermost.conf
 # Linking Nginx configuration file
 ln -s -f /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
 # Setup app host and port on configuration file
 sed -i "s/{%APP_HOST%}/${APP_HOST}/g" /etc/nginx/conf.d/mattermost.conf
 sed -i "s/{%APP_PORT%}/${APP_PORT_NUMBER}/g" /etc/nginx/conf.d/mattermost.conf
 # Run Nginx
 exec nginx -g 'daemon off;'
--- a/compose/production/mattermost/web/mattermost
+++ b/compose/production/mattermost/web/mattermost
@ -1,39 +0,0 @@
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
 }
 server {
    listen 80;
    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 50M;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
    }
    location / {
        gzip on;
        client_max_body_size 50M;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
    }
 }
--- a/compose/production/mattermost/web/mattermost-ssl
+++ b/compose/production/mattermost/web/mattermost-ssl
@ -1,57 +0,0 @@
 server {
 	listen 80 default_server;
 	server_name _;
 	return 301 https://$host$request_uri;
 }
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
 }
 server {
    listen 443 ssl http2;
    ssl_certificate /cert/cert.pem;
    ssl_certificate_key /cert/key-no-password.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
    ssl_prefer_server_ciphers on;
    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header Connection "upgrade";
        client_max_body_size 50M;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
 	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
    }
    location / {
        gzip on;
        proxy_set_header X-Forwarded-Ssl on;
        client_max_body_size 50M;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
 	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
    }
 }
 # See https://docs.mattermost.com/install/install-ubuntu-1604.html#configuring-nginx-with-ssl-and-http-2 for the SSL configuration
--- a/compose/production/mattermost/web/security.conf
+++ b/compose/production/mattermost/web/security.conf
@ -1,22 +0,0 @@
 # don't send the nginx version number in error pages and Server header
 server_tokens off;
 # config to don't allow the browser to render the page inside an frame or iframe
 # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
 # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
 # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
 add_header X-Frame-Options SAMEORIGIN;
 # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
 # to disable content-type sniffing on some browsers.
 # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
 # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
 # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
 add_header X-Content-Type-Options nosniff;
 # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
 # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
 # this particular website if it was disabled by the user.
 # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 add_header X-XSS-Protection "1; mode=block";