mmctl patch draft

Reviewed-on: #4

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: mattermost
+      networks:
+       - proxy
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
@@ -24,33 +26,26 @@ steps:
         from_secret: autono_bot_access_token
     depends_on:
     - deployment
-  when:
-    status:
-      - failure
+    when:
+      status:
+        - failure
 trigger:
   branch:
     - main
 
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: decentral1se/drone-abra:latest
-    settings:
-      command: recipe mattermost release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
-
-  - name: trigger downstream builds
     image: plugins/downstream
     settings:
-      server: https://drone.autonomic.zone
+      server: https://build.coopcloud.tech
       token:
-        from_secret: decentral1se_token
+        from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-apps-json
-    depends_on:
-      - release a new version
-on
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -9,8 +9,31 @@ LETS_ENCRYPT_ENV=production
 # Secret Versions
 SECRET_POSTGRES_PASSWORD_VERSION=v1
 
+COMPOSE_FILE="compose.yml"
+
 # Container Settings
 ## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
 ## A list of these tz database names can be looked up at Wikipedia
 ## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 TZ=UTC
+
+ORG_NAME="My Organization"
+
+## Email Support
+#COMPOSE_FILE="$COMPOSE_FILE:compose.email.yml"
+#ORG_EMAIL_ADDRESS="youruser@youremail.org"
+#SMTP_USER="youruser"
+#SECRET_SMTP_PASS_VERSION=v1
+#SMTP_HOST=""
+#SMTP_PORT=587
+#SMTP_SECURITY=STARTTLS #TLS or STARTTLS
+
+## SSO config
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+#SSO_DOMAIN=accounts.example.com
+#SSO_APP=mattermost
+#SSO_ID=
+#SECRET_MATTERMOST_SSO_SECRET_VERSION=v1
+
+## Enable enterprise version (requires a valid license)
+#COMPOSE_FILE="$COMPOSE_FILE:compose.license.yml"

README.md

@@ -2,14 +2,14 @@
 
 <!-- metadata -->
 
-* **Category**:
-* **Status**: 
-* **Image**:
-* **Healthcheck**: N
-* **Backups**: N
-* **Email**: 
-* **Tests**: N
-* **SSO**: N
+* **Category**: Apps
+* **Status**: 3
+* **Image**: [`mattermost/mattermost-team-edition`](https://hub.docker.com/r/mattermost/mattermost-team-edition), 4, upstream
+* **Healthcheck**: No
+* **Backups**: Yes
+* **Email**: 1
+* **Tests**: 2
+* **SSO**: No
 
 <!-- endmetadata -->
 
@@ -24,5 +24,68 @@
 5. `abra app deploy YOURAPPNAME`
 6. Open the configured domain in your browser to finish set-up
 
+## Enable Email
+**WARNING: Following these steps will overwrite the configuration of your Mattermost instance. Probably only run it on a fresh deployment.**
+- `abra app config YOURAPPNAME`
+- Uncomment the section starting with **Email Support**
+- `abra app secret i YOURAPPNAME smtp_pass v1 'yourSMTPpassword'`
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+- `abra app command -C YOURAPPNAME app reset_config` <- This will overwrite your configuration
+
+## Enable SSO with Authentik
+This is how to configure your Mattermost server to accept logins from your Authentik SSO provider.
+
+### Configure Authentik
+#### Create a property mapping
+- Log in as administrator of your Authentik instance
+- Go to https://authentik.yourserver.org/if/admin/#/core/property-mappings and choose **Create**
+- Choose Scope Mapping
+   - Name: `Mattermost ID`
+   - Scope Name: `id`
+   - Description: *optional own description*
+   - Expression: `return { "id": request.user.id }`
+- Create another Scope Mapping
+   - Name: `Mattermost Username`
+   - Scope Name: `username`
+   - Description: *optional own description*
+   - Expression: `return { "username": request.user.username }`
+#### Create Application and Provider
+- Go to https://authentik.yourserver.org/if/admin/#/core/applications and choose **Create With Wizard**
+   - Application Name: mattermost
+   - **Next**
+   - Choose OAuth2/OIDC
+   - Set Authorization flow: `default-provider-authorization-implicit-consent (Authorize Application)`
+   - Copy the **Client ID** and **Client Secret**, you'll need them later
+   - Add Redirect URIs:
+      - https://mattermost.yourserver.org/login/gitlab/complete
+      - https://mattermost.yourserver.org/signup/gitlab/complete
+   - Expand Advanced Protocol Settings
+   - Under Scopes, select `Mattermost ID` and `Mattermost Username`, and click the > to add them to **Selected Scopes**
+   - **Submit**
+
+### Configure Mattermost
+**WARNING: Following these steps will overwrite the configuration of your Mattermost instance. Probably only run it on a fresh deployment.**
+- `abra app configure YOURAPPNAME`
+   - Uncomment the section starting with `## SSO config`
+   - Set `SSO_ID` to the value you saved when configuring Authentik
+- `abra app secret insert YOURAPPNAME mattermost_sso_secret v1 <the authentik provider secret you saved>`
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+- `abra app command -C YOURAPPNAME app reset_config` <- This will overwrite your configuration
+
+### Disable non-SSO login (Optional)
+- Ensure that your SSO user has the **System Admin** role: https://YOURAPPNAME/admin_console/user_management/users
+- Go to https://YOURAPPNAME/admin_console/authentication/email
+- Set **Enable sign-in with email** and **Enable sign-in with username** to `false`
+
+## Use a Mattermost Enterprise License
+**NOTE: This deploys non-FOSS code and requires you to pay Mattermost for a license to enable features. Not recommended unless you know what you're doing.**
+- `abra app config YOURAPPNAME`
+- Uncomment the section which starts with `## Enable enterprise version`
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+
+
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik

abra.sh

@@ -1 +1,7 @@
 export ENTRYPOINT_VERSION=v1
+export MATTERMOST_CONFIG_VERSION=v1
+
+reset_config() {
+    cp /config-to-copy.json /mattermost/config/config.json && touch /mattermost/config/CoopCloudManaged
+    mmctl config reload --local
+}

backup-mattermost.sh

@@ -0,0 +1,21 @@
+if [ "$1" == "pre-backup" ]; then
+  exit
+fi
+
+if [ "$1" == "pre-backup" ]; then
+  exit
+fi
+
+if [ "$1" == "pre-restore" ]; then
+  # kill the running plugins that need to be overwritten
+  pkill -f '.*plugins'
+  sleep 40
+  pkill -f '.*plugins'
+  sleep 40
+  pkill -f '.*plugins'
+fi
+
+if [ "$1" == "post-restore" ]; then
+  # kill mattermost so that the container restarts
+  pkill -f mattermost
+fi

backup-postgres.sh

@@ -0,0 +1,19 @@
+if [ "$1" == "pre-backup" ]; then
+  # Remove any existing db dump and then create a new one
+  rm -rf /var/lib/postgresql/data/postgres-backup
+  PGPASSWORD=$(cat ${POSTGRES_PASSWORD_FILE}) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} --format=directory -f /var/lib/postgresql/data/postgres-backup
+  exit
+fi
+
+if [ "$1" == "post-backup" ]; then
+  rm -rf /var/lib/postgresql/data/postgres-backup
+  exit
+fi
+
+if [ "$1" == "pre-restore" ]; then
+  exit
+fi
+
+if [ "$1" == "post-restore" ]; then
+  pg_restore -U $POSTGRES_USER -d $POSTGRES_DB -c /var/lib/postgresql/data/postgres-backup
+fi

compose.email.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    configs:
+      - source: mattermost_config
+        target: /config-to-copy.json
+    secrets:
+      - smtp_pass
+
+secrets:
+  smtp_pass:
+    external: true
+    name: ${STACK_NAME}_smtp_pass_${SECRET_SMTP_PASS_VERSION}
+
+configs:
+  mattermost_config:
+    name: ${STACK_NAME}_mattermost_config_${MATTERMOST_CONFIG_VERSION}
+    file: ./config.json.tmpl
+    template_driver: golang

compose.license.yml

@@ -0,0 +1,5 @@
+version: "3.8"
+
+services:
+  app:
+    image: mattermost/mattermost-enterprise-edition:10.5.0

compose.sso.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    configs:
+      - source: mattermost_config
+        target: /config-to-copy.json
+    secrets:
+      - mattermost_sso_secret
+
+secrets:
+  mattermost_sso_secret:
+    external: true
+    name: ${STACK_NAME}_mattermost_sso_secret_${SECRET_MATTERMOST_SSO_SECRET_VERSION}
+
+configs:
+  mattermost_config:
+    name: ${STACK_NAME}_mattermost_config_${MATTERMOST_CONFIG_VERSION}
+    file: ./config.json.tmpl
+    template_driver: golang

compose.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   app:
-    image: mattermost/mattermost-team-edition:8.0.1
+    image: mattermost/mattermost-team-edition:10.5.0
     environment:
       - TZ
       - MM_SQLSETTINGS_DRIVERNAME=postgres
@@ -28,11 +28,23 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+8.0.1"
+        - "coop-cloud.${STACK_NAME}.version=2.1.0+10.5.0"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/mattermost,/etc/ssl"
+        - "backupbot.restore.pre-hook=/backup.sh pre-restore"
+        - "backupbot.restore.post-hook=/backup.sh post-restore"
     configs:
       - source: abra_mattermost_entrypoint
         target: /abra-mattermost-entrypoint.sh
         mode: 0555
+      - source: backup-mattermost
+        target: /backup.sh
+        mode: 0777
+      - source: mattermost-config
+        target: /config-to-copy.json
+      - source: config-patch
+        target: /config-patch.json
     secrets:
       - postgres_password
     entrypoint: /abra-mattermost-entrypoint.sh
@@ -46,11 +58,21 @@ services:
       - POSTGRES_USER=mattermost
       - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
       - POSTGRES_DB=mattermost
+    configs:
+      - source: backup-postgres
+        target: /backup.sh
+        mode: 0777
     secrets:
       - postgres_password
     networks:
       - internal
-
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/var/lib/postgresql/data/"
+        backupbot.backup.pre-hook: "/backup.sh pre-backup"
+        backupbot.backup.post-hook: "/backup.sh post-backup"
+        backupbot.restore.post-hook: "/backup.sh post-restore"
 
 secrets:
   postgres_password:
@@ -61,6 +83,20 @@ configs:
   abra_mattermost_entrypoint:
     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
     file: ./entrypoint.sh
+  backup-mattermost:
+    name: backup-mattermost
+    file: ./backup-mattermost.sh
+  backup-postgres:
+    name: backup-postgres
+    file: ./backup-postgres.sh
+  mattermost_config:
+    name: ${STACK_NAME}_mattermost_config_${MATTERMOST_CONFIG_VERSION}
+    file: ./config.json.tmpl
+    template_driver: golang
+  config_patch:
+    name: ${STACK_NAME}_config_patch_${MATTERMOST_CONFIG_PATCH_VERSION}
+    file: ./config-patch.json.tmpl
+    template_driver: golang
 
 networks:
   proxy:

config-patch.email.json.tmpl

@@ -0,0 +1,18 @@
+{
+    "EmailSettings": {
+        "FeedbackName": "{{ env "ORG_NAME" }}",
+        "FeedbackEmail": "{{ env "ORG_EMAIL_ADDRESS" }}",
+        "ReplyToAddress": "{{ env "ORG_EMAIL_ADDRESS" }}",
+        "EnableSMTPAuth": true,
+        "SMTPUsername": "{{ env "SMTP_USER" }}",
+        "SMTPPassword": "{{ secret "smtp_pass" }}",
+        "SMTPServer": "{{ env "SMTP_HOST" }}",
+        "SMTPPort": "{{ env "SMTP_PORT" }}",
+        "ConnectionSecurity": "{{ env "SMTP_SECURITY" }}",
+    },
+    "SupportSettings": {
+        "SupportEmail": "{{ env "ORG_EMAIL_ADDRESS" }}"
+    },
+    "CoopCloudManaged": {        
+    }
+}

config-patch.json.tmpl

@@ -0,0 +1,8 @@
+{
+    "ServiceSettings": {
+        "EnableLocalMode": true,
+        "LocalModeSocketLocation": "/var/tmp/mattermost_local.socket"
+    },
+    "CoopCloudManaged": {        
+    }
+}

config-patch.sso.json.tmpl

@@ -0,0 +1,16 @@
+{
+    "GitLabSettings": {
+        "Enable": true,
+        "Secret": "{{ secret "mattermost_sso_secret" }}",
+        "Id": "{{ env "SSO_ID" }}",
+        "Scope": "",
+        "AuthEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/authorize/",
+        "TokenEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/token/",
+        "UserAPIEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/userinfo/",
+        "DiscoveryEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/{{ env "SSO_APP" }}/.well-known/openid-configuration",
+        "ButtonText": "{{ env "ORG_NAME" }}",
+        "ButtonColor": "#ff0000"
+    },
+    "CoopCloudManaged": {        
+    }
+}

entrypoint.sh

@@ -15,5 +15,11 @@ else
     exit 1
 fi
 
+# If the default Mattermost config hasn't already been replaced
+# by the templated config this recipe generates, replace it
+if ! test -f "/mattermost/config/CoopCloudManaged"; then
+    cp /config-to-copy.json /mattermost/config/config.json && touch /mattermost/config/CoopCloudManaged
+fi
+
 # https://github.com/mattermost/mattermost-server/blob/master/build/Dockerfile
-/entrypoint.sh "mattermost"
+/entrypoint.sh "mattermost"

release/0.1.0+7.0.txt

@@ -0,0 +1,6 @@
+This should be a fairly stable update. The only strange behaviour we've noticed so far has been:
+
+- When clicking on 'Channels' to change to 'Boards' or 'Playbooks', your window may flicker and just reload 'Channels'. Click 'Boards' or 'Playbooks' again and it should behave as expected.
+- When clicking on private messages, you may get an error telling you that you don't have permission to view these.
+
+To fix both of these errors, logout of your server in your Mattermost client, delete the server (if you are using an app), and then re-add it. We haven't noticed any issues after doing this.

release/1.4.1+9.5.11

@@ -0,0 +1 @@
+hotfix: rollback to last functional version

release/2.0.0+10.5.0

@@ -0,0 +1 @@
+Note that the first time you enable the email or sso configurations it will reset your existing Mattermost configuration.