new backup scripts

Reviewed-on: #3

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: mattermost
+      networks:
+       - proxy
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
@@ -24,33 +26,26 @@ steps:
         from_secret: autono_bot_access_token
     depends_on:
     - deployment
-  when:
-    status:
-      - failure
+    when:
+      status:
+        - failure
 trigger:
   branch:
     - main
 
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: decentral1se/drone-abra:latest
-    settings:
-      command: recipe mattermost release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
-
-  - name: trigger downstream builds
     image: plugins/downstream
     settings:
-      server: https://drone.autonomic.zone
+      server: https://build.coopcloud.tech
       token:
-        from_secret: decentral1se_token
+        from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-apps-json
-    depends_on:
-      - release a new version
-on
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -9,20 +9,28 @@ LETS_ENCRYPT_ENV=production
 # Secret Versions
 SECRET_POSTGRES_PASSWORD_VERSION=v1
 
+COMPOSE_FILE="compose.yml"
+
 # Container Settings
 ## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
 ## A list of these tz database names can be looked up at Wikipedia
 ## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 TZ=UTC
 
-## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
-## it if you know what you're doing.
-## See https://github.com/mattermost/docker/issues/18
-MATTERMOST_CONTAINER_READONLY=false
-
-## Additional configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
-## https://docs.mattermost.com/administration/config-settings.html
-## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
-## the system console as well and settings set with env variables will be greyed out.
+ORG_NAME="My Organization"
 
+## Email Support
+#COMPOSE_FILE="$COMPOSE_FILE:compose.email.yml"
+#ORG_EMAIL_ADDRESS="youruser@youremail.org"
+#SMTP_USER="youruser"
+#SECRET_SMTP_PASS_VERSION=v1
+#SMTP_HOST=""
+#SMTP_PORT=587
+#SMTP_SECURITY=STARTTLS #TLS or STARTTLS
 
+## SSO config
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+#SSO_DOMAIN=accounts.example.com
+#SSO_APP=mattermost
+#SSO_ID=
+#SECRET_MATTERMOST_SSO_SECRET_VERSION=v1

README.md

@@ -2,14 +2,14 @@
 
 <!-- metadata -->
 
-* **Category**:
-* **Status**: 
-* **Image**:
-* **Healthcheck**: N
-* **Backups**: N
-* **Email**: 
-* **Tests**: N
-* **SSO**: N
+* **Category**: Apps
+* **Status**: 3
+* **Image**: [`mattermost/mattermost-team-edition`](https://hub.docker.com/r/mattermost/mattermost-team-edition), 4, upstream
+* **Healthcheck**: No
+* **Backups**: Yes
+* **Email**: 1
+* **Tests**: 2
+* **SSO**: No
 
 <!-- endmetadata -->
 
@@ -24,5 +24,61 @@
 5. `abra app deploy YOURAPPNAME`
 6. Open the configured domain in your browser to finish set-up
 
+## Enable Email
+**WARNING: Following these steps will overwrite the configuration of your Mattermost instance. Probably only run it on a fresh deployment.**
+- `abra app config YOURAPPNAME`
+- Uncomment the section starting with **Email Support**
+- `abra app secret i YOURAPPNAME smtp_pass v1 'yourSMTPpassword'`
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+- `abra app command -C YOURAPPNAME app reset_config` <- This will overwrite your configuration
+
+## Enable SSO with Authentik
+This is how to configure your Mattermost server to accept logins from your Authentik SSO provider.
+
+### Configure Authentik
+#### Create a property mapping
+- Log in as administrator of your Authentik instance
+- Go to https://authentik.yourserver.org/if/admin/#/core/property-mappings and choose **Create**
+- Choose Scope Mapping
+   - Name: `Mattermost ID`
+   - Scope Name: `id`
+   - Description: *optional own description*
+   - Expression: `return { "id": request.user.id }`
+- Create another Scope Mapping
+   - Name: `Mattermost Username`
+   - Scope Name: `username`
+   - Description: *optional own description*
+   - Expression: `return { "username": request.user.username }`
+#### Create Application and Provider
+- Go to https://authentik.yourserver.org/if/admin/#/core/applications and choose **Create With Wizard**
+   - Application Name: mattermost
+   - **Next**
+   - Choose OAuth2/OIDC
+   - Set Authorization flow: `default-provider-authorization-implicit-consent (Authorize Application)`
+   - Copy the **Client ID** and **Client Secret**, you'll need them later
+   - Add Redirect URIs:
+      - https://mattermost.yourserver.org/login/gitlab/complete
+      - https://mattermost.yourserver.org/signup/gitlab/complete
+   - Expand Advanced Protocol Settings
+   - Under Scopes, select `Mattermost ID` and `Mattermost Username`, and click the > to add them to **Selected Scopes**
+   - **Submit**
+
+### Configure Mattermost
+**WARNING: Following these steps will overwrite the configuration of your Mattermost instance. Probably only run it on a fresh deployment.**
+- `abra app configure YOURAPPNAME`
+   - Uncomment the section starting with `## SSO config`
+   - Set `SSO_ID` to the value you saved when configuring Authentik
+- `abra app secret insert YOURAPPNAME mattermost_sso_secret v1 <the authentik provider secret you saved>`
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+- `abra app command -C YOURAPPNAME app reset_config` <- This will overwrite your configuration
+
+### Disable non-SSO login (Optional)
+- Ensure that your SSO user has the **System Admin** role: https://YOURAPPNAME/admin_console/user_management/users
+- Go to https://YOURAPPNAME/admin_console/authentication/email
+- Set **Enable sign-in with email** and **Enable sign-in with username** to `false`
+
+
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik

abra.sh

@@ -0,0 +1,7 @@
+export ENTRYPOINT_VERSION=v1
+export MATTERMOST_CONFIG_VERSION=v1
+
+reset_config() {
+    cp /config-to-copy.json /mattermost/config/config.json && touch /mattermost/config/CoopCloudManaged
+    mmctl config reload --local
+}

backup-mattermost.sh

@@ -0,0 +1,16 @@
+if [ "$1" == "pre-backup" ]; then
+  exit
+fi
+
+if [ "$1" == "pre-backup" ]; then
+  exit
+fi
+
+if [ "$1" == "pre-restore" ]; then
+  # kill the running plugins that need to be overwritten
+  pkill plugins
+fi
+
+if [ "$1" == "post-restore" ]; then
+  mmctl config reload --local
+fi

backup-postgres.sh

@@ -0,0 +1,15 @@
+if [ "$1" == "pre-backup" ]; then
+  exit
+fi
+
+if [ "$1" == "post-backup" ]; then
+  exit
+fi
+
+if [ "$1" == "pre-restore" ]; then
+  exit
+fi
+
+if [ "$1" == "post-restore" ]; then
+  pg_restore -U $POSTGRES_USER -d $POSTGRES_DB -c /var/lib/postgresql/data/postgres-backup
+fi

compose.email.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    configs:
+      - source: mattermost_config
+        target: /config-to-copy.json
+    secrets:
+      - smtp_pass
+
+secrets:
+  smtp_pass:
+    external: true
+    name: ${STACK_NAME}_smtp_pass_${SECRET_SMTP_PASS_VERSION}
+
+configs:
+  mattermost_config:
+    name: ${STACK_NAME}_mattermost_config_${MATTERMOST_CONFIG_VERSION}
+    file: ./config.json.tmpl
+    template_driver: golang

compose.sso.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    configs:
+      - source: mattermost_config
+        target: /config-to-copy.json
+    secrets:
+      - mattermost_sso_secret
+
+secrets:
+  mattermost_sso_secret:
+    external: true
+    name: ${STACK_NAME}_mattermost_sso_secret_${SECRET_MATTERMOST_SSO_SECRET_VERSION}
+
+configs:
+  mattermost_config:
+    name: ${STACK_NAME}_mattermost_config_${MATTERMOST_CONFIG_VERSION}
+    file: ./config.json.tmpl
+    template_driver: golang

compose.yml

@@ -1,50 +1,19 @@
 version: "3.8"
 
 services:
-  postgres:
-    image: postgres:13-alpine
-    security_opt:
-      - no-new-privileges:true
-    tmpfs:
-      - /tmp
-      - /var/run/postgresql
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-    environment:
-      # timezone inside container
-      - TZ
-
-      # necessary Postgres options/variables
-      - POSTGRES_USER=mattermost
-      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
-      - POSTGRES_DB=mattermost
-    secrets:
-      - postgres_password
-    networks:
-      - internal
-
   app:
-    image: mattermost/mattermost-team-edition:5.39
-    security_opt:
-      - no-new-privileges:true
-    read_only: ${MATTERMOST_CONTAINER_READONLY}
-    tmpfs:
-      - /tmp
+    image: mattermost/mattermost-team-edition:10.5.0
+    environment:
+      - TZ
+      - MM_SQLSETTINGS_DRIVERNAME=postgres
+      - MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
     volumes:
       - mattermost_config:/mattermost/config:rw
       - mattermost_data:/mattermost/data:rw
       - mattermost_logs:/mattermost/logs:rw
       - mattermost_plugins:/mattermost/plugins:rw
       - mattermost_client_plugins:/mattermost/client/plugins:rw
-    environment:
-      # timezone inside container
-      - TZ
-
-      # necessary Mattermost options/variables (see env.sample)
-      - MM_SQLSETTINGS_DRIVERNAME=postgres
-
-      # additional settings
-      - MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
+      - mattermost_certs:/etc/ssl/certs:ro
     networks:
       - proxy
       - internal
@@ -59,6 +28,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=1.5.3+9.11.8"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/mattermost,/etc/ssl"
+        - "backupbot.restore.pre-hook=/restore.sh pre"
+        - "backupbot.restore.post-hook=/restore.sh post"
     configs:
       - source: abra_mattermost_entrypoint
         target: /abra-mattermost-entrypoint.sh
@@ -67,6 +42,27 @@ services:
       - postgres_password
     entrypoint: /abra-mattermost-entrypoint.sh
 
+  postgres:
+    image: postgres:15-alpine
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      - TZ
+      - POSTGRES_USER=mattermost
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - POSTGRES_DB=mattermost
+    secrets:
+      - postgres_password
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} --format=directory -f /var/lib/postgresql/data/postgres-backup"
+        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/postgres-backup"
+        backupbot.backup.path: "/var/lib/postgresql/data/"
+        backupbot.restore.post-hook: "/backup-postgres.sh post"
+
 secrets:
   postgres_password:
     external: true
@@ -74,8 +70,9 @@ secrets:
 
 configs:
   abra_mattermost_entrypoint:
-    name: abra_mattermost_entrypoint
-    file: ./abra-mattermost-entrypoint.sh
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: ./entrypoint.sh
+
 
 networks:
   proxy:
@@ -85,8 +82,8 @@ networks:
 volumes:
   postgres_data:
   mattermost_config:
+  mattermost_certs:
   mattermost_data:
   mattermost_logs:
   mattermost_plugins:
   mattermost_client_plugins:
-

config.json.tmpl

@@ -0,0 +1,686 @@
+{
+    "ServiceSettings": {
+        "SiteURL": "",
+        "WebsocketURL": "",
+        "LicenseFileLocation": "",
+        "ListenAddress": ":8065",
+        "ConnectionSecurity": "",
+        "TLSCertFile": "",
+        "TLSKeyFile": "",
+        "TLSMinVer": "1.2",
+        "TLSStrictTransport": false,
+        "TLSStrictTransportMaxAge": 63072000,
+        "TLSOverwriteCiphers": [],
+        "UseLetsEncrypt": false,
+        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
+        "Forward80To443": false,
+        "TrustedProxyIPHeader": [],
+        "ReadTimeout": 300,
+        "WriteTimeout": 300,
+        "IdleTimeout": 60,
+        "MaximumLoginAttempts": 10,
+        "GoroutineHealthThreshold": -1,
+        "EnableOAuthServiceProvider": true,
+        "EnableIncomingWebhooks": true,
+        "EnableOutgoingWebhooks": true,
+        "EnableOutgoingOAuthConnections": false,
+        "EnableCommands": true,
+        "OutgoingIntegrationRequestsTimeout": 30,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
+        "GoogleDeveloperKey": "",
+        "EnableLinkPreviews": true,
+        "EnablePermalinkPreviews": true,
+        "RestrictLinkPreviews": "",
+        "EnableTesting": false,
+        "EnableDeveloper": false,
+        "DeveloperFlags": "",
+        "EnableClientPerformanceDebugging": false,
+        "EnableOpenTracing": false,
+        "EnableSecurityFixAlert": true,
+        "EnableInsecureOutgoingConnections": false,
+        "AllowedUntrustedInternalConnections": "",
+        "EnableMultifactorAuthentication": false,
+        "EnforceMultifactorAuthentication": false,
+        "EnableUserAccessTokens": false,
+        "AllowCorsFrom": "",
+        "CorsExposedHeaders": "",
+        "CorsAllowCredentials": false,
+        "CorsDebug": false,
+        "AllowCookiesForSubdomains": false,
+        "ExtendSessionLengthWithActivity": true,
+        "TerminateSessionsOnPasswordChange": true,
+        "SessionLengthWebInDays": 30,
+        "SessionLengthWebInHours": 720,
+        "SessionLengthMobileInDays": 30,
+        "SessionLengthMobileInHours": 720,
+        "SessionLengthSSOInDays": 30,
+        "SessionLengthSSOInHours": 720,
+        "SessionCacheInMinutes": 10,
+        "SessionIdleTimeoutInMinutes": 43200,
+        "WebsocketSecurePort": 443,
+        "WebsocketPort": 80,
+        "WebserverMode": "gzip",
+        "EnableGifPicker": true,
+        "GiphySdkKey": "",
+        "EnableCustomEmoji": true,
+        "EnableEmojiPicker": true,
+        "PostEditTimeLimit": -1,
+        "TimeBetweenUserTypingUpdatesMilliseconds": 5000,
+        "EnablePostSearch": true,
+        "EnableFileSearch": true,
+        "MinimumHashtagLength": 3,
+        "EnableUserTypingMessages": true,
+        "EnableChannelViewedMessages": true,
+        "EnableUserStatuses": true,
+        "ExperimentalEnableAuthenticationTransfer": true,
+        "ClusterLogTimeoutMilliseconds": 2000,
+        "EnableTutorial": true,
+        "EnableOnboardingFlow": true,
+        "ExperimentalEnableDefaultChannelLeaveJoinMessages": true,
+        "ExperimentalGroupUnreadChannels": "disabled",
+        "EnableAPITeamDeletion": false,
+        "EnableAPITriggerAdminNotifications": false,
+        "EnableAPIUserDeletion": false,
+        "EnableAPIPostDeletion": false,
+        "EnableDesktopLandingPage": true,
+        "ExperimentalEnableHardenedMode": false,
+        "ExperimentalStrictCSRFEnforcement": false,
+        "EnableEmailInvitations": false,
+        "DisableBotsWhenOwnerIsDeactivated": true,
+        "EnableBotAccountCreation": false,
+        "EnableSVGs": false,
+        "EnableLatex": false,
+        "EnableInlineLatex": true,
+        "PostPriority": true,
+        "AllowPersistentNotifications": true,
+        "AllowPersistentNotificationsForGuests": false,
+        "PersistentNotificationIntervalMinutes": 5,
+        "PersistentNotificationMaxCount": 6,
+        "PersistentNotificationMaxRecipients": 5,
+        "EnableAPIChannelDeletion": false,
+        "EnableLocalMode": true,
+        "LocalModeSocketLocation": "/var/tmp/mattermost_local.socket",
+        "EnableAWSMetering": false,
+        "SplitKey": "",
+        "FeatureFlagSyncIntervalSeconds": 30,
+        "DebugSplit": false,
+        "ThreadAutoFollow": true,
+        "CollapsedThreads": "always_on",
+        "ManagedResourcePaths": "",
+        "EnableCustomGroups": true,
+        "AllowSyncedDrafts": true,
+        "UniqueEmojiReactionLimitPerPost": 50,
+        "RefreshPostStatsRunTime": "00:00",
+        "MaximumPayloadSizeBytes": 300000,
+        "MaximumURLLength": 2048,
+        "ScheduledPosts": true
+    },
+    "TeamSettings": {
+        "SiteName": "Mattermost",
+        "MaxUsersPerTeam": 50,
+        "EnableJoinLeaveMessageByDefault": true,
+        "EnableUserCreation": true,
+        "EnableOpenServer": false,
+        "EnableUserDeactivation": false,
+        "RestrictCreationToDomains": "",
+        "EnableCustomUserStatuses": true,
+        "EnableCustomBrand": false,
+        "CustomBrandText": "",
+        "CustomDescriptionText": "",
+        "RestrictDirectMessage": "any",
+        "EnableLastActiveTime": true,
+        "UserStatusAwayTimeout": 300,
+        "MaxChannelsPerTeam": 2000,
+        "MaxNotificationsPerChannel": 1000,
+        "EnableConfirmNotificationsToChannel": true,
+        "TeammateNameDisplay": "username",
+        "ExperimentalViewArchivedChannels": true,
+        "ExperimentalEnableAutomaticReplies": false,
+        "LockTeammateNameDisplay": false,
+        "ExperimentalPrimaryTeam": "",
+        "ExperimentalDefaultChannels": []
+    },
+    "ClientRequirements": {
+        "AndroidLatestVersion": "",
+        "AndroidMinVersion": "",
+        "IosLatestVersion": "",
+        "IosMinVersion": ""
+    },
+    "SqlSettings": {
+        "DriverName": "postgres",
+        "DataSource": "postgres://mmuser:mostest@localhost/mattermost_test?sslmode=disable\u0026connect_timeout=10\u0026binary_parameters=yes",
+        "DataSourceReplicas": [],
+        "DataSourceSearchReplicas": [],
+        "MaxIdleConns": 20,
+        "ConnMaxLifetimeMilliseconds": 3600000,
+        "ConnMaxIdleTimeMilliseconds": 300000,
+        "MaxOpenConns": 300,
+        "Trace": false,
+        "AtRestEncryptKey": "etcbtej9ar4b5ickh9kqmmmbwkgnd9ds",
+        "QueryTimeout": 30,
+        "DisableDatabaseSearch": false,
+        "MigrationsStatementTimeoutSeconds": 100000,
+        "ReplicaLagSettings": [],
+        "ReplicaMonitorIntervalSeconds": 5
+    },
+    "LogSettings": {
+        "EnableConsole": true,
+        "ConsoleLevel": "INFO",
+        "ConsoleJson": true,
+        "EnableColor": false,
+        "EnableFile": true,
+        "FileLevel": "INFO",
+        "FileJson": true,
+        "FileLocation": "",
+        "EnableWebhookDebugging": true,
+        "EnableDiagnostics": true,
+        "VerboseDiagnostics": false,
+        "EnableSentry": true,
+        "AdvancedLoggingJSON": {},
+        "MaxFieldSize": 2048
+    },
+    "ExperimentalAuditSettings": {
+        "FileEnabled": false,
+        "FileName": "",
+        "FileMaxSizeMB": 100,
+        "FileMaxAgeDays": 0,
+        "FileMaxBackups": 0,
+        "FileCompress": false,
+        "FileMaxQueueSize": 1000,
+        "AdvancedLoggingJSON": {}
+    },
+    "NotificationLogSettings": {
+        "EnableConsole": true,
+        "ConsoleLevel": "INFO",
+        "ConsoleJson": true,
+        "EnableColor": false,
+        "EnableFile": true,
+        "FileLevel": "INFO",
+        "FileJson": true,
+        "FileLocation": "",
+        "AdvancedLoggingJSON": {}
+    },
+    "PasswordSettings": {
+        "MinimumLength": 8,
+        "Lowercase": false,
+        "Number": false,
+        "Uppercase": false,
+        "Symbol": false,
+        "EnableForgotLink": true
+    },
+    "FileSettings": {
+        "EnableFileAttachments": true,
+        "EnableMobileUpload": true,
+        "EnableMobileDownload": true,
+        "MaxFileSize": 104857600,
+        "MaxImageResolution": 33177600,
+        "MaxImageDecoderConcurrency": -1,
+        "DriverName": "local",
+        "Directory": "./data/",
+        "EnablePublicLink": false,
+        "ExtractContent": true,
+        "ArchiveRecursion": false,
+        "PublicLinkSalt": "br5pxoytkqgpwptybafe56dhfi7du38m",
+        "InitialFont": "nunito-bold.ttf",
+        "AmazonS3AccessKeyId": "",
+        "AmazonS3SecretAccessKey": "",
+        "AmazonS3Bucket": "",
+        "AmazonS3PathPrefix": "",
+        "AmazonS3Region": "",
+        "AmazonS3Endpoint": "s3.amazonaws.com",
+        "AmazonS3SSL": true,
+        "AmazonS3SignV2": false,
+        "AmazonS3SSE": false,
+        "AmazonS3Trace": false,
+        "AmazonS3RequestTimeoutMilliseconds": 30000,
+        "AmazonS3UploadPartSizeBytes": 5242880,
+        "AmazonS3StorageClass": "",
+        "DedicatedExportStore": false,
+        "ExportDriverName": "local",
+        "ExportDirectory": "./data/",
+        "ExportAmazonS3AccessKeyId": "",
+        "ExportAmazonS3SecretAccessKey": "",
+        "ExportAmazonS3Bucket": "",
+        "ExportAmazonS3PathPrefix": "",
+        "ExportAmazonS3Region": "",
+        "ExportAmazonS3Endpoint": "s3.amazonaws.com",
+        "ExportAmazonS3SSL": true,
+        "ExportAmazonS3SignV2": false,
+        "ExportAmazonS3SSE": false,
+        "ExportAmazonS3Trace": false,
+        "ExportAmazonS3RequestTimeoutMilliseconds": 30000,
+        "ExportAmazonS3PresignExpiresSeconds": 21600,
+        "ExportAmazonS3UploadPartSizeBytes": 104857600,
+        "ExportAmazonS3StorageClass": ""
+    },
+    "EmailSettings": {
+        "EnableSignUpWithEmail": true,
+        "EnableSignInWithEmail": true,
+        "EnableSignInWithUsername": true,
+        "SendEmailNotifications": true,
+        "UseChannelInEmailNotifications": false,
+        "RequireEmailVerification": false,
+        "FeedbackName": "{{ env "ORG_NAME" }}",
+        "FeedbackEmail": "{{ env "ORG_EMAIL_ADDRESS" }}",
+        "ReplyToAddress": "{{ env "ORG_EMAIL_ADDRESS" }}",
+        "FeedbackOrganization": "",
+        "EnableSMTPAuth": true,
+        "SMTPUsername": "{{ env "SMTP_USER" }}",
+        "SMTPPassword": "{{ secret "smtp_pass" }}",
+        "SMTPServer": "{{ env "SMTP_HOST" }}",
+        "SMTPPort": "{{ env "SMTP_PORT" }}",
+        "SMTPServerTimeout": 10,
+        "ConnectionSecurity": "{{ env "SMTP_SECURITY" }}",
+        "SendPushNotifications": true,
+        "PushNotificationServer": "https://push-test.mattermost.com",
+        "PushNotificationContents": "full",
+        "PushNotificationBuffer": 1000,
+        "EnableEmailBatching": false,
+        "EmailBatchingBufferSize": 256,
+        "EmailBatchingInterval": 30,
+        "EnablePreviewModeBanner": false,
+        "SkipServerCertificateVerification": false,
+        "EmailNotificationContentsType": "full",
+        "LoginButtonColor": "#0000",
+        "LoginButtonBorderColor": "#2389D7",
+        "LoginButtonTextColor": "#2389D7"
+    },
+    "RateLimitSettings": {
+        "Enable": false,
+        "PerSec": 10,
+        "MaxBurst": 100,
+        "MemoryStoreSize": 10000,
+        "VaryByRemoteAddr": true,
+        "VaryByUser": false,
+        "VaryByHeader": ""
+    },
+    "PrivacySettings": {
+        "ShowEmailAddress": true,
+        "ShowFullName": true
+    },
+    "SupportSettings": {
+        "TermsOfServiceLink": "https://mattermost.com/pl/terms-of-use/",
+        "PrivacyPolicyLink": "https://mattermost.com/pl/privacy-policy/",
+        "AboutLink": "https://mattermost.com/pl/about-mattermost",
+        "HelpLink": "https://mattermost.com/pl/help/",
+        "ReportAProblemLink": "https://mattermost.com/pl/report-a-bug",
+        "ForgotPasswordLink": "",
+        "SupportEmail": "{{ env "ORG_EMAIL_ADDRESS" }}",
+        "CustomTermsOfServiceEnabled": false,
+        "CustomTermsOfServiceReAcceptancePeriod": 365,
+        "EnableAskCommunityLink": true
+    },
+    "AnnouncementSettings": {
+        "EnableBanner": false,
+        "BannerText": "",
+        "BannerColor": "#f2a93b",
+        "BannerTextColor": "#333333",
+        "AllowBannerDismissal": true,
+        "AdminNoticesEnabled": true,
+        "UserNoticesEnabled": true,
+        "NoticesURL": "https://notices.mattermost.com/",
+        "NoticesFetchFrequency": 3600,
+        "NoticesSkipCache": false
+    },
+    "ThemeSettings": {
+        "EnableThemeSelection": true,
+        "DefaultTheme": "default",
+        "AllowCustomThemes": true,
+        "AllowedThemes": []
+    },
+    "GitLabSettings": {
+        "Enable": true,
+        "Secret": "{{ secret "mattermost_sso_secret" }}",
+        "Id": "{{ env "SSO_ID" }}",
+        "Scope": "",
+        "AuthEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/authorize/",
+        "TokenEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/token/",
+        "UserAPIEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/userinfo/",
+        "DiscoveryEndpoint": "https://{{ env "SSO_DOMAIN" }}/application/o/{{ env "SSO_APP" }}/.well-known/openid-configuration",
+        "ButtonText": "{{ env "ORG_NAME" }}",
+        "ButtonColor": "#ff0000"
+    },
+    "GoogleSettings": {
+        "Enable": false,
+        "Secret": "",
+        "Id": "",
+        "Scope": "profile email",
+        "AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
+        "TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
+        "UserAPIEndpoint": "https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata",
+        "DiscoveryEndpoint": "",
+        "ButtonText": "",
+        "ButtonColor": ""
+    },
+    "Office365Settings": {
+        "Enable": false,
+        "Secret": "",
+        "Id": "",
+        "Scope": "User.Read",
+        "AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+        "TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+        "UserAPIEndpoint": "https://graph.microsoft.com/v1.0/me",
+        "DiscoveryEndpoint": "",
+        "DirectoryId": ""
+    },
+    "OpenIdSettings": {
+        "Enable": false,
+        "Secret": "",
+        "Id": "",
+        "Scope": "profile openid email",
+        "AuthEndpoint": "",
+        "TokenEndpoint": "",
+        "UserAPIEndpoint": "",
+        "DiscoveryEndpoint": "",
+        "ButtonText": "",
+        "ButtonColor": "#145DBF"
+    },
+    "LdapSettings": {
+        "Enable": false,
+        "EnableSync": false,
+        "LdapServer": "",
+        "LdapPort": 389,
+        "ConnectionSecurity": "",
+        "BaseDN": "",
+        "BindUsername": "",
+        "BindPassword": "",
+        "UserFilter": "",
+        "GroupFilter": "",
+        "GuestFilter": "",
+        "EnableAdminFilter": false,
+        "AdminFilter": "",
+        "GroupDisplayNameAttribute": "",
+        "GroupIdAttribute": "",
+        "FirstNameAttribute": "",
+        "LastNameAttribute": "",
+        "EmailAttribute": "",
+        "UsernameAttribute": "",
+        "NicknameAttribute": "",
+        "IdAttribute": "",
+        "PositionAttribute": "",
+        "LoginIdAttribute": "",
+        "PictureAttribute": "",
+        "SyncIntervalMinutes": 60,
+        "SkipCertificateVerification": false,
+        "PublicCertificateFile": "",
+        "PrivateKeyFile": "",
+        "QueryTimeout": 60,
+        "MaxPageSize": 0,
+        "LoginFieldName": "",
+        "LoginButtonColor": "#0000",
+        "LoginButtonBorderColor": "#2389D7",
+        "LoginButtonTextColor": "#2389D7"
+    },
+    "ComplianceSettings": {
+        "Enable": false,
+        "Directory": "./data/",
+        "EnableDaily": false,
+        "BatchSize": 30000
+    },
+    "LocalizationSettings": {
+        "DefaultServerLocale": "en",
+        "DefaultClientLocale": "en",
+        "AvailableLocales": "",
+        "EnableExperimentalLocales": false
+    },
+    "SamlSettings": {
+        "Enable": false,
+        "EnableSyncWithLdap": false,
+        "EnableSyncWithLdapIncludeAuth": false,
+        "IgnoreGuestsLdapSync": false,
+        "Verify": true,
+        "Encrypt": true,
+        "SignRequest": false,
+        "IdpURL": "",
+        "IdpDescriptorURL": "",
+        "IdpMetadataURL": "",
+        "ServiceProviderIdentifier": "",
+        "AssertionConsumerServiceURL": "",
+        "SignatureAlgorithm": "RSAwithSHA1",
+        "CanonicalAlgorithm": "Canonical1.0",
+        "ScopingIDPProviderId": "",
+        "ScopingIDPName": "",
+        "IdpCertificateFile": "",
+        "PublicCertificateFile": "",
+        "PrivateKeyFile": "",
+        "IdAttribute": "",
+        "GuestAttribute": "",
+        "EnableAdminAttribute": false,
+        "AdminAttribute": "",
+        "FirstNameAttribute": "",
+        "LastNameAttribute": "",
+        "EmailAttribute": "",
+        "UsernameAttribute": "",
+        "NicknameAttribute": "",
+        "LocaleAttribute": "",
+        "PositionAttribute": "",
+        "LoginButtonText": "SAML",
+        "LoginButtonColor": "#34a28b",
+        "LoginButtonBorderColor": "#2389D7",
+        "LoginButtonTextColor": "#ffffff"
+    },
+    "NativeAppSettings": {
+        "AppCustomURLSchemes": [
+            "mmauth://",
+            "mmauthbeta://"
+        ],
+        "AppDownloadLink": "https://mattermost.com/pl/download-apps",
+        "AndroidAppDownloadLink": "https://mattermost.com/pl/android-app/",
+        "IosAppDownloadLink": "https://mattermost.com/pl/ios-app/",
+        "MobileExternalBrowser": false
+    },
+    "CacheSettings": {
+        "CacheType": "lru",
+        "RedisAddress": "",
+        "RedisPassword": "********************************",
+        "RedisDB": -1,
+        "DisableClientCache": false
+    },
+    "ClusterSettings": {
+        "Enable": false,
+        "ClusterName": "",
+        "OverrideHostname": "",
+        "NetworkInterface": "",
+        "BindAddress": "",
+        "AdvertiseAddress": "",
+        "UseIPAddress": true,
+        "EnableGossipCompression": true,
+        "EnableExperimentalGossipEncryption": false,
+        "ReadOnlyConfig": true,
+        "GossipPort": 8074
+    },
+    "MetricsSettings": {
+        "Enable": false,
+        "BlockProfileRate": 0,
+        "ListenAddress": ":8067",
+        "EnableClientMetrics": true,
+        "EnableNotificationMetrics": true
+    },
+    "ExperimentalSettings": {
+        "ClientSideCertEnable": false,
+        "ClientSideCertCheck": "secondary",
+        "LinkMetadataTimeoutMilliseconds": 5000,
+        "RestrictSystemAdmin": false,
+        "EnableSharedChannels": false,
+        "EnableRemoteClusterService": false,
+        "DisableAppBar": false,
+        "DisableRefetchingOnBrowserFocus": false,
+        "DelayChannelAutocomplete": false,
+        "DisableWakeUpReconnectHandler": false,
+        "UsersStatusAndProfileFetchingPollIntervalMilliseconds": 3000,
+        "YoutubeReferrerPolicy": false
+    },
+    "AnalyticsSettings": {
+        "MaxUsersForStatistics": 2500
+    },
+    "ElasticsearchSettings": {
+        "ConnectionURL": "http://localhost:9200",
+        "Backend": "elasticsearch",
+        "Username": "elastic",
+        "Password": "changeme",
+        "EnableIndexing": false,
+        "EnableSearching": false,
+        "EnableAutocomplete": false,
+        "Sniff": true,
+        "PostIndexReplicas": 1,
+        "PostIndexShards": 1,
+        "ChannelIndexReplicas": 1,
+        "ChannelIndexShards": 1,
+        "UserIndexReplicas": 1,
+        "UserIndexShards": 1,
+        "AggregatePostsAfterDays": 365,
+        "PostsAggregatorJobStartTime": "03:00",
+        "IndexPrefix": "",
+        "LiveIndexingBatchSize": 1,
+        "BatchSize": 10000,
+        "RequestTimeoutSeconds": 30,
+        "SkipTLSVerification": false,
+        "CA": "",
+        "ClientCert": "",
+        "ClientKey": "",
+        "Trace": "",
+        "IgnoredPurgeIndexes": ""
+    },
+    "BleveSettings": {
+        "IndexDir": "",
+        "EnableIndexing": false,
+        "EnableSearching": false,
+        "EnableAutocomplete": false,
+        "BatchSize": 10000
+    },
+    "DataRetentionSettings": {
+        "EnableMessageDeletion": false,
+        "EnableFileDeletion": false,
+        "EnableBoardsDeletion": false,
+        "MessageRetentionDays": 365,
+        "MessageRetentionHours": 0,
+        "FileRetentionDays": 365,
+        "FileRetentionHours": 0,
+        "BoardsRetentionDays": 365,
+        "DeletionJobStartTime": "02:00",
+        "BatchSize": 3000,
+        "TimeBetweenBatchesMilliseconds": 100,
+        "RetentionIdsBatchSize": 100
+    },
+    "MessageExportSettings": {
+        "EnableExport": false,
+        "ExportFormat": "actiance",
+        "DailyRunTime": "01:00",
+        "ExportFromTimestamp": 0,
+        "BatchSize": 10000,
+        "DownloadExportResults": false,
+        "ChannelBatchSize": 100,
+        "ChannelHistoryBatchSize": 10,
+        "GlobalRelaySettings": {
+            "CustomerType": "A9",
+            "SMTPUsername": "",
+            "SMTPPassword": "",
+            "EmailAddress": "",
+            "SMTPServerTimeout": 1800,
+            "CustomSMTPServerName": "",
+            "CustomSMTPPort": "25"
+        }
+    },
+    "JobSettings": {
+        "RunJobs": true,
+        "RunScheduler": true,
+        "CleanupJobsThresholdDays": -1,
+        "CleanupConfigThresholdDays": -1
+    },
+    "PluginSettings": {
+        "Enable": true,
+        "EnableUploads": false,
+        "AllowInsecureDownloadURL": false,
+        "EnableHealthCheck": true,
+        "Directory": "./plugins",
+        "ClientDirectory": "./client/plugins",
+        "Plugins": {
+            "mattermost-ai": {
+                "config": {
+                    "allowPrivateChannels": false,
+                    "allowedTeamIDs": "",
+                    "bots": null,
+                    "defaultBotName": "",
+                    "enableLLMTrace": false,
+                    "enableUserRestrictions": false,
+                    "onlyUsersOnTeam": "",
+                    "services": null,
+                    "transcriptBackend": ""
+                }
+            },
+            "playbooks": {
+                "BotUserID": "d1a1xx1r7jyt8ca8mg1iqpgd3h"
+            }
+        },
+        "PluginStates": {
+            "com.mattermost.calls": {
+                "Enable": true
+            },
+            "com.mattermost.nps": {
+                "Enable": true
+            },
+            "mattermost-ai": {
+                "Enable": true
+            },
+            "playbooks": {
+                "Enable": true
+            }
+        },
+        "EnableMarketplace": true,
+        "EnableRemoteMarketplace": true,
+        "AutomaticPrepackagedPlugins": true,
+        "RequirePluginSignature": false,
+        "MarketplaceURL": "https://api.integrations.mattermost.com",
+        "SignaturePublicKeyFiles": [],
+        "ChimeraOAuthProxyURL": ""
+    },
+    "DisplaySettings": {
+        "CustomURLSchemes": [],
+        "MaxMarkdownNodes": 0
+    },
+    "GuestAccountsSettings": {
+        "Enable": false,
+        "HideTags": false,
+        "AllowEmailAccounts": true,
+        "EnforceMultifactorAuthentication": false,
+        "RestrictCreationToDomains": ""
+    },
+    "ImageProxySettings": {
+        "Enable": false,
+        "ImageProxyType": "local",
+        "RemoteImageProxyURL": "",
+        "RemoteImageProxyOptions": ""
+    },
+    "CloudSettings": {
+        "CWSURL": "https://customers.mattermost.com",
+        "CWSAPIURL": "https://api.internal.test.cloud.mattermost.com",
+        "CWSMock": false,
+        "Disable": false
+    },
+    "ImportSettings": {
+        "Directory": "./import",
+        "RetentionDays": 30
+    },
+    "ExportSettings": {
+        "Directory": "./export",
+        "RetentionDays": 30
+    },
+    "WranglerSettings": {
+        "PermittedWranglerRoles": [],
+        "AllowedEmailDomain": [],
+        "MoveThreadMaxCount": 100,
+        "MoveThreadToAnotherTeamEnable": false,
+        "MoveThreadFromPrivateChannelEnable": false,
+        "MoveThreadFromDirectMessageChannelEnable": false,
+        "MoveThreadFromGroupMessageChannelEnable": false
+    },
+    "ConnectedWorkspacesSettings": {
+        "EnableSharedChannels": false,
+        "EnableRemoteClusterService": false,
+        "DisableSharedChannelsStatusSync": false,
+        "MaxPostsPerSync": 50
+    },
+    "CoopCloudManaged": {        
+    }
+}

entrypoint.sh

@@ -15,5 +15,11 @@ else
     exit 1
 fi
 
+# If the default Mattermost config hasn't already been replaced
+# by the templated config this recipe generates, replace it
+if ! test -f "/mattermost/config/CoopCloudManaged"; then
+    cp /config-to-copy.json /mattermost/config/config.json && touch /mattermost/config/CoopCloudManaged
+fi
+
 # https://github.com/mattermost/mattermost-server/blob/master/build/Dockerfile
-/entrypoint.sh "mattermost"
+/entrypoint.sh "mattermost"

gitlab_config_patch.json.tmpl

@@ -0,0 +1,12 @@
+{
+  "Enable": true,
+  "Secret": "${MATTERMOST_SSO_SECRET}",
+  "Id": "${SSO_ID}",
+  "Scope": "",
+  "AuthEndpoint": "https://${SSO_DOMAIN}/application/o/authorize/",
+  "TokenEndpoint": "https://${SSO_DOMAIN}/application/o/token/",
+  "UserAPIEndpoint": "https://${SSO_DOMAIN}/application/o/userinfo/",
+  "DiscoveryEndpoint": "https://${SSO_DOMAIN}/application/o/${SSO_APP}/.well-known/openid-configuration",
+  "ButtonText": "${ORG_NAME}",
+  "ButtonColor": "#ff0000"
+}

release/0.1.0+7.0.txt

@@ -0,0 +1,6 @@
+This should be a fairly stable update. The only strange behaviour we've noticed so far has been:
+
+- When clicking on 'Channels' to change to 'Boards' or 'Playbooks', your window may flicker and just reload 'Channels'. Click 'Boards' or 'Playbooks' again and it should behave as expected.
+- When clicking on private messages, you may get an error telling you that you don't have permission to view these.
+
+To fix both of these errors, logout of your server in your Mattermost client, delete the server (if you are using an app), and then re-add it. We haven't noticed any issues after doing this.

release/1.4.1+9.5.11

@@ -0,0 +1 @@
+hotfix: rollback to last functional version