diff --git a/.env.example b/.env.example
deleted file mode 100644
index f2a58a5..0000000
--- a/.env.example
+++ /dev/null
@@ -1,81 +0,0 @@
-# Domain of service
-DOMAIN=mm.example.com
-
-# Container settings
-## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
-## A list of these tz database names can be looked up at Wikipedia
-## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
-TZ=UTC
-RESTART_POLICY=unless-stopped
-
-# Postgres settings
-## Documentation for this image and available settings can be found on hub.docker.com
-## https://hub.docker.com/_/postgres
-## Please keep in mind this will create a superuser and it's recommended to use a less privileged
-## user to connect to the database.
-## A guide on how to change the database user to a nonsuperuser can be found in docs/creation-of-nonsuperuser.md
-POSTGRES_IMAGE_TAG=13-alpine
-POSTGRES_DATA_PATH=./volumes/db/var/lib/postgresql/data
-
-POSTGRES_USER=mmuser
-POSTGRES_PASSWORD=mmuser_password
-POSTGRES_DB=mattermost
-
-# Nginx
-## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims
-## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings
-## or changes ones can edit it or provide another config. Important note: inside the container, nginx sources
-## every config file inside */etc/nginx/conf.d* ending with a *.conf* file extension.
-
-## Inside the container the uid and gid is 101. The folder owner can be set with
-## `sudo chown -R 101:101 ./nginx` if needed.
-NGINX_IMAGE_TAG=alpine
-
-## The folder containing server blocks and any additional config to nginx.conf
-NGINX_CONFIG_PATH=./nginx/conf.d
-NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
-
-CERT_PATH=./volumes/web/cert/cert.pem
-KEY_PATH=./volumes/web/cert/key-no-password.pem
-#GITLAB_PKI_CHAIN_PATH=/pki_chain.pem
-#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
-#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
-
-## Exposed ports to the host. Inside the container 80 and 443 will be used
-HTTPS_PORT=443
-HTTP_PORT=80
-
-# Mattermost settings
-## Inside the container the uid and gid is 2000. The folder owner can be set with
-## `sudo chown -R 2000:2000 ./volumes/app/mattermost`.
-MATTERMOST_CONFIG_PATH=./volumes/app/mattermost/config
-MATTERMOST_DATA_PATH=./volumes/app/mattermost/data
-MATTERMOST_LOGS_PATH=./volumes/app/mattermost/logs
-MATTERMOST_PLUGINS_PATH=./volumes/app/mattermost/plugins
-MATTERMOST_CLIENT_PLUGINS_PATH=./volumes/app/mattermost/client/plugins
-
-## This will be 'mattermost-enterprise-edition' or 'mattermost-team-edition' based on the version of Mattermost you're installing.
-MATTERMOST_IMAGE=mattermost-enterprise-edition
-MATTERMOST_IMAGE_TAG=5.39
-
-## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
-## it if you know what you're doing.
-## See https://github.com/mattermost/docker/issues/18
-MATTERMOST_CONTAINER_READONLY=false
-
-## The app port is only relevant for using Mattermost without the nginx container as reverse proxy. This is not meant
-## to be used with the internal HTTP server exposed but rather in case one wants to host several services on one host
-## or for using it behind another existing reverse proxy.
-APP_PORT=8065
-
-## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
-## https://docs.mattermost.com/administration/config-settings.html
-## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
-## the system console as well and settings set with env variables will be greyed out.
-
-## Below one can find necessary settings to spin up the Mattermost container
-MM_SQLSETTINGS_DRIVERNAME=postgres
-MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
-
-## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml)
-MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
diff --git a/.env.sample b/.env.sample
index 537663b..9219b19 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,8 +1,26 @@
-TYPE=mattermost
-
+# Domain of service
 DOMAIN=mattermost.example.com
-## Domain aliases
-#EXTRA_DOMAINS=', `www.mattermost.example.com`'
 LETS_ENCRYPT_ENV=production
-on
+
+# SECRET VERSIONS
+SECRET_POSTGRES_PASSWORD_VERSION=v1
+
+# Container settings
+## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
+## A list of these tz database names can be looked up at Wikipedia
+## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=UTC
+RESTART_POLICY=unless-stopped
+
+## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
+## it if you know what you're doing.
+## See https://github.com/mattermost/docker/issues/18
+MATTERMOST_CONTAINER_READONLY=false
+
+## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
+## https://docs.mattermost.com/administration/config-settings.html
+## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
+## the system console as well and settings set with env variables will be greyed out.
+
+
diff --git a/abra-mattermost-entrypoint.sh b/abra-mattermost-entrypoint.sh
new file mode 100644
index 0000000..e9d7da3
--- /dev/null
+++ b/abra-mattermost-entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+if test -f "/run/secrets/postgres_password"; then
+ pwd=`cat /run/secrets/postgres_password`
+ if [ -z $pwd ]; then
+ echo >&2 "error: /run/secrets/postgres_password is empty"
+ exit 1
+ fi
+ echo "abra-mattermost-entrypoint.sh setting POSTGRES_PASSWORD"
+ export "POSTGRES_PASSWORD"="$pwd"
+ export "MM_SQLSETTINGS_DATASOURCE"="postgres://mattermost:${pwd}@postgres:5432/mattermost?sslmode=disable&connect_timeout=10"
+ unset "pwd"
+else
+ echo >&2 "error: /run/secrets/postgres_password does not exist"
+ exit 1
+fi
+
+# https://github.com/mattermost/mattermost-server/blob/master/build/Dockerfile
+/entrypoint.sh "mattermost"
diff --git a/docker-compose.yml b/docker-compose.yml
index 5540f44..517d39b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3.8"
 services:
 postgres:
- image: postgres:${POSTGRES_IMAGE_TAG}
+ image: postgres:13-alpine
 restart: ${RESTART_POLICY}
 security_opt:
 - no-new-privileges:true
@@ -16,14 +16,14 @@ services:
 - TZ
 # necessary Postgres options/variables
- - POSTGRES_USER
- - POSTGRES_PASSWORD
- - POSTGRES_DB
+ - POSTGRES_USER=mattermost
+ - POSTGRES_PASSWORD=/run/secrets/postgres_password
+ - POSTGRES_DB=mattermost
 networks:
 - internal
 mattermost:
- image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
+ image: mattermost/mattermost-team-edition:5.39
 restart: ${RESTART_POLICY}
 security_opt:
 - no-new-privileges:true
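Review bot: The emptiness check `if [ -z $pwd ]; then` leaves `$pwd` unquoted, so a secret containing whitespace expands to several words and `test` reports an error instead of evaluating the condition; quote it as `if [ -z "$pwd" ]; then`. The final `/entrypoint.sh "mattermost"` runs as a child of this script, leaving `sh` as PID 1 to receive the stop signal without forwarding it to the server; `exec /entrypoint.sh "mattermost"` hands the process over instead. The secret is also spliced verbatim into the datasource URL, so a value containing URL-reserved characters such as `@`, `/`, `:`, `?`, `#` or `&` yields an unparsable DSN; a comment stating that the secret must be URL-safe, or percent-encoding it before interpolation, would turn a confusing startup failure into an explicit requirement.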
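Review bot: `- POSTGRES_PASSWORD=/run/secrets/postgres_password` in the postgres `environment` list hands the image the literal path as its password, not the file's contents: the official postgres image reads file-backed secrets only through `POSTGRES_PASSWORD_FILE`, and the `postgres` service in this hunk declares no `secrets:` entry, so the file would not even be mounted there. The new entrypoint on the mattermost side authenticates with the secret's real value, so the two sides disagree and the database connection fails on first initialisation. Change the line to `- POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password` and add `secrets:` / `- postgres_password` to the postgres service so the secret is mounted into both containers.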
@@ -40,14 +40,14 @@ services:
 # timezone inside container
 - TZ
- # necessary Mattermost options/variables (see env.example)
- - MM_SQLSETTINGS_DRIVERNAME
- - MM_SQLSETTINGS_DATASOURCE
+ # necessary Mattermost options/variables (see env.sample)
+ - MM_SQLSETTINGS_DRIVERNAME=postgres
+# - MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
 # additional settings
- - MM_SERVICESETTINGS_SITEURL
+ - MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
 ports:
- - ${APP_PORT}:8065
+ - 8065:8065
 networks:
 - proxy
 - internal
@@ -55,13 +55,30 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.docker.network=proxy"
- - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=${APP_PORT}"
+ - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8065"
 - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
 - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
 - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+ configs:
+ - source: abra_mattermost_entrypoint
+ target: /abra-mattermost-entrypoint.sh
+ mode: 0555
+ secrets:
+ - postgres_password
+ entrypoint: /abra-mattermost-entrypoint.sh
+
+secrets:
+ postgres_password:
+ external: true
+ name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
+
+configs:
+ abra_mattermost_entrypoint:
+ name: abra_mattermost_entrypoint
+ file: ./abra-mattermost-entrypoint.sh
 networks:
 proxy:
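Review bot: `- 8065:8065` under `ports:` publishes Mattermost's plain-HTTP listener on every host interface, so the service stays reachable without passing through the Traefik router, TLS termination or the redirect middleware configured in the next hunk; Traefik already reaches the container over the `proxy` network (`traefik.docker.network=proxy`), so the `ports:` entry can be dropped, or bound to loopback as `- "127.0.0.1:8065:8065"` if local access is wanted. The updated comment `# necessary Mattermost options/variables (see env.sample)` names `env.sample` while the file in this commit is `.env.sample`; `(see .env.sample)` avoids the mismatch. The commented-out `MM_SQLSETTINGS_DATASOURCE` line is a valid YAML comment at column 0, but a short note that the entrypoint script now exports this variable would explain why it is kept rather than deleted.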