diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..f5f2021
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,56 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: decentral1se/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: mattermost
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      environment:
+        DOMAIN: mattermost.swarm-test.autonomic.zone
+        LETS_ENCRYPT_ENV: production
+
+  - name: notify coopcloud-dev on failure
+    image: plugins/matrix
+    settings:
+      homeserver: https://matrix.autonomic.zone
+      roomid: "IFazIpLtxiScqbHqoa:autonomic.zone"
+      userid: "@autono-bot:autonomic.zone"
+      accesstoken:
+        from_secret: autono_bot_access_token
+    depends_on:
+      - deployment
+    when:
+      status:
+        - failure
+trigger:
+  branch:
+    - main
+
+---
+kind: pipeline
+name: recipe release
+steps:
+  - name: release a new version
+    image: decentral1se/drone-abra:latest
+    settings:
+      command: recipe mattermost release
+      deploy_key:
+        from_secret: abra_bot_deploy_key
+
+  - name: trigger downstream builds
+    image: plugins/downstream
+    settings:
+      server: https://drone.autonomic.zone
+      token:
+        from_secret: decentral1se_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-apps-json
+    depends_on:
+      - release a new version
+on
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..f2a58a5
--- /dev/null
+++ b/.env.example
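Review bot: The last added line of the release pipeline document, `on`, is a bare plain scalar after the `steps:` mapping, so the second document in `.drone.yml` will not parse and the `recipe release` pipeline cannot load; the same stray `on` line ends `.env.sample` in this commit and should be deleted there too. Both look like an editor artefact rather than intent. Separately, the `deployment` and `release a new version` steps run `decentral1se/stack-ssh-deploy:latest` and `decentral1se/drone-abra:latest`, and both receive an SSH deploy key from a secret; pinning those images to a fixed tag or digest (e.g. `image: decentral1se/stack-ssh-deploy@sha256:<digest>`) would stop a mutated `latest` from silently changing what runs with that key.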
@@ -0,0 +1,81 @@
+# Domain of service
+DOMAIN=mm.example.com
+
+# Container settings
+## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
+## A list of these tz database names can be looked up at Wikipedia
+## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=UTC
+RESTART_POLICY=unless-stopped
+
+# Postgres settings
+## Documentation for this image and available settings can be found on hub.docker.com
+## https://hub.docker.com/_/postgres
+## Please keep in mind this will create a superuser and it's recommended to use a less privileged
+## user to connect to the database.
+## A guide on how to change the database user to a nonsuperuser can be found in docs/creation-of-nonsuperuser.md
+POSTGRES_IMAGE_TAG=13-alpine
+POSTGRES_DATA_PATH=./volumes/db/var/lib/postgresql/data
+
+POSTGRES_USER=mmuser
+POSTGRES_PASSWORD=mmuser_password
+POSTGRES_DB=mattermost
+
+# Nginx
+## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims
+## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings
+## or changes ones can edit it or provide another config. Important note: inside the container, nginx sources
+## every config file inside */etc/nginx/conf.d* ending with a *.conf* file extension.
+
+## Inside the container the uid and gid is 101. The folder owner can be set with
+## `sudo chown -R 101:101 ./nginx` if needed.
+NGINX_IMAGE_TAG=alpine
+
+## The folder containing server blocks and any additional config to nginx.conf
+NGINX_CONFIG_PATH=./nginx/conf.d
+NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
+
+CERT_PATH=./volumes/web/cert/cert.pem
+KEY_PATH=./volumes/web/cert/key-no-password.pem
+#GITLAB_PKI_CHAIN_PATH=/pki_chain.pem
+#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
+#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
+
+## Exposed ports to the host. Inside the container 80 and 443 will be used
+HTTPS_PORT=443
+HTTP_PORT=80
+
+# Mattermost settings
+## Inside the container the uid and gid is 2000. The folder owner can be set with
+## `sudo chown -R 2000:2000 ./volumes/app/mattermost`.
+MATTERMOST_CONFIG_PATH=./volumes/app/mattermost/config
+MATTERMOST_DATA_PATH=./volumes/app/mattermost/data
+MATTERMOST_LOGS_PATH=./volumes/app/mattermost/logs
+MATTERMOST_PLUGINS_PATH=./volumes/app/mattermost/plugins
+MATTERMOST_CLIENT_PLUGINS_PATH=./volumes/app/mattermost/client/plugins
+
+## This will be 'mattermost-enterprise-edition' or 'mattermost-team-edition' based on the version of Mattermost you're installing.
+MATTERMOST_IMAGE=mattermost-enterprise-edition
+MATTERMOST_IMAGE_TAG=5.39
+
+## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
+## it if you know what you're doing.
+## See https://github.com/mattermost/docker/issues/18
+MATTERMOST_CONTAINER_READONLY=false
+
+## The app port is only relevant for using Mattermost without the nginx container as reverse proxy. This is not meant
+## to be used with the internal HTTP server exposed but rather in case one wants to host several services on one host
+## or for using it behind another existing reverse proxy.
+APP_PORT=8065
+
+## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
+## https://docs.mattermost.com/administration/config-settings.html
+## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
+## the system console as well and settings set with env variables will be greyed out.
+
+## Below one can find necessary settings to spin up the Mattermost container
+MM_SQLSETTINGS_DRIVERNAME=postgres
+MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
+
+## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml)
+MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..537663b
--- /dev/null
+++ b/.env.sample
@@ -0,0 +1,8 @@
+TYPE=mattermost
+
+DOMAIN=mattermost.example.com
+
+## Domain aliases
+#EXTRA_DOMAINS=', `www.mattermost.example.com`'
+LETS_ENCRYPT_ENV=production
+on
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a2f5e96
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+.envrc
+.env
+reference
+deploy.sh
+run.sh
+.idea
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..8d5cecf
--- /dev/null
+++ b/docker-compose.yml
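Review bot: `POSTGRES_PASSWORD=mmuser_password` is presented as a working default with no comment telling the operator to replace it, and the same value is embedded a second time inside `MM_SQLSETTINGS_DATASOURCE` near the end of the file; a comment next to it such as `## Replace before first start; this value is also embedded in MM_SQLSETTINGS_DATASOURCE below` would make the placeholder harder to ship by accident. The `sslmode=disable` in that datasource is presumably tolerable because Postgres is only attached to the stack's `internal` network in docker-compose.yml, but that reasoning belongs in the comment above the line rather than being left for the reader to reconstruct. The whole `# Nginx` block (`NGINX_*`, `CERT_PATH`, `KEY_PATH`, `HTTPS_PORT`, `HTTP_PORT`) documents variables that no service in this commit's docker-compose.yml reads, since TLS is handled by the traefik labels there; it reads as carried over from an upstream compose setup and should be dropped or marked unused so nobody expects those certificate paths to be mounted.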
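Review bot: `.env.sample` does not define `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `MM_SQLSETTINGS_DRIVERNAME` or `MM_SQLSETTINGS_DATASOURCE`, yet docker-compose.yml in this commit passes every one of them through to the containers with bare `- NAME` entries, so a stack deployed from this sample starts both services with those values empty. Either placeholder (not real) entries for them belong here next to `DOMAIN`, or the mechanism that is supposed to supply them should be named in a comment, because it is not visible in this commit. Keeping `.env.example` and `.env.sample` side by side, with different `DOMAIN` values, also invites operators to copy the wrong file; one of the two should go.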
@@ -0,0 +1,78 @@
+version: "3.8"
+
+services:
+  postgres:
+    image: postgres:${POSTGRES_IMAGE_TAG}
+    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    tmpfs:
+      - /tmp
+      - /var/run/postgresql
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      # timezone inside container
+      - TZ
+
+      # necessary Postgres options/variables
+      - POSTGRES_USER
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+    networks:
+      - internal
+
+  mattermost:
+    image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
+    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    read_only: ${MATTERMOST_CONTAINER_READONLY}
+    tmpfs:
+      - /tmp
+    volumes:
+      - mattermost_config:/mattermost/config:rw
+      - mattermost_data:/mattermost/data:rw
+      - mattermost_logs:/mattermost/logs:rw
+      - mattermost_plugins:/mattermost/plugins:rw
+      - mattermost_client_plugins:/mattermost/client/plugins:rw
+    environment:
+      # timezone inside container
+      - TZ
+
+      # necessary Mattermost options/variables (see env.example)
+      - MM_SQLSETTINGS_DRIVERNAME
+      - MM_SQLSETTINGS_DATASOURCE
+
+      # additional settings
+      - MM_SERVICESETTINGS_SITEURL
+    ports:
+      - ${APP_PORT}:8065
+    networks:
+      - proxy
+      - internal
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+
+networks:
+  proxy:
+    external: true
+  internal:
+
+volumes:
+  postgres_data:
+  mattermost_config:
+  mattermost_data:
+  mattermost_logs:
+  mattermost_plugins:
+  mattermost_client_plugins:
+
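Review bot: The label `traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80` points traefik at container port 80, while the `ports:` entry in the same service shows Mattermost listening on 8065, so requests routed through traefik will not reach the app; change it to `- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8065"`. With traefik terminating TLS and the `SSLForceHost` redirect in place, the `ports:` block `- ${APP_PORT}:8065` also publishes the app as plain HTTP straight on the host (on every node, if this is deployed with `docker stack` as `.drone.yml` suggests), bypassing that redirect; it should be removed, or documented as a deliberate bypass. `restart`, `security_opt` and the short `tmpfs` form are, as far as I know, ignored by `docker stack deploy`, so the `no-new-privileges` hardening is presumably not in effect in swarm mode — confirm, and either note the limitation or avoid implying the containers are hardened.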