recipe-maintainers/mattermost-lts
0
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Working on secrets

Browse Source
This commit is contained in:
notplants
2021-11-30 12:31:04 +01:00
parent 283f567b80
commit d0d3b91aaa
4 changed files with 70 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
.env.example
View File

@ -1,81 +0,0 @@
# Domain of service
DOMAIN=mm.example.com
# Container settings
## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
## A list of these tz database names can be looked up at Wikipedia
## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=UTC
RESTART_POLICY=unless-stopped
# Postgres settings
## Documentation for this image and available settings can be found on hub.docker.com
## https://hub.docker.com/_/postgres
## Please keep in mind this will create a superuser and it's recommended to use a less privileged
## user to connect to the database.
## A guide on how to change the database user to a nonsuperuser can be found in docs/creation-of-nonsuperuser.md
POSTGRES_IMAGE_TAG=13-alpine
POSTGRES_DATA_PATH=./volumes/db/var/lib/postgresql/data
POSTGRES_USER=mmuser
POSTGRES_PASSWORD=mmuser_password
POSTGRES_DB=mattermost
# Nginx
## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims
## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings
## or changes ones can edit it or provide another config. Important note: inside the container, nginx sources
## every config file inside */etc/nginx/conf.d* ending with a *.conf* file extension.
## Inside the container the uid and gid is 101. The folder owner can be set with
## `sudo chown -R 101:101 ./nginx` if needed.
NGINX_IMAGE_TAG=alpine
## The folder containing server blocks and any additional config to nginx.conf
NGINX_CONFIG_PATH=./nginx/conf.d
NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/key-no-password.pem
#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem
#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
## Exposed ports to the host. Inside the container 80 and 443 will be used
HTTPS_PORT=443
HTTP_PORT=80
# Mattermost settings
## Inside the container the uid and gid is 2000. The folder owner can be set with
## `sudo chown -R 2000:2000 ./volumes/app/mattermost`.
MATTERMOST_CONFIG_PATH=./volumes/app/mattermost/config
MATTERMOST_DATA_PATH=./volumes/app/mattermost/data
MATTERMOST_LOGS_PATH=./volumes/app/mattermost/logs
MATTERMOST_PLUGINS_PATH=./volumes/app/mattermost/plugins
MATTERMOST_CLIENT_PLUGINS_PATH=./volumes/app/mattermost/client/plugins
## This will be 'mattermost-enterprise-edition' or 'mattermost-team-edition' based on the version of Mattermost you're installing.
MATTERMOST_IMAGE=mattermost-enterprise-edition
MATTERMOST_IMAGE_TAG=5.39
## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
## it if you know what you're doing.
## See https://github.com/mattermost/docker/issues/18
MATTERMOST_CONTAINER_READONLY=false
## The app port is only relevant for using Mattermost without the nginx container as reverse proxy. This is not meant
## to be used with the internal HTTP server exposed but rather in case one wants to host several services on one host
## or for using it behind another existing reverse proxy.
APP_PORT=8065
## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
## https://docs.mattermost.com/administration/config-settings.html
## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
## the system console as well and settings set with env variables will be greyed out.
## Below one can find necessary settings to spin up the Mattermost container
MM_SQLSETTINGS_DRIVERNAME=postgres
MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml)
MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}

28
.env.sample
View File

@ -1,8 +1,26 @@
TYPE=mattermost # Domain of service
DOMAIN=mattermost.example.com DOMAIN=mattermost.example.com
## Domain aliases
#EXTRA_DOMAINS=', `www.mattermost.example.com`'
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
on
# SECRET VERSIONS
SECRET_POSTGRES_PASSWORD_VERSION=v1
# Container settings
## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
## A list of these tz database names can be looked up at Wikipedia
## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=UTC
RESTART_POLICY=unless-stopped
## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
## it if you know what you're doing.
## See https://github.com/mattermost/docker/issues/18
MATTERMOST_CONTAINER_READONLY=false
## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
## https://docs.mattermost.com/administration/config-settings.html
## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
## the system console as well and settings set with env variables will be greyed out.

19
abra-mattermost-entrypoint.sh Normal file
View File

@ -0,0 +1,19 @@
#!/bin/sh
set -e
if test -f "/run/secrets/postgres_password"; then
pwd=`cat /run/secrets/postgres_password`
if [ -z $pwd ]; then
echo >&2 "error: /run/secrets/postgres_password is empty"
exit 1
fi
echo "abra-mattermost-entrypoint.sh setting POSTGRES_PASSWORD"
export "POSTGRES_PASSWORD"="$pwd"
export "MM_SQLSETTINGS_DATASOURCE"="postgres://mattermost:${pwd}@postgres:5432/mattermost?sslmode=disable&connect_timeout=10"
unset "pwd"
else
echo >&2 "error: /run/secrets/postgres_password does not exist"
exit 1
fi
# https://github.com/mattermost/mattermost-server/blob/master/build/Dockerfile
/entrypoint.sh "mattermost"

39
docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.8"
services: services:
postgres: postgres:
image: postgres:${POSTGRES_IMAGE_TAG} image: postgres:13-alpine
restart: ${RESTART_POLICY} restart: ${RESTART_POLICY}
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
@ -16,14 +16,14 @@ services:
- TZ - TZ
# necessary Postgres options/variables # necessary Postgres options/variables
- POSTGRES_USER - POSTGRES_USER=mattermost
- POSTGRES_PASSWORD - POSTGRES_PASSWORD=/run/secrets/postgres_password
- POSTGRES_DB - POSTGRES_DB=mattermost
networks: networks:
- internal - internal
mattermost: mattermost:
image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG} image: mattermost/mattermost-team-edition:5.39
restart: ${RESTART_POLICY} restart: ${RESTART_POLICY}
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
@ -40,14 +40,14 @@ services:
# timezone inside container # timezone inside container
- TZ - TZ
# necessary Mattermost options/variables (see env.example) # necessary Mattermost options/variables (see env.sample)
- MM_SQLSETTINGS_DRIVERNAME - MM_SQLSETTINGS_DRIVERNAME=postgres
- MM_SQLSETTINGS_DATASOURCE # - MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
# additional settings # additional settings
- MM_SERVICESETTINGS_SITEURL - MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
ports: ports:
- ${APP_PORT}:8065 - 8065:8065
networks: networks:
- proxy - proxy
- internal - internal
@ -55,13 +55,30 @@ services:
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.docker.network=proxy" - "traefik.docker.network=proxy"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=${APP_PORT}" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8065"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
configs:
- source: abra_mattermost_entrypoint
target: /abra-mattermost-entrypoint.sh
mode: 0555
secrets:
- postgres_password
entrypoint: /abra-mattermost-entrypoint.sh
secrets:
postgres_password:
external: true
name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
configs:
abra_mattermost_entrypoint:
name: abra_mattermost_entrypoint
file: ./abra-mattermost-entrypoint.sh
networks: networks:
proxy: proxy: