From eaf15ccc9476816ddea92b648ba6d6f5bce857d3 Mon Sep 17 00:00:00 2001 From: Marco Kundt Date: Thu, 25 Feb 2021 16:51:58 +0100 Subject: [PATCH] initial commit --- .gitignore | 3 + docker-compose.yml | 58 +++++++++++++++++++ env.example | 48 ++++++++++++++++ nginx/mattermost.conf | 131 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 240 insertions(+) create mode 100644 .gitignore create mode 100644 docker-compose.yml create mode 100644 env.example create mode 100644 nginx/mattermost.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..edd4c34 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +data +certs +.env diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..c549128 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,58 @@ +version: "3" + +services: + postgres: + container_name: postgres_mattermost + image: postgres:alpine + restart: unless-stopped + volumes: + - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data + - /etc/localtime:/etc/localtime:ro + environment: + - POSTGRES_USER + - POSTGRES_PASSWORD + - POSTGRES_DB + + nginx: + container_name: nginx_mattermost + image: nginx:alpine + restart: unless-stopped + volumes: + - ${NGINX_MATTERMOST_CONFIG}:/etc/nginx/conf.d/mattermost.conf:ro + - ${LETSENCRYPT_FULLCHAIN_PATH}:/fullchain.pem:ro + - ${LETSENCRYPT_PRIVKEY_PATH}:/privkey.pem:ro + - /etc/localtime:/etc/localtime:ro + ports: + - ${HTTPS_PORT}:443 + - ${HTTP_PORT}:80 + + mattermost: + depends_on: + - postgres + - nginx + container_name: mattermost + image: mattermost/mattermost-enterprise-edition:latest + restart: unless-stopped + volumes: + - ${MATTERMOST_CONFIG_PATH}/config:/mattermost/config:rw + - ${MATTERMOST_DATA_PATH}/data:/mattermost/data:rw + - ${MATTERMOST_LOGS_PATH}/logs:/mattermost/logs:rw + - ${MATTERMOST_PLUGINS_PATH}/plugins:/mattermost/plugins:rw + - ${MATTERMOST_CLIENT_PLUGINS_PATH}/client-plugins:/mattermost/client-plugins:rw + - /etc/localtime:/etc/localtime:ro + environment: + - MM_SERVICESETTINGS_SITEURL + - MM_LOGSETTINGS_CONSOLELEVEL + - MM_LOGSETTINGS_FILELEVEL + - MM_SQLSETTINGS_DRIVERNAME + - MM_SQLSETTINGS_DATASOURCE + - MM_PASSWORDSETTINGS_MINIMUMLENGTH + - MM_PASSWORDSETTINGS_SYMBOL + - MM_PASSWORDSETTINGS_UPPERCASE + +# watchtower: +# container_name: watchtower +# image: containrrr/watchtower:latest +# restart: unless-stopped +# volumes: +# - /var/run/docker.sock:/var/run/docker.sock diff --git a/env.example b/env.example new file mode 100644 index 0000000..4f2e694 --- /dev/null +++ b/env.example @@ -0,0 +1,48 @@ +# Postrges settings +## Documentation for this image and available settings can be found on hub.docker.com +## https://hub.docker.com/_/postgres +POSTGRES_USER=mmuser +POSTGRES_PASSWORD=mmuser_password +POSTGRES_DB=mattermost +POSTGRES_DATA_PATH=./data/postgres # relative paths will work but absolute are preferable + +# Nginx +## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims +## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings +## or changes ones can edit it or provide another config. Important note: inside the container nginx sources +## every config file inside */etc/nginx/conf.d* ending with a *.conf*. + +## Inside the container the uid and gid is 101. The folder owner can be set with +## `sudo chown -R 101:101 ./data/mattermost`. +NGINX_MATTERMOST_CONFIG=./nginx/mattermost.conf +LETSENCRYPT_FULLCHAIN_PATH=./certs/fullchain.pem +LETSENCRYPT_PRIVKEY_PATH=./certs/privkey.pem +## Exposed ports to the host. Inside the container 80 and 443 will be used +HTTPS_PORT=443 +HTTP_PORT=80 + +# Mattermost settings +## Inside the container the uid and gid is 2000. The folder owner can be set with +## `sudo chown -R 2000:2000 ./data/mattermost`. +MATTERMOST_CONFIG_PATH=./data/mattermost/config +MATTERMOST_DATA_PATH=./data/mattermost/data +MATTERMOST_LOGS_PATH=./data/mattermost/logs +MATTERMOST_PLUGINS_PATH=./data/mattermost/plugins +MATTERMOST_CLIENT_PLUGINS_PATH=./data/mattermost/client-plugins + +## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at +## https://docs.mattermost.com/administration/config-settings.html +## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes +## the system console as well and settings set with env variables will be greyed out. + +## Below one can find necessary settings to spin up the Mattermost container +MM_SQLSETTINGS_DRIVERNAME=postgres +MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10 + +## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml) +MM_SERVICESETTINGS_SITEURL=https://mm.example.com +MM_LOGSETTINGS_CONSOLELEVEL=debug +MM_LOGSETTINGS_FILELEVEL=debug +MM_PASSWORDSETTINGS_MINIMUMLENGTH=6 +MM_PASSWORDSETTINGS_SYMBOL='false' +MM_PASSWORDSETTINGS_UPPERCASE='false' diff --git a/nginx/mattermost.conf b/nginx/mattermost.conf new file mode 100644 index 0000000..cc7c0b2 --- /dev/null +++ b/nginx/mattermost.conf @@ -0,0 +1,131 @@ +# mattermost +# config can be tested on https://www.ssllabs.com/ssltest/ and a good nginx config generator https://ssl-config.mozilla.org/ + +# proxy cache +proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off; + +# upstream - is being used in locations' proxy_pass below +upstream backend { + # ip where Mattermost is running + server mattermost:8065; + keepalive 64; +} + +# vhosts definitions +server { + server_name _; + listen 80; + listen [::]:80; + + # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. + return 301 https://$host$request_uri; +} + +server { + server_name _; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ## ssl + # to generate the DH params execute: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 + # with 4096 bits this can take a while; 2048 would be sufficient as well + #ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate + ssl_certificate /fullchain.pem; + ssl_certificate_key /privkey.pem; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + #ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; + + ## security headers + # https://securityheaders.com/ + # https://scotthelme.co.uk/tag/security-headers/ + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + # logging + access_log /var/log/nginx/mm.access.log; + error_log /var/log/nginx/mm.error.log warn; + + # max allowed size of uploaded files + client_max_body_size 256M; + + # gzip for performance + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; + + ## locations + # ACME-challenge + location ^~ /.well-known { + default_type "text/plain"; + root /usr/share/nginx/html; + allow all; + } + + # disable Google bots from indexing this site + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + + # API websocket location + location ~ /api/v[0-9]+/(users/)?websocket$ { + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + client_max_body_size 50M; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + client_body_timeout 60; + send_timeout 300; + lingering_timeout 5; + proxy_connect_timeout 90; + proxy_send_timeout 300; + proxy_read_timeout 90s; + proxy_pass http://backend; + } + + # reverse proxy location + location / { + client_max_body_size 50M; + proxy_set_header Connection ""; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + proxy_read_timeout 600s; + proxy_cache mattermost_cache; + proxy_cache_revalidate on; + proxy_cache_min_uses 2; + proxy_cache_use_stale timeout; + proxy_cache_lock on; + proxy_http_version 1.1; + proxy_pass http://backend; + } +}