initial commit

2021-02-25 16:51:58 +01:00 · 2021-02-25 16:51:58 +01:00 · eaf15ccc94
commit eaf15ccc94
4 changed files with 240 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+data
+certs
+.env
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,58 @@
+version: "3"
+
+services:
+  postgres:
+    container_name: postgres_mattermost
+    image: postgres:alpine
+    restart: unless-stopped
+    volumes:
+      - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      - POSTGRES_USER
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+
+  nginx:
+    container_name: nginx_mattermost
+    image: nginx:alpine
+    restart: unless-stopped
+    volumes:
+      - ${NGINX_MATTERMOST_CONFIG}:/etc/nginx/conf.d/mattermost.conf:ro
+      - ${LETSENCRYPT_FULLCHAIN_PATH}:/fullchain.pem:ro
+      - ${LETSENCRYPT_PRIVKEY_PATH}:/privkey.pem:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - ${HTTPS_PORT}:443
+      - ${HTTP_PORT}:80
+
+  mattermost:
+    depends_on:
+      - postgres
+      - nginx
+    container_name: mattermost
+    image: mattermost/mattermost-enterprise-edition:latest
+    restart: unless-stopped
+    volumes:
+      - ${MATTERMOST_CONFIG_PATH}/config:/mattermost/config:rw
+      - ${MATTERMOST_DATA_PATH}/data:/mattermost/data:rw
+      - ${MATTERMOST_LOGS_PATH}/logs:/mattermost/logs:rw
+      - ${MATTERMOST_PLUGINS_PATH}/plugins:/mattermost/plugins:rw
+      - ${MATTERMOST_CLIENT_PLUGINS_PATH}/client-plugins:/mattermost/client-plugins:rw
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      - MM_SERVICESETTINGS_SITEURL
+      - MM_LOGSETTINGS_CONSOLELEVEL
+      - MM_LOGSETTINGS_FILELEVEL
+      - MM_SQLSETTINGS_DRIVERNAME
+      - MM_SQLSETTINGS_DATASOURCE
+      - MM_PASSWORDSETTINGS_MINIMUMLENGTH
+      - MM_PASSWORDSETTINGS_SYMBOL
+      - MM_PASSWORDSETTINGS_UPPERCASE
+
+#  watchtower:
+#    container_name: watchtower
+#    image: containrrr/watchtower:latest
+#    restart: unless-stopped
+#    volumes:
+#      - /var/run/docker.sock:/var/run/docker.sock
--- a/env.example
+++ b/env.example
@ -0,0 +1,48 @@
+# Postrges settings
+## Documentation for this image and available settings can be found on hub.docker.com
+## https://hub.docker.com/_/postgres
+POSTGRES_USER=mmuser
+POSTGRES_PASSWORD=mmuser_password
+POSTGRES_DB=mattermost
+POSTGRES_DATA_PATH=./data/postgres  # relative paths will work but absolute are preferable
+
+# Nginx
+## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims
+## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings
+## or changes ones can edit it or provide another config. Important note: inside the container nginx sources
+## every config file inside */etc/nginx/conf.d* ending with a *.conf*.
+
+## Inside the container the uid and gid is 101. The folder owner can be set with
+## `sudo chown -R 101:101 ./data/mattermost`.
+NGINX_MATTERMOST_CONFIG=./nginx/mattermost.conf
+LETSENCRYPT_FULLCHAIN_PATH=./certs/fullchain.pem
+LETSENCRYPT_PRIVKEY_PATH=./certs/privkey.pem
+## Exposed ports to the host. Inside the container 80 and 443 will be used
+HTTPS_PORT=443
+HTTP_PORT=80
+
+# Mattermost settings
+## Inside the container the uid and gid is 2000. The folder owner can be set with
+## `sudo chown -R 2000:2000 ./data/mattermost`.
+MATTERMOST_CONFIG_PATH=./data/mattermost/config
+MATTERMOST_DATA_PATH=./data/mattermost/data
+MATTERMOST_LOGS_PATH=./data/mattermost/logs
+MATTERMOST_PLUGINS_PATH=./data/mattermost/plugins
+MATTERMOST_CLIENT_PLUGINS_PATH=./data/mattermost/client-plugins
+
+## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
+## https://docs.mattermost.com/administration/config-settings.html
+## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
+## the system console as well and settings set with env variables will be greyed out.
+
+## Below one can find necessary settings to spin up the Mattermost container
+MM_SQLSETTINGS_DRIVERNAME=postgres
+MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
+
+## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml)
+MM_SERVICESETTINGS_SITEURL=https://mm.example.com
+MM_LOGSETTINGS_CONSOLELEVEL=debug
+MM_LOGSETTINGS_FILELEVEL=debug
+MM_PASSWORDSETTINGS_MINIMUMLENGTH=6
+MM_PASSWORDSETTINGS_SYMBOL='false'
+MM_PASSWORDSETTINGS_UPPERCASE='false'
--- a/nginx/mattermost.conf
+++ b/nginx/mattermost.conf
@ -0,0 +1,131 @@
+# mattermost
+# config can be tested on https://www.ssllabs.com/ssltest/ and a good nginx config generator https://ssl-config.mozilla.org/
+
+# proxy cache
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+# upstream - is being used in locations' proxy_pass below
+upstream backend {
+    # ip where Mattermost is running
+    server mattermost:8065;
+    keepalive 64;
+}
+
+# vhosts definitions
+server {
+    server_name _;
+    listen 80;
+    listen [::]:80;
+
+    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
+    return 301 https://$host$request_uri;
+}
+
+server {
+    server_name _;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ## ssl
+    # to generate the DH params execute: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+    # with 4096 bits this can take a while; 2048 would be sufficient as well
+    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+    ssl_certificate /fullchain.pem;
+    ssl_certificate_key /privkey.pem;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    #ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+    ## security headers
+    # https://securityheaders.com/
+    # https://scotthelme.co.uk/tag/security-headers/
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+    # logging
+    access_log /var/log/nginx/mm.access.log;
+    error_log /var/log/nginx/mm.error.log warn;
+
+    # max allowed size of uploaded files
+    client_max_body_size 256M;
+
+    # gzip for performance
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+    ## locations
+    # ACME-challenge
+    location ^~ /.well-known {
+        default_type "text/plain";
+        root /usr/share/nginx/html;
+        allow all;
+    }
+
+    # disable Google bots from indexing this site
+    location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+    }
+
+    # API websocket location
+    location ~ /api/v[0-9]+/(users/)?websocket$ {
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        client_max_body_size 50M;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_buffers 256 16k;
+        proxy_buffer_size 16k;
+        client_body_timeout 60;
+        send_timeout 300;
+        lingering_timeout 5;
+        proxy_connect_timeout 90;
+        proxy_send_timeout 300;
+        proxy_read_timeout 90s;
+        proxy_pass http://backend;
+    }
+
+    # reverse proxy location
+    location / {
+        client_max_body_size 50M;
+        proxy_set_header Connection "";
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_buffers 256 16k;
+        proxy_buffer_size 16k;
+        proxy_read_timeout 600s;
+        proxy_cache mattermost_cache;
+        proxy_cache_revalidate on;
+        proxy_cache_min_uses 2;
+        proxy_cache_use_stale timeout;
+        proxy_cache_lock on;
+        proxy_http_version 1.1;
+        proxy_pass http://backend;
+    }
+}