Docker for mattermost in production

1. Put cert.pem into web/cert and key-no-password.pem into web/cert/private.
2. docker-compose up -d

The settings of the servers are based on
https://github.com/mattermost/platform/blob/master/doc/install/Production-Ubuntu.md.

app/config_docker.json is based on
https://raw.githubusercontent.com/mattermost/platform/master/config/config.json.

app/Dockerfile

@@ -0,0 +1,23 @@
+FROM ubuntu:14.04
+
+RUN apt-get update && apt-get -y upgrade && apt-get -y install wget
+RUN mkdir -p /mattermost/data
+
+RUN touch /etc/init/mattermost.conf
+RUN echo $'start on runlevel [2345]\n\
+stop on runlevel [016]\n\
+respawn\n\
+chdir /mattermost\n\
+exec bin/platform\n'\
+>> /etc/init/mattermost.conf
+
+RUN wget https://github.com/mattermost/platform/releases/download/v1.2.1/mattermost.tar.gz \
+	&& tar -xvzf mattermost.tar.gz && rm mattermost.tar.gz
+
+ADD config_docker.json /
+ADD docker-entry.sh /
+
+RUN chmod +x /docker-entry.sh
+ENTRYPOINT /docker-entry.sh
+
+EXPOSE 80

app/config_docker.json

@@ -0,0 +1,95 @@
+{
+    "ServiceSettings": {
+        "ListenAddress": ":80",
+        "MaximumLoginAttempts": 10,
+        "SegmentDeveloperKey": "",
+        "GoogleDeveloperKey": "",
+        "EnableOAuthServiceProvider": false,
+        "EnableIncomingWebhooks": false,
+        "EnableOutgoingWebhooks": false,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
+        "EnableTesting": false,
+        "EnableSecurityFixAlert": true
+    },
+    "TeamSettings": {
+        "SiteName": "Mattermost",
+        "MaxUsersPerTeam": 50,
+        "EnableTeamCreation": true,
+        "EnableUserCreation": true,
+        "RestrictCreationToDomains": "",
+        "RestrictTeamNames": true,
+        "EnableTeamListing": false
+    },
+    "SqlSettings": {
+        "DriverName": "postgres",
+        "DataSource": "postgres://mmuser:mmuser_password@PG_ADDR:PG_PORT/mattermost?sslmode=disable&connect_timeout=10",
+        "DataSourceReplicas": [],
+        "MaxIdleConns": 10,
+        "MaxOpenConns": 10,
+        "Trace": false,
+        "AtRestEncryptKey": "7rAh6iwQCkV4cA1Gsg3fgGOXJAQ43QVg"
+    },
+    "LogSettings": {
+        "EnableConsole": false,
+        "ConsoleLevel": "INFO",
+        "EnableFile": true,
+        "FileLevel": "INFO",
+        "FileFormat": "",
+        "FileLocation": ""
+    },
+    "FileSettings": {
+        "DriverName": "local",
+        "Directory": "/mattermost/data/",
+        "EnablePublicLink": true,
+        "PublicLinkSalt": "A705AklYF8MFDOfcwh3I488G8vtLlVip",
+        "ThumbnailWidth": 120,
+        "ThumbnailHeight": 100,
+        "PreviewWidth": 1024,
+        "PreviewHeight": 0,
+        "ProfileWidth": 128,
+        "ProfileHeight": 128,
+        "InitialFont": "luximbi.ttf",
+        "AmazonS3AccessKeyId": "",
+        "AmazonS3SecretAccessKey": "",
+        "AmazonS3Bucket": "",
+        "AmazonS3Region": ""
+    },
+    "EmailSettings": {
+        "EnableSignUpWithEmail": true,
+        "SendEmailNotifications": false,
+        "RequireEmailVerification": false,
+        "FeedbackName": "",
+        "FeedbackEmail": "",
+        "SMTPUsername": "",
+        "SMTPPassword": "",
+        "SMTPServer": "",
+        "SMTPPort": "",
+        "ConnectionSecurity": "",
+        "InviteSalt": "bjlSR4QqkXFBr7TP4oDzlfZmcNuH9YoS",
+        "PasswordResetSalt": "vZ4DcKyVVRlKHHJpexcuXzojkE5PZ5eL",
+        "ApplePushServer": "",
+        "ApplePushCertPublic": "",
+        "ApplePushCertPrivate": ""
+    },
+    "RateLimitSettings": {
+        "EnableRateLimiter": true,
+        "PerSec": 10,
+        "MemoryStoreSize": 10000,
+        "VaryByRemoteAddr": true,
+        "VaryByHeader": ""
+    },
+    "PrivacySettings": {
+        "ShowEmailAddress": true,
+        "ShowFullName": true
+    },
+    "GitLabSettings": {
+        "Enable": false,
+        "Secret": "",
+        "Id": "",
+        "Scope": "",
+        "AuthEndpoint": "",
+        "TokenEndpoint": "",
+        "UserApiEndpoint": ""
+    }
+}

app/docker-entry.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo Starting Platform
+sed -Ei "s/PG_ADDR/$PG_PORT_5432_TCP_ADDR/" /config_docker.json
+sed -Ei "s/PG_PORT/$PG_PORT_5432_TCP_PORT/" /config_docker.json
+cd /mattermost/bin
+./platform -config=/config_docker.json

db/Dockerfile

@@ -0,0 +1,4 @@
+FROM postgres
+ 
+ADD make_db.sh /docker-entrypoint-initdb.d/
+

db/make_db.sh

@@ -0,0 +1,6 @@
+export PGUSER=postgres
+psql <<- EOSQL
+    CREATE DATABASE mattermost;
+    CREATE USER mmuser WITH PASSWORD 'mmuser_password';
+    GRANT ALL PRIVILEGES ON DATABASE mattermost to mmuser;
+EOSQL

docker-compose.yml

@@ -0,0 +1,16 @@
+db:
+  build: db
+  ports:
+    - "5432"
+app:
+  build: app
+  links:
+    - db:pg
+  ports:
+    - "80"
+web:
+  build: web
+  ports:
+    - "8066:443"
+  links:
+    - app:platform

web/Dockerfile

@@ -0,0 +1,25 @@
+FROM ubuntu:14.04
+
+RUN apt-get update && apt-get install -y nginx
+
+RUN rm /etc/nginx/sites-enabled/default
+RUN ln -s /etc/nginx/sites-available/mattermost /etc/nginx/sites-enabled/mattermost
+
+ADD mattermost /etc/nginx/sites-available/
+ADD docker-entry.sh /
+
+RUN mkdir /cert
+ADD cert/cert.pem /cert
+ADD cert/private/key-no-password.pem /cert
+
+RUN chmod +x /docker-entry.sh
+
+# Define mountable directories.
+VOLUME ["/etc/nginx/sites-enabled", "/etc/nginx/certs", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]
+
+# Define working directory.
+WORKDIR /etc/nginx
+
+ENTRYPOINT /docker-entry.sh
+
+EXPOSE 80 443

web/docker-entry.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+echo Starting Nginx
+sed -Ei "s/PLATFORM_ADDR/$PLATFORM_PORT_80_TCP_ADDR/" /etc/nginx/sites-available/mattermost
+sed -Ei "s/PLATFORM_PORT/$PLATFORM_PORT_80_TCP_PORT/" /etc/nginx/sites-available/mattermost
+nginx -g 'daemon off;'

web/mattermost

@@ -0,0 +1,35 @@
+server {
+    listen         80;
+    server_name    chat.navercorp.com;
+    return         301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443;
+    server_name chat.navercorp.com;
+
+    ssl on;
+    ssl_certificate /cert/cert.pem;
+    ssl_certificate_key /cert/key-no-password.pem;
+    ssl_session_timeout 5m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        gzip off;
+        proxy_set_header X-Forwarded-Ssl on;
+
+        client_max_body_size 50M;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header   X-Frame-Options   SAMEORIGIN;
+        proxy_pass http://PLATFORM_ADDR:PLATFORM_PORT;
+    }
+}
+
+# See https://github.com/mattermost/platform/blob/master/doc/install/Production-Ubuntu.md for the SSL configuration