From e6beb736d3d5a208080dfe7e2cd8f238be4e8451 Mon Sep 17 00:00:00 2001
From: "artem.drozdov"
Date: Fri, 17 May 2024 14:27:29 +0300
Subject: [PATCH] Update docker-compose
---
 docker-compose.yml | 136 ++++++++++++++++++++++++++++++++++++++++++++
 nginx/loop-ssl.conf | 58 +++++++++++++++++++
 2 files changed, 194 insertions(+)
 create mode 100644 docker-compose.yml
 create mode 100644 nginx/loop-ssl.conf
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..c206ac3
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,136 @@
+version: "3.9"
+services:
+ reverse:
+ container_name: nginx
+ hostname: nginx
+ image: nginx
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - ./nginx:/etc/nginx/conf.d
+ - ./cert:/etc/nginx/ssl
+ networks:
+ - loop-network
+ depends_on:
+ - loop
+
+ loop:
+ image: "registry.loop.ru/loop/server:2024-02-05-SNAPSHOT-3"
+ restart: "unless-stopped"
+ depends_on:
+ - "db"
+ - "s3"
+ ports:
+ - "8065"
+ - "8443:8443/udp"
+
+ environment:
+ MM_CALLS_RTCD_URL: "http://rtcd.loop.ru:33045" #This is the URL for interacting with the RTC (Real-Time Communication) server, which handles calls in real time.
+ MM_EMAILSETTINGS_PUSHNOTIFICATIONSERVER: "https://push.loop.ru" #This evn indicates the server that sends push notifications.
+ MM_EMAILSETTINGS_SENDPUSHNOTIFICATIONS: "true" #This env indicates whether push notifications are allowed for email
+ MM_EXPERIMENTALSETTINGS_ENABLEAPPBAR: "true" #This env indicates whether the application panel is enabled
+ MM_FEATUREFLAGS_AppsEnabled: "true" #Indicates the availability and ability to use certain applications or functions, for example, access to the gallery to download images
+ MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "" #Access Key ID to access s3 storage
+ MM_FILESETTINGS_AMAZONS3BUCKET: "looponprem-bucket" #The name of the S3 bucket where the files are stored
+ MM_FILESETTINGS_AMAZONS3ENDPOINT: "minio:9000" #The URL of the S3 storage endpoint
+ MM_FILESETTINGS_AMAZONS3PATHPREFIX: "loop" #This option allows you to specify the path to files on S3
+ MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "" #The secret key for accessing S3 storage
+ MM_FILESETTINGS_AMAZONS3SSE: "false" #Env indicates whether SSL (Server-Side Encryption) is enabled for S3
+ MM_FILESETTINGS_AMAZONS3SSL: "false" #Env indicates whether the connection to Amazon S3 should take place over SSL
+ MM_FILESETTINGS_DRIVERNAME: "amazons3" #The name of the driver for working with files
+ MM_FILESETTINGS_MAXFILESIZE: 1048576000 #The maximum file size to download, specified in bytes.
+ MM_JOBSETTINGS_RUNJOBS: "false" #Specifies whether job should be performed
+ MM_JOBSETTINGS_RUNSCHEDULER: "false" #The flag indicates whether the task scheduler should be started
+ MM_LOGSETTINGS_CONSOLEJSON: "false" #The flag indicates whether the output to the console should be in JSON format
+ MM_LOGSETTINGS_CONSOLELEVEL: "DEBUG" #Logging level for console output
+ MM_LOGSETTINGS_FILELEVEL: "DEBUG" #The logging level for writing to a file
+ MM_PLUGINSETTINGS_AUTOMATICPREPACKAGEDPLUGINS: "true" #The flag indicates whether automatic loading of pre-packaged plugins is allowed
+ MM_PLUGINSETTINGS_ENABLEUPLOADS: "true" #The flag indicates whether plugin downloads are allowed
+ MM_SERVICEENVIRONMENT: "production" #The environment in which the application is running (for example, "production")
+ MM_SERVICESETTINGS_ENABLEBOTACCOUNTCREATION: "true" #The flag indicates whether the creation of bot accounts is allowed
+ MM_SERVICESETTINGS_ENABLECUSTOMEMOJI: "true" #Responsible for the ability to use custom emojis in the service or application
+ MM_SERVICESETTINGS_ENABLEDEVELOPER: "true" #The flag indicates whether developer mode is enabled
+ MM_SERVICESETTINGS_ENABLELINKPREVIEWS: "true" #Responsible for the setting that allows you to activate or deactivate the preview of links in the application or service
+ MM_SERVICESETTINGS_ENABLEOAUTHSERVICEPROVIDER: "true" #It is used to determine whether the use of third-party OAuth service providers is allowed
+ MM_SERVICESETTINGS_ENABLETESTING: "true" #The flag indicates whether testing is allowed
+ MM_SERVICESETTINGS_ENABLEUSERACCESSTOKENS: "true" #The flag indicates whether user access tokens are allowed
+ MM_SERVICESETTINGS_GIPHYSDKKEY: "" #Giphy SDK key for integration with Giphy
+ MM_SERVICESETTINGS_LICENSEFILELOCATION: "/mattermost/config/license.txt" #The path to the license file
+ MM_SERVICESETTINGS_LISTENADDRESS: ":8065" #The address and port on which the service is listening.
+ MM_SERVICESETTINGS_SITEURL: "https://loop.example.com" #The public URL of the service.
+ MM_SQLSETTINGS_DATASOURCE: "postgres://loopuser:@db/loop_db?sslmode=disable\u0026connect_timeout=10" #Data source for connecting to the PostgreSQL database
+ MM_SQLSETTINGS_DRIVERNAME: "postgres" #Name of the database driver
+ MM_TEAMSETTINGS_MAXUSERSPERTEAM: 500 #Maximum number of users per team
+
+
+ volumes:
+ - loop-config:/mattermost/config/:rw
+ - loop-data:/mattermost/data/:rw
+ - loop-logs:/mattermost/logs/:rw
+ - loop-plugins:/mattermost/plugins/:rw
+ - loop-client-plugins:/mattermost/client/plugins/:rw
+
+ networks:
+ - loop-network
+
+ db:
+ image: "postgres"
+ restart: "unless-stopped"
+ environment:
+ POSTGRES_PASSWORD: ""
+ POSTGRES_USER: "loopuser"
+ POSTGRES_DB: "loop_db"
+ volumes:
+ - ./db:/var/lib/postgresql/data
+ networks:
+ - loop-network
+
+ s3:
+ container_name: minio
+ image: minio/minio:RELEASE.2022-08-26T19-53-15Z
+ restart: unless-stopped
+ environment:
+ MINIO_ROOT_USER:
+ MINIO_ROOT_PASSWORD:
+ command: server --address :9000 --console-address :9001 /data
+ ports:
+ - "9000"
+ - "9001"
+ volumes:
+ - ./minio:/data
+ networks:
+ - loop-network
+
+ s3-client:
+ container_name: minio-client
+ image: minio/mc:RELEASE.2022-08-28T20-08-11Z
+ volumes:
+ - ./minio:/tmp/policies
+ environment:
+ AWS_ACCESS_KEY_ID:
+ AWS_SECRET_ACCESS_KEY:
+ entrypoint: >
+ /bin/sh -c "
+ until (/usr/bin/mc config host add loop http://minio:9000 ) do echo '...waiting...' && sleep 1; done;
+ /usr/bin/mc mb loop/looponprem-bucket;
+ /usr/bin/mc admin user add loop ;
+ /usr/bin/mc admin policy set loop readwrite user=;
+ exit 0;
+ "
+ networks:
+ - loop-network
+ depends_on:
+ - s3
+
+networks:
+ loop-network:
+
+volumes:
+ db:
+ minio:
+ loop-config:
+ loop-data:
+ loop-logs:
+ loop-plugins:
+ loop-client-plugins:
\ No newline at end of file
diff --git a/nginx/loop-ssl.conf b/nginx/loop-ssl.conf
new file mode 100644
index 0000000..af9006a
--- /dev/null
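Review bot: The `ports:` entries `- "8065"` on `loop` and `- "9000"` / `- "9001"` on `s3` publish those container ports on an ephemeral host port bound to all host interfaces, so the application and the MinIO API/console are reachable on the host directly, bypassing the nginx TLS listener that `reverse` provides; services on `loop-network` already reach each other by name, so drop these entries or use `expose:`, and where host access is genuinely needed bind it explicitly, e.g. `- "127.0.0.1:8065:8065"`. The `loop` service declares `MM_SERVICEENVIRONMENT: "production"` while `MM_SERVICESETTINGS_ENABLEDEVELOPER`, `MM_SERVICESETTINGS_ENABLETESTING` and both `DEBUG` log levels are switched on, a combination to revisit before this file is used as the production template. `POSTGRES_PASSWORD: ""`, the `loopuser:@db` datasource and the bare `MINIO_ROOT_USER:` / `MINIO_ROOT_PASSWORD:` / `AWS_*` keys look like redacted values; note that Compose resolves a bare (null) key from the invoking shell's environment whereas `""` passes a literal empty string, so the two spellings behave differently and should be made deliberate. `image: nginx` and `image: "postgres"` are unpinned, unlike the other three images; pin a tag or digest so rebuilds are reproducible.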
+++ b/nginx/loop-ssl.conf
@@ -0,0 +1,58 @@
+server {
+ listen 80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+}
+
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name loop.example.com;
+
+ ssl_certificate /etc/nginx/ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ # Please update the ciphers in this file every 6 months.
+ # https://ssl-config.mozilla.org/
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header Connection "upgrade";
+
+ client_max_body_size 50M;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_pass http://loop:8065;
+ }
+
+ location / {
+ gzip on;
+ proxy_set_header X-Forwarded-Ssl on;
+
+ client_max_body_size 50M;
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_pass http://loop:8065;
+ }
+}
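Review bot: The websocket `location ~ /api/v[0-9]+/(users/)?websocket$` sets `Upgrade` and `Connection "upgrade"` but never sets `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, under which the upgrade handshake cannot complete; add `proxy_http_version 1.1;` next to the `Upgrade` header. `proxy_set_header X-Frame-Options SAMEORIGIN;` in both locations sets a request header sent to the upstream, not a response header seen by the browser, so it provides no clickjacking protection on its own; if the intent is to enforce it at the edge, use `add_header X-Frame-Options SAMEORIGIN always;`, and the 443 server would also benefit from `add_header Strict-Transport-Security "max-age=63072000" always;` as the Mozilla generator referenced in the comment recommends. Because this nginx is itself the TLS edge (ports 80/443 are published directly in docker-compose.yml), the `map` that passes a client-supplied `$http_x_forwarded_proto` through lets any client choose the scheme the application sees; unless another proxy sits in front, `proxy_set_header X-Forwarded-Proto $scheme;` is the safer form. `listen 443 ssl http2;` is the pre-1.25 spelling; with the unpinned `nginx` image, current releases log a deprecation warning and expect `listen 443 ssl;` plus `http2 on;`.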