299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
31 lines
810 B
YAML
31 lines
810 B
YAML
---
|
|
|
|
- name: Fail if using unsupported SSL certificate retrieval method
|
|
fail:
|
|
msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
|
|
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']"
|
|
|
|
|
|
# Common tasks, required by any method below.
|
|
|
|
- name: Ensure SSL certificate paths exists
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
mode: 0770
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
recurse: true
|
|
with_items:
|
|
- "{{ matrix_ssl_log_dir_path }}"
|
|
- "{{ matrix_ssl_config_dir_path }}"
|
|
|
|
|
|
# Method specific tasks follow
|
|
|
|
- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml
|
|
|
|
- import_tasks: tasks/ssl/setup_ssl_self_signed.yml
|
|
|
|
- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml
|