299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
75 lines
2.1 KiB
YAML
75 lines
2.1 KiB
YAML
---
|
|
|
|
#
|
|
# Tasks related to setting up riot-web
|
|
#
|
|
|
|
- name: Ensure Matrix riot-web path exists
|
|
file:
|
|
path: "{{ matrix_riot_web_data_path }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
when: matrix_riot_web_enabled
|
|
|
|
- name: Ensure riot-web Docker image is pulled
|
|
docker_image:
|
|
name: "{{ matrix_riot_web_docker_image }}"
|
|
when: matrix_riot_web_enabled
|
|
|
|
- name: Ensure Matrix riot-web configured
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}"
|
|
mode: 0644
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
with_items:
|
|
- {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"}
|
|
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
|
- {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"}
|
|
when: matrix_riot_web_enabled
|
|
|
|
- name: Ensure matrix-riot-web.service installed
|
|
template:
|
|
src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2"
|
|
dest: "/etc/systemd/system/matrix-riot-web.service"
|
|
mode: 0644
|
|
when: matrix_riot_web_enabled
|
|
|
|
#
|
|
# Tasks related to getting rid of riot-web (if it was previously enabled)
|
|
#
|
|
|
|
- name: Check existence of matrix-riot-web service
|
|
stat:
|
|
path: "/etc/systemd/system/matrix-riot-web.service"
|
|
register: matrix_riot_web_service_stat
|
|
|
|
- name: Ensure matrix-riot-web is stopped
|
|
service:
|
|
name: matrix-riot-web
|
|
state: stopped
|
|
daemon_reload: yes
|
|
register: stopping_result
|
|
when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists"
|
|
|
|
- name: Ensure matrix-riot-web.service doesn't exist
|
|
file:
|
|
path: "/etc/systemd/system/matrix-riot-web.service"
|
|
state: absent
|
|
when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists"
|
|
|
|
- name: Ensure Matrix riot-web paths doesn't exist
|
|
file:
|
|
path: "{{ matrix_riot_web_data_path }}"
|
|
state: absent
|
|
when: "not matrix_riot_web_enabled"
|
|
|
|
- name: Ensure riot-web Docker image doesn't exist
|
|
docker_image:
|
|
name: "{{ matrix_riot_web_docker_image }}"
|
|
state: absent
|
|
when: "not matrix_riot_web_enabled"
|