mirror of
				https://github.com/spantaleev/matrix-docker-ansible-deploy.git
				synced 2025-10-25 09:33:25 +00:00 
			
		
		
		
	This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
		
			
				
	
	
		
			119 lines
		
	
	
		
			3.7 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			119 lines
		
	
	
		
			3.7 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| ---
 | |
| 
 | |
| #
 | |
| # Generic tasks that we always want to happen, regardless
 | |
| # if the user wants matrix-nginx-proxy or not.
 | |
| #
 | |
| # If the user would set up their own nginx proxy server,
 | |
| # the config files from matrix-nginx-proxy can be reused.
 | |
| #
 | |
| # It doesn't hurt to put them in place, even if they turn out
 | |
| # to be unnecessary.
 | |
| #
 | |
| - name: Ensure Matrix nginx-proxy paths exist
 | |
|   file:
 | |
|     path: "{{ item }}"
 | |
|     state: directory
 | |
|     mode: 0750
 | |
|     owner: "{{ matrix_user_username }}"
 | |
|     group: "{{ matrix_user_username }}"
 | |
|   with_items:
 | |
|     - "{{ matrix_nginx_proxy_data_path }}"
 | |
|     - "{{ matrix_nginx_proxy_confd_path }}"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configured (main config override)
 | |
|   template:
 | |
|     src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
 | |
|     dest: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
 | |
|     mode: 0644
 | |
|   when: "matrix_nginx_proxy_enabled"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configured (generic)
 | |
|   template:
 | |
|     src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
 | |
|     dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
 | |
|     mode: 0644
 | |
|   when: "matrix_nginx_proxy_enabled"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configuration for matrix domain exists
 | |
|   template:
 | |
|     src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
 | |
|     dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
 | |
|     mode: 0644
 | |
|   when: "matrix_nginx_proxy_proxy_matrix_enabled"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configuration for riot domain exists
 | |
|   template:
 | |
|     src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
 | |
|     dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
 | |
|     mode: 0644
 | |
|   when: "matrix_nginx_proxy_proxy_riot_enabled"
 | |
| 
 | |
| #
 | |
| # Tasks related to setting up matrix-nginx-proxy
 | |
| #
 | |
| - name: Ensure nginx Docker image is pulled
 | |
|   docker_image:
 | |
|     name: "{{ matrix_nginx_proxy_docker_image }}"
 | |
|   when: matrix_nginx_proxy_enabled
 | |
| 
 | |
| - name: Allow access to nginx proxy ports in firewalld
 | |
|   firewalld:
 | |
|     service: "{{ item }}"
 | |
|     state: enabled
 | |
|     immediate: yes
 | |
|     permanent: yes
 | |
|   with_items:
 | |
|     - "http"
 | |
|     - "https"
 | |
|   when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"
 | |
| 
 | |
| - name: Ensure matrix-nginx-proxy.service installed
 | |
|   template:
 | |
|     src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
 | |
|     dest: "/etc/systemd/system/matrix-nginx-proxy.service"
 | |
|     mode: 0644
 | |
|   when: matrix_nginx_proxy_enabled
 | |
| 
 | |
| 
 | |
| #
 | |
| # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
 | |
| #
 | |
| 
 | |
| - name: Check existence of matrix-nginx-proxy service
 | |
|   stat:
 | |
|     path: "/etc/systemd/system/matrix-nginx-proxy.service"
 | |
|   register: matrix_nginx_proxy_service_stat
 | |
| 
 | |
| - name: Ensure matrix-nginx-proxy is stopped
 | |
|   service:
 | |
|     name: matrix-nginx-proxy
 | |
|     state: stopped
 | |
|     daemon_reload: yes
 | |
|   register: stopping_result
 | |
|   when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
 | |
| 
 | |
| - name: Ensure matrix-nginx-proxy.service doesn't exist
 | |
|   file:
 | |
|     path: "/etc/systemd/system/matrix-nginx-proxy.service"
 | |
|     state: absent
 | |
|   when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
 | |
|   file:
 | |
|     path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
 | |
|     state: absent
 | |
|   when: "not matrix_nginx_proxy_proxy_matrix_enabled"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configuration for riot domain deleted
 | |
|   file:
 | |
|     path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
 | |
|     state: absent
 | |
|   when: "not matrix_nginx_proxy_proxy_riot_enabled"
 | |
| 
 | |
| - name: Ensure Matrix nginx-proxy configuration for main config override deleted
 | |
|   file:
 | |
|     path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
 | |
|     state: absent
 | |
|   when: "not matrix_nginx_proxy_enabled"
 |