From 275976f1e61b0fded4e3cb3dea693ae9efe60df6 Mon Sep 17 00:00:00 2001
From: Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu>
Date: Fri, 26 Aug 2022 11:26:58 +0200
Subject: [PATCH] fix(mastodon): mount host user into container properly

---
 roles/mastodon/defaults/main.yml   |  8 +++++-
 roles/mastodon/tasks/main.yml      | 40 +++++++++++++++++++++++-------
 roles/mastodon/templates/group.j2  | 40 ++++++++++++++++++++++++++++++
 roles/mastodon/templates/passwd.j2 | 20 +++++++++++++++
 4 files changed, 98 insertions(+), 10 deletions(-)
 create mode 100644 roles/mastodon/templates/group.j2
 create mode 100644 roles/mastodon/templates/passwd.j2

diff --git a/roles/mastodon/defaults/main.yml b/roles/mastodon/defaults/main.yml
index 3296e0a..d261a0c 100644
--- a/roles/mastodon/defaults/main.yml
+++ b/roles/mastodon/defaults/main.yml
@@ -11,6 +11,8 @@ mastodon_data_path: "{{ mastodon_base_path }}/data"
 mastodon_repo_path: "{{ mastodon_base_path }}/src"
 mastodon_config_path: "{{ mastodon_base_path }}/config"
 mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
+mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
+mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
 mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
 mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
 mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
@@ -29,7 +31,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
 mastodon_container_networks:
   - name: "{{ mastodon_container_network_name }}"
 
-mastodon_container_base_volumes_streaming: []
+mastodon_container_base_volumes_streaming:
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
 mastodon_container_volumes_streaming: >-
   {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
@@ -42,6 +46,8 @@ mastodon_container_volumes_sidekiq: >-
 
 mastodon_container_base_volumes:
   - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes: []
 mastodon_container_volumes: >-
   {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml
index 98caf9d..9997181 100644
--- a/roles/mastodon/tasks/main.yml
+++ b/roles/mastodon/tasks/main.yml
@@ -43,6 +43,24 @@
     mode: "0640"
   notify: restart-mastodon-nginx
 
+- name: Ensure fake passwd file is templated
+  template:
+    src: passwd.j2
+    dest: "{{ mastodon_config_passwd_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
+- name: Ensure fake passwd file is templated
+  template:
+    src: group.j2
+    dest: "{{ mastodon_config_group_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
 - name: Ensure mastodon git repository is present and up-to-date
   git:
     repo: "{{ mastodon_git_upstream_url }}"
@@ -52,6 +70,8 @@
     force: no
     recursive: yes
     track_submodules: yes
+  become: yes
+  become_user: "{{ mastodon_user }}"
   register: git_repo_info
 
 - name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
@@ -131,6 +151,7 @@
     command: "node ./streaming"
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports_streaming }}"
+    user: "{{ mastodon_user }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
       interval: 5s
@@ -148,7 +169,7 @@
     command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports }}"
-    user: "{{ mastodon_user }}"
+    user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
       interval: 5s
@@ -156,6 +177,12 @@
       start_period: 0s
       timeout: 5s
 
+- name: Ensure container paths belong to the mastodon user
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
+    user: "0"
+
 - name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
   docker_container:
     name: "{{ mastodon_container_nginx_name }}"
@@ -165,12 +192,7 @@
     restart_policy: "{{ mastodon_container_restart_policy }}"
 
 - name: Ensure assets are precompiled
-  docker_container:
-    name: "{{ mastodon_container_name }}"
-    env_file: "{{ mastodon_config_env_file }}"
-    command: "bash -c \"bundle exec rails assets:precompile\""
-    user: "{{ mastodon_user }}"
-    tty: yes
-    interactive: yes
-    detach: no
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "bundle exec rails assets:precompile"
   when: git_repo_info.before != git_repo_info.after
diff --git a/roles/mastodon/templates/group.j2 b/roles/mastodon/templates/group.j2
new file mode 100644
index 0000000..0b3e147
--- /dev/null
+++ b/roles/mastodon/templates/group.j2
@@ -0,0 +1,40 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:
diff --git a/roles/mastodon/templates/passwd.j2 b/roles/mastodon/templates/passwd.j2
new file mode 100644
index 0000000..a5220d3
--- /dev/null
+++ b/roles/mastodon/templates/passwd.j2
@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh