fix(mastodon): mount host user into container properly
This commit is contained in:
parent
6a0924c72c
commit
275976f1e6
@ -11,6 +11,8 @@ mastodon_data_path: "{{ mastodon_base_path }}/data"
|
|||||||
mastodon_repo_path: "{{ mastodon_base_path }}/src"
|
mastodon_repo_path: "{{ mastodon_base_path }}/src"
|
||||||
mastodon_config_path: "{{ mastodon_base_path }}/config"
|
mastodon_config_path: "{{ mastodon_base_path }}/config"
|
||||||
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
|
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
|
||||||
|
mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
|
||||||
|
mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
|
||||||
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
|
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
|
||||||
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
|
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
|
||||||
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
|
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
|
||||||
@ -29,7 +31,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
|
|||||||
mastodon_container_networks:
|
mastodon_container_networks:
|
||||||
- name: "{{ mastodon_container_network_name }}"
|
- name: "{{ mastodon_container_network_name }}"
|
||||||
|
|
||||||
mastodon_container_base_volumes_streaming: []
|
mastodon_container_base_volumes_streaming:
|
||||||
|
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
|
||||||
|
- "{{ mastodon_config_group_file }}:/etc/group:ro"
|
||||||
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
|
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
|
||||||
mastodon_container_volumes_streaming: >-
|
mastodon_container_volumes_streaming: >-
|
||||||
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
|
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
|
||||||
@ -42,6 +46,8 @@ mastodon_container_volumes_sidekiq: >-
|
|||||||
|
|
||||||
mastodon_container_base_volumes:
|
mastodon_container_base_volumes:
|
||||||
- "{{ mastodon_repo_path }}/public:/mastodon/public:z"
|
- "{{ mastodon_repo_path }}/public:/mastodon/public:z"
|
||||||
|
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
|
||||||
|
- "{{ mastodon_config_group_file }}:/etc/group:ro"
|
||||||
mastodon_container_extra_volumes: []
|
mastodon_container_extra_volumes: []
|
||||||
mastodon_container_volumes: >-
|
mastodon_container_volumes: >-
|
||||||
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
|
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
|
||||||
|
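Review bot: The two new variables `mastodon_config_group_file` and `mastodon_config_passwd_file` are later bind-mounted over the containers' `/etc/group` and `/etc/passwd`, but nothing in this vars file says so, and a reader cannot tell whether they are backups, host copies or replacements. Add a comment above them such as `# Rendered from templates/passwd.j2 and group.j2 and bind-mounted read-only over /etc/passwd and /etc/group in the containers, so mastodon_user resolves to the host uid/gid inside the image.` The mounts in the second and third hunks are read-only, which is the right choice for files the container must never rewrite; the note in the comment is what makes that intent survive the next refactor.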
@ -43,6 +43,24 @@
|
|||||||
mode: "0640"
|
mode: "0640"
|
||||||
notify: restart-mastodon-nginx
|
notify: restart-mastodon-nginx
|
||||||
|
|
||||||
|
- name: Ensure fake passwd file is templated
|
||||||
|
template:
|
||||||
|
src: passwd.j2
|
||||||
|
dest: "{{ mastodon_config_passwd_file }}"
|
||||||
|
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||||
|
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart-mastodon
|
||||||
|
|
||||||
|
- name: Ensure fake passwd file is templated
|
||||||
|
template:
|
||||||
|
src: group.j2
|
||||||
|
dest: "{{ mastodon_config_group_file }}"
|
||||||
|
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||||
|
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart-mastodon
|
||||||
|
|
||||||
- name: Ensure mastodon git repository is present and up-to-date
|
- name: Ensure mastodon git repository is present and up-to-date
|
||||||
git:
|
git:
|
||||||
repo: "{{ mastodon_git_upstream_url }}"
|
repo: "{{ mastodon_git_upstream_url }}"
|
||||||
@ -52,6 +70,8 @@
|
|||||||
force: no
|
force: no
|
||||||
recursive: yes
|
recursive: yes
|
||||||
track_submodules: yes
|
track_submodules: yes
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ mastodon_user }}"
|
||||||
register: git_repo_info
|
register: git_repo_info
|
||||||
|
|
||||||
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
|
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
|
||||||
@ -131,6 +151,7 @@
|
|||||||
command: "node ./streaming"
|
command: "node ./streaming"
|
||||||
restart_policy: "{{ mastodon_container_restart_policy }}"
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
ports: "{{ mastodon_container_ports_streaming }}"
|
ports: "{{ mastodon_container_ports_streaming }}"
|
||||||
|
user: "{{ mastodon_user }}"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
|
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
|
||||||
interval: 5s
|
interval: 5s
|
||||||
@ -148,7 +169,7 @@
|
|||||||
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
|
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
|
||||||
restart_policy: "{{ mastodon_container_restart_policy }}"
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
ports: "{{ mastodon_container_ports }}"
|
ports: "{{ mastodon_container_ports }}"
|
||||||
user: "{{ mastodon_user }}"
|
user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
|
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
|
||||||
interval: 5s
|
interval: 5s
|
||||||
@ -156,6 +177,12 @@
|
|||||||
start_period: 0s
|
start_period: 0s
|
||||||
timeout: 5s
|
timeout: 5s
|
||||||
|
|
||||||
|
- name: Ensure container paths belong to the mastodon user
|
||||||
|
community.docker.docker_container_exec:
|
||||||
|
container: "{{ mastodon_container_name }}"
|
||||||
|
command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
|
||||||
|
user: "0"
|
||||||
|
|
||||||
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
|
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
|
||||||
docker_container:
|
docker_container:
|
||||||
name: "{{ mastodon_container_nginx_name }}"
|
name: "{{ mastodon_container_nginx_name }}"
|
||||||
@ -165,12 +192,7 @@
|
|||||||
restart_policy: "{{ mastodon_container_restart_policy }}"
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
|
|
||||||
- name: Ensure assets are precompiled
|
- name: Ensure assets are precompiled
|
||||||
docker_container:
|
community.docker.docker_container_exec:
|
||||||
name: "{{ mastodon_container_name }}"
|
container: "{{ mastodon_container_name }}"
|
||||||
env_file: "{{ mastodon_config_env_file }}"
|
command: "bundle exec rails assets:precompile"
|
||||||
command: "bash -c \"bundle exec rails assets:precompile\""
|
|
||||||
user: "{{ mastodon_user }}"
|
|
||||||
tty: yes
|
|
||||||
interactive: yes
|
|
||||||
detach: no
|
|
||||||
when: git_repo_info.before != git_repo_info.after
|
when: git_repo_info.before != git_repo_info.after
|
||||||
|
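Review bot: The second template task in the first hunk is still named `Ensure fake passwd file is templated` although it renders `group.j2` into `mastodon_config_group_file`; rename it `- name: Ensure fake group file is templated`, otherwise the play output shows the same task twice and a failure of either cannot be told apart. In the streaming container the new `user: "{{ mastodon_user }}"` is a user name that only resolves through the bind-mounted passwd file, whereas the web container in the following hunk was switched to the numeric `user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"`; the numeric form does not depend on name lookup inside the container and should be used in both places. The new `Ensure container paths belong to the mastodon user` task runs `chown -R` as uid 0 inside the container on every play and hard-codes `/opt/mastodon` instead of a role variable, so it reports changed on each run; consider registering the result of the container task and gating the chown on it (or at least adding `changed_when: false`), and add a comment stating why ownership has to be fixed inside the container rather than on the host. The enclosing task list starts and ends outside these hunks.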
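--- a/roles/mastodon/templates/group.j2
+++ b/roles/mastodon/templates/group.j2
@@ -0,0 +1,40 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+{{ mastodon_user }}:x:{{ mastodon_user_info.group }}: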
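Review bot: Both new templates hard-code a fixed account list and carry no comment saying what they are for; because they are mounted over the image's own `/etc/group` and `/etc/passwd` wholesale, any account the image itself defines and its entrypoint may rely on is no longer visible in the container (whether that matters depends on the image, which this page does not show). Add a Jinja comment at the top of each file, e.g. `{# Bind-mounted read-only over /etc/group in the mastodon containers so mastodon_user maps to the host gid; the static entries are a fixed list, not taken from the image. #}` — Jinja drops `{# #}` comments at render time, so the rendered file is unchanged. The same applies to `passwd.j2`, whose mastodon entry additionally fixes the home directory to `/opt/mastodon`, the same literal the in-container chown task uses; a comment noting that the two must agree would save the next maintainer a surprise.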
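--- a/roles/mastodon/templates/passwd.j2
+++ b/roles/mastodon/templates/passwd.j2
@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh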