finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make (most) containers start as non-root

Browse Source 
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
This commit is contained in:
Slavi Pantaleev
2019-01-27 20:25:13 +02:00
parent 56d501679d
commit 299a8c4c7c
24 changed files with 265 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
roles/matrix-mailer/defaults/main.yml
View File

@ -2,7 +2,12 @@ matrix_mailer_enabled: true
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
matrix_mailer_docker_image: "panubo/postfix:latest"
matrix_mailer_docker_image: "devture/exim-relay:4.91-r1-0"
# The user/group that the container runs with.
# These match the `exim` user/group within the container image.
matrix_mailer_container_user_uid: 100
matrix_mailer_container_user_gid: 101
matrix_mailer_sender_address: "matrix@{{ hostname_identity }}"
matrix_mailer_relay_use: false
@ -10,4 +15,4 @@ matrix_mailer_relay_host_name: "mail.example.com"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: false
matrix_mailer_relay_auth_username: ""
matrix_mailer_relay_auth_password: ""
matrix_mailer_relay_auth_password: ""

9
roles/matrix-mailer/templates/env-mailer.j2
View File

@ -1,8 +1,7 @@
MAILNAME={{ hostname_matrix }}
{% if matrix_mailer_relay_use %}
RELAYHOST={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_host_port }}
SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }}
{% endif %}
{% if matrix_mailer_relay_auth %}
RELAYHOST_AUTH=yes
RELAYHOST_PASSWORDMAP={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_auth_username }}:{{ matrix_mailer_relay_auth_password }}
{% endif %}
SMTP_USERNAME={{ matrix_mailer_relay_auth_username }}
SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }}
{% endif %}

2
roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
View File

@ -9,8 +9,10 @@ ExecStartPre=-/usr/bin/docker kill matrix-mailer
ExecStartPre=-/usr/bin/docker rm matrix-mailer
ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
--log-driver=none \
--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_mailer_base_path }}/env-mailer \
--hostname={{ hostname_matrix }} \
{{ matrix_mailer_docker_image }}
ExecStop=-/usr/bin/docker kill matrix-mailer
ExecStop=-/usr/bin/docker rm matrix-mailer

3
roles/matrix-nginx-proxy/defaults/main.yml
View File

@ -1,5 +1,8 @@
matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# those as more frequently out of date.
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"

18
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
View File

@ -21,23 +21,30 @@
- "{{ matrix_nginx_proxy_data_path }}"
- "{{ matrix_nginx_proxy_confd_path }}"
- name: Ensure Matrix nginx-proxy configured (main config override)
template:
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
dest: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
mode: 0644
when: "matrix_nginx_proxy_enabled"
- name: Ensure Matrix nginx-proxy configured (generic)
template:
src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
mode: 0644
when: "matrix_nginx_proxy_enabled"
- name: Ensure Matrix nginx-proxy configuration for matrix domain exists
template:
src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
mode: 0644
when: "matrix_nginx_proxy_proxy_matrix_enabled"
- name: Ensure Matrix nginx-proxy configuration for riot domain exists
template:
src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
mode: 0644
when: "matrix_nginx_proxy_proxy_riot_enabled"
@ -104,3 +111,8 @@
state: absent
when: "not matrix_nginx_proxy_proxy_riot_enabled"
- name: Ensure Matrix nginx-proxy configuration for main config override deleted
file:
path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
state: absent
when: "not matrix_nginx_proxy_enabled"

1
roles/matrix-nginx-proxy/tasks/ssl/main.yml
View File

@ -15,6 +15,7 @@
mode: 0770
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
recurse: true
with_items:
- "{{ matrix_ssl_log_dir_path }}"
- "{{ matrix_ssl_config_dir_path }}"

10
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
View File

@ -19,12 +19,15 @@
/usr/bin/docker run
--rm
--name=matrix-certbot
--net=host
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-p 80:8080
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
{{ matrix_ssl_lets_encrypt_certbot_docker_image }}
certonly
--non-interactive
--work-dir=/tmp
--http-01-port 8080
{% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
@ -42,13 +45,16 @@
/usr/bin/docker run
--rm
--name=matrix-certbot
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
--network={{ matrix_docker_network }}
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
{{ matrix_ssl_lets_encrypt_certbot_docker_image }}
certonly
--non-interactive
--work-dir=/tmp
--http-01-port 8080
{% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
--standalone
--preferred-challenges http

10
roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 → roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
View File

@ -1,5 +1,5 @@
server {
listen 80;
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
server_tokens off;
@ -8,7 +8,7 @@ server {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:80";
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
@ -22,8 +22,8 @@ server {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
@ -43,7 +43,7 @@ server {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-riot-web:80";
set $backend "matrix-riot-web:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}

8
roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 → roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
View File

@ -1,5 +1,5 @@
server {
listen 80;
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
server_tokens off;
@ -8,7 +8,7 @@ server {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:80";
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
@ -22,8 +22,8 @@ server {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

0
roles/matrix-nginx-proxy/templates/nginx-conf.d/nginx-http.conf.j2 → roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
View File

45
roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 Normal file
View File

@ -0,0 +1,45 @@
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
#
# The following changes have been done compared to a default nginx configuration file:
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

6
roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
View File

@ -14,9 +14,11 @@ ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
-p 80:80 \
-p 443:443 \
-p 80:8080 \
-p 443:8443 \
-v {{ matrix_nginx_proxy_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \
-v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \
-v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \

7
roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
View File

@ -3,19 +3,22 @@
# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
# need to forward requests for `/.well-known/acme-challenge` to the certbot container.
#
# This can happen inside the container network by proxying to `http://matrix-certbot:80`
# This can happen inside the container network by proxying to `http://matrix-certbot:8080`
# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.
docker run \
--rm \
--name=matrix-certbot \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network="{{ matrix_docker_network }}" \
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 \
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \
{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
renew \
--non-interactive \
--work-dir=/tmp \
--http-01-port 8080
{% if matrix_ssl_lets_encrypt_staging %}
--staging \
{% endif %}

5
roles/matrix-postgres/tasks/import_postgres.yml
View File

@ -60,12 +60,13 @@
set_fact:
matrix_postgres_import_command: >-
/usr/bin/docker run --rm --name matrix-postgres-import
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
-v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro
-v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro
--entrypoint=/bin/sh
{{ matrix_postgres_docker_image_latest }}
-c 'cat {{ server_path_postgres_dump }} |
-c 'cat /{{ server_path_postgres_dump|basename }} |
{{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }}
psql -v ON_ERROR_STOP=1 -h matrix-postgres'

2
roles/matrix-postgres/tasks/upgrade_postgres.yml
View File

@ -70,6 +70,7 @@
- name: Perform Postgres database dump
command: |
/usr/bin/docker run --rm --name matrix-postgres-dump \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/out \
@ -104,6 +105,7 @@
- name: Perform Postgres database import
command: |
/usr/bin/docker run --rm --name matrix-postgres-import \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/in:ro \

1
roles/matrix-riot-web/tasks/setup_riot_web.yml
View File

@ -27,6 +27,7 @@
group: "{{ matrix_user_username }}"
with_items:
- {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"}
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"}
when: matrix_riot_web_enabled

60
roles/matrix-riot-web/templates/nginx.conf.j2 Normal file
View File

@ -0,0 +1,60 @@
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
#
# The following changes have been done compared to a default nginx configuration file:
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}

5
roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
View File

@ -11,11 +11,14 @@ ExecStartPre=-/usr/bin/docker kill matrix-riot-web
ExecStartPre=-/usr/bin/docker rm matrix-riot-web
ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /dev/null:/etc/nginx/conf.d/default.conf:ro \
-v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \
-v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \
--network={{ matrix_docker_network }} \
{% if matrix_riot_web_container_expose_port %}
-p 127.0.0.1:8765:80 \
-p 127.0.0.1:8765:8080 \
{% endif %}
{{ matrix_riot_web_docker_image }}
ExecStop=-/usr/bin/docker kill matrix-riot-web

112
roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml
View File

@ -41,69 +41,69 @@
shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_mautrix_telegram_docker_image }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml
when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False"
- set_fact:
matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'
# - set_fact:
# matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'
- set_fact:
matrix_synapse_container_additional_volumes: >
{{ matrix_synapse_container_additional_volumes }}
+
{{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }}
when: "matrix_mautrix_telegram_enabled"
# - set_fact:
# matrix_synapse_container_additional_volumes: >
# {{ matrix_synapse_container_additional_volumes }}
# +
# {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }}
# when: "matrix_mautrix_telegram_enabled"
- set_fact:
matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files }}
+
{{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }}
when: "matrix_mautrix_telegram_enabled"
# - set_fact:
# matrix_synapse_app_service_config_files: >
# {{ matrix_synapse_app_service_config_files }}
# +
# {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }}
# when: "matrix_mautrix_telegram_enabled"
- block:
- name: Fail if matrix-nginx-proxy role already executed
fail:
msg: >
Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your plabook,
so that the matrix-nginx-proxy role would run after the matrix-synapse role.
when: "matrix_nginx_proxy_role_executed"
# - block:
# - name: Fail if matrix-nginx-proxy role already executed
# fail:
# msg: >
# Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
# but it's pointless since the matrix-nginx-proxy role had already executed.
# To fix this, please change the order of roles in your plabook,
# so that the matrix-nginx-proxy role would run after the matrix-synapse role.
# when: "matrix_nginx_proxy_role_executed"
- name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
set_fact:
matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
location {{ matrix_mautrix_telegram_public_endpoint }} {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-telegram:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://localhost:8080;
{% endif %}
}
# - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
# set_fact:
# matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
# location {{ matrix_mautrix_telegram_public_endpoint }} {
# {% if matrix_nginx_proxy_enabled %}
# {# Use the embedded DNS resolver in Docker containers to discover the service #}
# resolver 127.0.0.11 valid=5s;
# set $backend "matrix-mautrix-telegram:8080";
# proxy_pass http://$backend;
# {% else %}
# {# Generic configuration for use outside of our container setup #}
# proxy_pass http://localhost:8080;
# {% endif %}
# }
- name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy
set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks
+
[matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
}}
# - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy
# set_fact:
# matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
# {{
# matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks
# +
# [matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
# }}
when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)"
tags:
- always
# when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)"
# tags:
# - always
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
debug:
msg: >
NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
reverse proxy.
Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
URL endpoint to the matrix-mautrix-telegram container.
when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined"
# - name: Warn about reverse-proxying if matrix-nginx-proxy not used
# debug:
# msg: >
# NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
# reverse proxy.
# Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
# URL endpoint to the matrix-mautrix-telegram container.
# when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined"
#
# Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled)

8
roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
View File

@ -20,11 +20,10 @@ ExecStartPre=/bin/sleep 5
{% endif %}
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--entrypoint=python \
--network={{ matrix_docker_network }} \
-e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \
-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
-e UID={{ matrix_user_uid }} \
-e GID={{ matrix_user_gid }} \
{% if matrix_synapse_federation_enabled %}
-p 8448:8448 \
{% endif %}
@ -37,7 +36,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
{% for volume in matrix_synapse_container_additional_volumes %}
-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
{% endfor %}
{{ matrix_synapse_docker_image }}
{{ matrix_synapse_docker_image }} \
-m synapse.app.homeserver -c /data/homeserver.yaml
ExecStop=-/usr/bin/docker kill matrix-synapse
ExecStop=-/usr/bin/docker rm matrix-synapse
Restart=always