Make (most) containers start as non-root

This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -21,23 +21,30 @@
     - "{{ matrix_nginx_proxy_data_path }}"
     - "{{ matrix_nginx_proxy_confd_path }}"
 
+- name: Ensure Matrix nginx-proxy configured (main config override)
+  template:
+    src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
+    dest: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
+    mode: 0644
+  when: "matrix_nginx_proxy_enabled"
+
 - name: Ensure Matrix nginx-proxy configured (generic)
   template:
-    src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
+    src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
     dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
     mode: 0644
   when: "matrix_nginx_proxy_enabled"
 
 - name: Ensure Matrix nginx-proxy configuration for matrix domain exists
   template:
-    src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
     dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
     mode: 0644
   when: "matrix_nginx_proxy_proxy_matrix_enabled"
 
 - name: Ensure Matrix nginx-proxy configuration for riot domain exists
   template:
-    src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
     dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
     mode: 0644
   when: "matrix_nginx_proxy_proxy_riot_enabled"
@@ -104,3 +111,8 @@
     state: absent
   when: "not matrix_nginx_proxy_proxy_riot_enabled"
 
+- name: Ensure Matrix nginx-proxy configuration for main config override deleted
+  file:
+    path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled"

roles/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -15,6 +15,7 @@
     mode: 0770
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
+    recurse: true
   with_items:
     - "{{ matrix_ssl_log_dir_path }}"
     - "{{ matrix_ssl_config_dir_path }}"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -19,12 +19,15 @@
     /usr/bin/docker run
     --rm
     --name=matrix-certbot
-    --net=host
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    -p 80:8080
     -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
     -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
     {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
     certonly
     --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
     --standalone
     --preferred-challenges http
@@ -42,13 +45,16 @@
     /usr/bin/docker run
     --rm
     --name=matrix-certbot
-    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
     --network={{ matrix_docker_network }}
     -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
     -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
     {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
     certonly
     --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
     --standalone
     --preferred-challenges http