finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make (most) containers start as non-root

Browse Source 
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
This commit is contained in:
Slavi Pantaleev
2019-01-27 20:25:13 +02:00
parent 56d501679d
commit 299a8c4c7c
24 changed files with 265 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
View File

@ -21,23 +21,30 @@
- "{{ matrix_nginx_proxy_data_path }}"
- "{{ matrix_nginx_proxy_confd_path }}"
- name: Ensure Matrix nginx-proxy configured (main config override)
template:
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
dest: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
mode: 0644
when: "matrix_nginx_proxy_enabled"
- name: Ensure Matrix nginx-proxy configured (generic)
template:
src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
mode: 0644
when: "matrix_nginx_proxy_enabled"
- name: Ensure Matrix nginx-proxy configuration for matrix domain exists
template:
src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
mode: 0644
when: "matrix_nginx_proxy_proxy_matrix_enabled"
- name: Ensure Matrix nginx-proxy configuration for riot domain exists
template:
src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
mode: 0644
when: "matrix_nginx_proxy_proxy_riot_enabled"
@ -104,3 +111,8 @@
state: absent
when: "not matrix_nginx_proxy_proxy_riot_enabled"
- name: Ensure Matrix nginx-proxy configuration for main config override deleted
file:
path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf"
state: absent
when: "not matrix_nginx_proxy_enabled"