Make (most) containers start as non-root

This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.

roles/matrix-riot-web/tasks/setup_riot_web.yml

@@ -27,6 +27,7 @@
     group: "{{ matrix_user_username }}"
   with_items:
     - {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"}
+    - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
     - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"}
   when: matrix_riot_web_enabled
 

roles/matrix-riot-web/templates/nginx.conf.j2

@@ -0,0 +1,60 @@
+# This is a custom nginx configuration file that we use in the container (instead of the default one),
+# because it allows us to run nginx with a non-root user.
+#
+# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
+# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
+#
+# The following changes have been done compared to a default nginx configuration file:
+# - default server port is changed (80 -> 8080), so that a non-root user can bind it
+# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
+# - the `user` directive was removed, as we don't want nginx to switch users
+
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /tmp/nginx.pid;
+
+
+events {
+	worker_connections 1024;
+}
+
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+					'$status $body_bytes_sent "$http_referer" '
+					'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+	sendfile on;
+	#tcp_nopush on;
+
+	keepalive_timeout 65;
+
+	#gzip on;
+
+	server {
+		listen 8080;
+		server_name localhost;
+
+		location / {
+			root /usr/share/nginx/html;
+			index index.html index.htm;
+		}
+
+		error_page 500 502 503 504 /50x.html;
+		location = /50x.html {
+			root /usr/share/nginx/html;
+		}
+	}
+}

roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2

@@ -11,11 +11,14 @@ ExecStartPre=-/usr/bin/docker kill matrix-riot-web
 ExecStartPre=-/usr/bin/docker rm matrix-riot-web
 ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
 			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			-v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
+			-v /dev/null:/etc/nginx/conf.d/default.conf:ro \
 			-v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \
 			-v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_riot_web_container_expose_port %}
-			-p 127.0.0.1:8765:80 \
+			-p 127.0.0.1:8765:8080 \
 			{% endif %}
 			{{ matrix_riot_web_docker_image }}
 ExecStop=-/usr/bin/docker kill matrix-riot-web