Make mautrix-telegram run as non-root and w/o capabilities

2019-01-28 15:40:16 +02:00
parent 3e8a4159e6
commit 8a3f942d93
3 changed files with 43 additions and 11 deletions
--- a/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2
@ -26,7 +26,7 @@ appservice:
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
-    database: sqlite:///mautrix-telegram.db
+    database: sqlite:////data/mautrix-telegram.db

    # Public part of web server for out-of-Matrix interaction with the bridge.
    # Used for things like login if the user wants to make sure the 2FA password isn't stored in
@ -253,7 +253,7 @@ logging:
        file:
            class: logging.handlers.RotatingFileHandler
            formatter: precise
-            filename: ./mautrix-telegram.log
+            filename: /data/mautrix-telegram.log
            maxBytes: 10485760
            backupCount: 10
        console:
--- a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2
@ -9,12 +9,21 @@ After=matrix-synapse.service
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram
 ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram
+ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			-v {{ matrix_mautrix_telegram_base_path }}:/data:z \
+			{{ matrix_mautrix_telegram_docker_image }} \
+			alembic -x config=/data/config.yaml upgrade head
 ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \
 			--log-driver=none \
-			-e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_telegram_base_path }}:/data:z \
-			{{ matrix_mautrix_telegram_docker_image }}
+			{{ matrix_mautrix_telegram_docker_image }} \
+			python3 -m mautrix_telegram -c /data/config.yaml
 ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram
 ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram
 Restart=always