finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make mautrix-telegram run as non-root and w/o capabilities

Browse Source
This commit is contained in:
Slavi Pantaleev
2019-01-28 15:40:16 +02:00
parent 3e8a4159e6
commit 8a3f942d93
3 changed files with 43 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2
View File

@ -9,12 +9,21 @@ After=matrix-synapse.service
Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram
ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram
ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
-v {{ matrix_mautrix_telegram_base_path }}:/data:z \
{{ matrix_mautrix_telegram_docker_image }} \
alembic -x config=/data/config.yaml upgrade head
ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \
--log-driver=none \
-e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_docker_network }} \
-v {{ matrix_mautrix_telegram_base_path }}:/data:z \
{{ matrix_mautrix_telegram_docker_image }}
{{ matrix_mautrix_telegram_docker_image }} \
python3 -m mautrix_telegram -c /data/config.yaml
ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram
ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram
Restart=always