Make mautrix-whatsapp run as non-root and w/o capabilities

This commit is contained in:
Slavi Pantaleev 2019-01-28 15:55:58 +02:00
parent 8a3f942d93
commit bf10331456
3 changed files with 27 additions and 12 deletions


@ -17,7 +17,7 @@
- name: Check if a mautrix-telegram configuration file exists - name: Check if a mautrix-telegram configuration file exists
stat: stat:
path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
register: mautrix_config_file_stat register: mautrix_telegram_config_file_stat
- name: Ensure Matrix Mautrix telegram config installed - name: Ensure Matrix Mautrix telegram config installed
template: template:
@ -26,7 +26,7 @@
mode: 0644 mode: 0644
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
when: "matrix_mautrix_telegram_enabled and not mautrix_config_file_stat.stat.exists" when: "matrix_mautrix_telegram_enabled and not mautrix_telegram_config_file_stat.stat.exists"
- name: (Migration) Fix up old configuration - name: (Migration) Fix up old configuration
lineinfile: lineinfile:
@ -37,7 +37,7 @@
with_items: with_items:
- {'regexp': '^(\s+)filename: \./mautrix-telegram.log', 'line': '\1filename: /data/mautrix-telegram.log'} - {'regexp': '^(\s+)filename: \./mautrix-telegram.log', 'line': '\1filename: /data/mautrix-telegram.log'}
- {'regexp': '^(\s+)database:', 'line': '\1database: sqlite:////data/mautrix-telegram.db'} - {'regexp': '^(\s+)database:', 'line': '\1database: sqlite:////data/mautrix-telegram.db'}
when: "matrix_mautrix_telegram_enabled and mautrix_config_file_stat.stat.exists" when: "matrix_mautrix_telegram_enabled and mautrix_telegram_config_file_stat.stat.exists"
- name: Ensure matrix-mautrix-telegram.service installed - name: Ensure matrix-mautrix-telegram.service installed
template: template:


@ -14,8 +14,10 @@
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
when: "matrix_mautrix_whatsapp_enabled" when: "matrix_mautrix_whatsapp_enabled"
- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/config.yaml" - name: Check if a mautrix-whatsapp configuration file exists
register: mautrix_config_file stat:
path: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
register: mautrix_whatsapp_config_file_stat
- name: Ensure Matrix Mautrix whatsapp config installed - name: Ensure Matrix Mautrix whatsapp config installed
template: template:
@ -24,7 +26,7 @@
mode: 0644 mode: 0644
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
when: "matrix_mautrix_whatsapp_enabled and mautrix_config_file.stat.exists == False" when: "matrix_mautrix_whatsapp_enabled and not mautrix_whatsapp_config_file_stat.stat.exists"
- name: Ensure matrix-mautrix-whatsapp.service installed - name: Ensure matrix-mautrix-whatsapp.service installed
template: template:
@ -33,13 +35,23 @@
mode: 0644 mode: 0644
when: "matrix_mautrix_whatsapp_enabled" when: "matrix_mautrix_whatsapp_enabled"
- stat: - name: Check if a mautrix-whatsapp registration file exists
stat:
path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml"
register: mautrix_whatsapp_registration_file register: mautrix_whatsapp_registration_file_stat
- name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist - name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist
shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_mautrix_whatsapp_docker_image }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml shell:
when: "matrix_mautrix_whatsapp_enabled and mautrix_whatsapp_registration_file.stat.exists == False" cmd: >-
/usr/bin/docker run
--rm
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--name matrix-mautrix-whatsapp-gen
-v {{ matrix_mautrix_whatsapp_base_path }}:/data:z
{{ matrix_mautrix_whatsapp_docker_image }}
/usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml
when: "matrix_mautrix_whatsapp_enabled and not mautrix_whatsapp_registration_file_stat.stat.exists"
- set_fact: - set_fact:
matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml' matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml'
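Review bot: The registration step now written as `shell: cmd: >-` still routes `{{ matrix_mautrix_whatsapp_base_path }}` and `{{ matrix_mautrix_whatsapp_docker_image }}` through /bin/sh although nothing in the command uses shell features, so a value containing whitespace or shell metacharacters is split or interpreted instead of being passed as one argument; `command:` with the same `cmd:` body runs docker directly and removes that. Running the generator with `--user` and `--cap-drop=ALL` is the right direction, but a setuid binary inside the image can still regain privileges unless `--security-opt=no-new-privileges` is added next to `--cap-drop=ALL` (the same applies to the service unit in this commit). Because the container is no longer root, the step also depends on the directory task at the top of this file having made `matrix_mautrix_whatsapp_base_path` writable by `matrix_user_uid`; the `group:`/`when:` lines at the start of the hunk suggest that task exists, but its beginning lies outside the hunk so I could not confirm it.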


@ -11,10 +11,13 @@ ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp
ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp
ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \
--log-driver=none \ --log-driver=none \
-e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
-v {{ matrix_mautrix_whatsapp_base_path }}:/data:z \ -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z \
{{ matrix_mautrix_whatsapp_docker_image }} --workdir=/data \
{{ matrix_mautrix_whatsapp_docker_image }} \
/usr/bin/mautrix-whatsapp
ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp
ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp
Restart=always Restart=always
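Review bot: `ExecStart` now runs `/usr/bin/mautrix-whatsapp` with no config or registration arguments and relies on `--workdir=/data` for the binary's default file lookup, while the registration task elsewhere in this commit passes the paths explicitly; using `/usr/bin/mautrix-whatsapp -c /data/config.yaml -r /data/registration.yaml` here keeps both invocations consistent and stops the service from depending on whatever the binary's default lookup happens to be. Replacing `-e "UID=…" -e "GID=…"` with `--user` means the image's own UID/GID handling is bypassed, which presumably also means the entrypoint no longer gets a chance to chown /data or otherwise run as root first; that is not visible from the hunk and deserves a line in the template, e.g. `# runs as the matrix user directly; the image's UID/GID entrypoint handling is bypassed`. As with the generation task, `--cap-drop=ALL` is best paired with `--security-opt=no-new-privileges` so a setuid binary in the image cannot regain privileges. The rest of the `[Service]` section starts outside the hunk.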