Merge pull request #1079 from aaronraimist/hydrogen-fix

Fix hydrogen

roles/matrix-client-hydrogen/tasks/setup.yml

@@ -42,6 +42,17 @@
     group: "{{ matrix_user_groupname }}"
   when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
 
+- name: Ensure Hydrogen additional config files installed
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
+  when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
+
 - name: Ensure Hydrogen Docker image is built
   docker_image:
     name: "{{ matrix_client_hydrogen_docker_image }}"

roles/matrix-client-hydrogen/templates/nginx.conf.j2

@@ -0,0 +1,66 @@
+#jinja2: lstrip_blocks: "True"
+# This is a custom nginx configuration file that we use in the container (instead of the default one),
+# because it allows us to run nginx with a non-root user.
+#
+# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
+# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
+#
+# The following changes have been done compared to a default nginx configuration file:
+# - default server port is changed (80 -> 8080), so that a non-root user can bind it
+# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
+# - the `user` directive was removed, as we don't want nginx to switch users
+
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /tmp/nginx.pid;
+
+
+events {
+	worker_connections 1024;
+}
+
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+					'$status $body_bytes_sent "$http_referer" '
+					'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+	sendfile on;
+	#tcp_nopush on;
+
+	keepalive_timeout 65;
+
+	#gzip on;
+
+	server {
+		listen 8080;
+		server_name localhost;
+
+		root /usr/share/nginx/html;
+
+		location / {
+			index index.html index.htm;
+		}
+
+		location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
+			expires -1;
+		}
+
+		error_page 500 502 503 504 /50x.html;
+		location = /50x.html {
+			root /usr/share/nginx/html;
+		}
+	}
+}

roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2

@@ -24,7 +24,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge
 			{% endif %}
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 			--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
-			--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/app/config.json,ro \
 			{% for arg in matrix_client_hydrogen_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}