Start appservice-irc as non-root

2019-03-12 13:17:51 -04:00
parent c9e2086f19
commit f6de3fd668
2 changed files with 13 additions and 1 deletions
--- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml
@@ -54,6 +54,8 @@
 - name: Generate matrix-appservice-irc registration.yaml if it doesn't exist
  shell: >-
    /usr/bin/docker run --rm --name matrix-appservice-irc-gen
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
    -v {{ matrix_appservice_irc_base_path }}:/data:z
    {{ matrix_appservice_irc_docker_image }}
    node app.js
@@ -82,6 +84,15 @@
      {{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json  }}
  when: "matrix_appservice_irc_enabled"

+- name: Ensure IRC configuration directory permissions are correct
+  file:
+    path: "{{ matrix_appservice_irc_base_path }}"
+    state: directory
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+    recurse: true
+  when: "matrix_appservice_irc_enabled"
+
 #
 # Tasks related to getting rid of matrix-appservice-irc (if it was previously enabled)
 #
--- a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
@@ -11,7 +11,8 @@ ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc
 ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc
 ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
 			--log-driver=none \
-			-e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_appservice_irc_container_expose_client_server_api_port %}
 			-p 127.0.0.1:9999:9999 \