Start appservice-irc as non-root

roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml

@@ -54,6 +54,8 @@
 - name: Generate matrix-appservice-irc registration.yaml if it doesn't exist
   shell: >-
     /usr/bin/docker run --rm --name matrix-appservice-irc-gen
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
     -v {{ matrix_appservice_irc_base_path }}:/data:z
     {{ matrix_appservice_irc_docker_image }}
     node app.js
@@ -82,6 +84,15 @@
       {{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json  }}
   when: "matrix_appservice_irc_enabled"
 
+- name: Ensure IRC configuration directory permissions are correct
+  file:
+    path: "{{ matrix_appservice_irc_base_path }}"
+    state: directory
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+    recurse: true
+  when: "matrix_appservice_irc_enabled"
+
 #
 # Tasks related to getting rid of matrix-appservice-irc (if it was previously enabled)
 #