299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
30 lines
1.1 KiB
Django/Jinja
30 lines
1.1 KiB
Django/Jinja
#!/bin/bash
|
|
|
|
# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
|
|
# need to forward requests for `/.well-known/acme-challenge` to the certbot container.
|
|
#
|
|
# This can happen inside the container network by proxying to `http://matrix-certbot:8080`
|
|
# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.
|
|
|
|
docker run \
|
|
--rm \
|
|
--name=matrix-certbot \
|
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
|
--network="{{ matrix_docker_network }}" \
|
|
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
|
|
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
|
|
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \
|
|
{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
|
|
renew \
|
|
--non-interactive \
|
|
--work-dir=/tmp \
|
|
--http-01-port 8080
|
|
{% if matrix_ssl_lets_encrypt_staging %}
|
|
--staging \
|
|
{% endif %}
|
|
--quiet \
|
|
--standalone \
|
|
--preferred-challenges http \
|
|
--agree-tos \
|
|
--email={{ matrix_ssl_lets_encrypt_support_email }}
|