299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
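---
# Tasks for the matrix-mautrix-telegram bridge: pull the image, lay down the
# base directory, config and systemd unit, generate registration.yaml on first
# run, and remove the unit again when the bridge is disabled.
#
# Every task is gated on `matrix_mautrix_telegram_enabled`; the removal task at
# the bottom is gated on its negation.

- name: Ensure Mautrix Telegram image is pulled
  docker_image:
    name: "{{ matrix_mautrix_telegram_docker_image }}"
  when: "matrix_mautrix_telegram_enabled"

- name: Ensure Mautrix Telegram configuration path exists
  file:
    path: "{{ matrix_mautrix_telegram_base_path }}"
    state: directory
    # Modes are quoted: an unquoted 0750 is an octal literal only under YAML 1.1
    # rules, and a reviewer dropping the leading zero would silently change it.
    mode: "0750"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  when: "matrix_mautrix_telegram_enabled"

- name: Check whether a Mautrix Telegram config already exists
  stat:
    path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
  register: mautrix_config_file

# Only rendered once: an existing config.yaml is left untouched so that manual
# edits (and any secrets added after the first run) are not overwritten.
- name: Ensure Matrix Mautrix telegram config installed
  template:
    src: "{{ role_path }}/templates/ext/mautrix-telegram/config.yaml.j2"
    dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
    # NOTE(review): the rendered config is not on this page; if the template
    # carries appservice/API tokens, a stricter mode than 0644 would be
    # appropriate — confirm against config.yaml.j2.
    mode: "0644"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  when: "matrix_mautrix_telegram_enabled and not mautrix_config_file.stat.exists"

- name: Ensure matrix-mautrix-telegram.service installed
  template:
    src: "{{ role_path }}/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2"
    dest: "/etc/systemd/system/matrix-mautrix-telegram.service"
    mode: "0644"
  when: "matrix_mautrix_telegram_enabled"

- name: Check whether a Mautrix Telegram registration.yaml already exists
  stat:
    path: "{{ matrix_mautrix_telegram_base_path }}/registration.yaml"
  register: mautrix_telegram_registration_file

# `command` rather than `shell`: nothing here needs a shell, so the interpolated
# path and image name are passed straight to docker as arguments and are never
# re-parsed by /bin/sh. (Ansible still shlex-splits the line, so a value
# containing whitespace would be split — the variables are expected to be plain.)
#
# NOTE(review): per the commit message this container is one of the two not yet
# run as a non-root user, so registration.yaml is created by whatever user the
# image runs as; no owner/mode is applied to the generated file here.
- name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist
  command: >-
    /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen
    -v {{ matrix_mautrix_telegram_base_path }}:/data:z
    {{ matrix_mautrix_telegram_docker_image }}
    python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml
  when: "matrix_mautrix_telegram_enabled and not mautrix_telegram_registration_file.stat.exists"

# The Synapse appservice registration and matrix-nginx-proxy integration below
# is kept for reference but is currently disabled.

# - set_fact:
#     matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'

# - set_fact:
#     matrix_synapse_container_additional_volumes: >
#       {{ matrix_synapse_container_additional_volumes }}
#       +
#       {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }}
#   when: "matrix_mautrix_telegram_enabled"

# - set_fact:
#     matrix_synapse_app_service_config_files: >
#       {{ matrix_synapse_app_service_config_files }}
#       +
#       {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }}
#   when: "matrix_mautrix_telegram_enabled"

# - block:
#     - name: Fail if matrix-nginx-proxy role already executed
#       fail:
#         msg: >
#           Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
#           but it's pointless since the matrix-nginx-proxy role had already executed.
#           To fix this, please change the order of roles in your playbook,
#           so that the matrix-nginx-proxy role would run after the matrix-synapse role.
#       when: "matrix_nginx_proxy_role_executed"
#
#     - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
#       set_fact:
#         matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
#           location {{ matrix_mautrix_telegram_public_endpoint }} {
#           {% if matrix_nginx_proxy_enabled %}
#             {# Use the embedded DNS resolver in Docker containers to discover the service #}
#             resolver 127.0.0.11 valid=5s;
#             set $backend "matrix-mautrix-telegram:8080";
#             proxy_pass http://$backend;
#           {% else %}
#             {# Generic configuration for use outside of our container setup #}
#             proxy_pass http://localhost:8080;
#           {% endif %}
#           }
#
#     - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy
#       set_fact:
#         matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
#           {{
#             matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks
#             +
#             [matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
#           }}
#
#   when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)"
#   tags:
#     - always

# - name: Warn about reverse-proxying if matrix-nginx-proxy not used
#   debug:
#     msg: >
#       NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
#       reverse proxy.
#       Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
#       URL endpoint to the matrix-mautrix-telegram container.
#   when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined"

#
# Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled)
#

# Only the unit file is removed; the data directory and its config/registration
# files are intentionally left in place.
- name: Ensure matrix-mautrix-telegram.service doesn't exist
  file:
    path: "/etc/systemd/system/matrix-mautrix-telegram.service"
    state: absent
  when: "not matrix_mautrix_telegram_enabled"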