1
0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2024-12-12 08:43:55 +02:00
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/tasks
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
..
ssl Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
init.yml Split playbook into multiple roles 2019-01-12 18:01:10 +02:00
main.yml Make matrix-nginx-proxy role independent of others 2019-01-17 13:32:46 +02:00
self_check_well_known.yml Split playbook into multiple roles 2019-01-12 18:01:10 +02:00
setup_nginx_proxy.yml Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
setup_well_known.yml Split playbook into multiple roles 2019-01-12 18:01:10 +02:00
validate_config.yml Make matrix-nginx-proxy role independent of others 2019-01-17 13:32:46 +02:00