1
0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2024-12-12 08:43:55 +02:00
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/tasks/ssl
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
..
main.yml Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
setup_ssl_lets_encrypt_obtain_for_domain.yml Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
setup_ssl_lets_encrypt.yml Make roles more independent of one another 2019-01-16 18:05:48 +02:00
setup_ssl_manually_managed_verify_for_domain.yml Split playbook into multiple roles 2019-01-12 18:01:10 +02:00
setup_ssl_manually_managed.yml Make roles more independent of one another 2019-01-16 18:05:48 +02:00
setup_ssl_self_signed_obtain_for_domain.yml Split playbook into multiple roles 2019-01-12 18:01:10 +02:00
setup_ssl_self_signed.yml Make roles more independent of one another 2019-01-16 18:05:48 +02:00