299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp) start as a non-root user. We do this because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
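---
# Upgrades the matrix-postgres database to the latest supported Postgres
# image. The steps are: dump the current database using the image that
# matches the detected installed version, move the existing data
# directory aside as a backup, re-run the regular Postgres setup tasks
# (expected to create a fresh data directory for the latest image), and
# import the dump into the new server.
#
# The plain-text dump ({{ postgres_dump_dir }}/{{ postgres_dump_name }},
# /tmp/matrix-postgres.out by default) holds the entire database. It is
# deleted only after a successful import: psql runs with ON_ERROR_STOP=1,
# so a failed import aborts the play before the delete task and leaves the
# dump behind. Remove it manually once the situation is resolved.

# Defaults below are applied only when the caller left the variable unset
# or empty, so a value supplied by the caller takes precedence.
- name: Set default postgres_dump_dir, if not provided
  set_fact:
    postgres_dump_dir: "/tmp"
  when: "postgres_dump_dir|default('') == ''"

- name: Set postgres_dump_name, if not provided
  set_fact:
    postgres_dump_name: "matrix-postgres.out"
  when: "postgres_dump_name|default('') == ''"

- name: Set postgres_auto_upgrade_backup_data_path, if not provided
  set_fact:
    postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup"
  when: "postgres_auto_upgrade_backup_data_path|default('') == ''"

# Seconds to wait after (re)starting matrix-postgres before using it.
- name: Set postgres_start_wait_time, if not provided
  set_fact:
    postgres_start_wait_time: 15
  when: "postgres_start_wait_time|default('') == ''"

# Pre-flight checks: refuse to run against an external database, or when a
# backup directory from a previous upgrade is still in place.
- name: Fail, if trying to upgrade external Postgres database
  fail:
    msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade."
  when: "not matrix_postgres_enabled"

- name: Check Postgres auto-upgrade backup data directory
  stat:
    path: "{{ postgres_auto_upgrade_backup_data_path }}"
  register: result_auto_upgrade_path

- name: Abort, if existing Postgres auto-upgrade data path detected
  fail:
    msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well."
  when: "result_auto_upgrade_path.stat.exists"

# Expected to set matrix_postgres_detected_existing and
# matrix_postgres_detected_version_corresponding_docker_image, which the
# checks and the dump command below rely on.
- import_tasks: tasks/util/detect_existing_postgres_version.yml

- name: Abort, if no existing Postgres version detected
  fail:
    msg: "Could not find existing Postgres installation"
  when: "not matrix_postgres_detected_existing"

- name: Abort, if already at latest Postgres version
  fail:
    msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do"
  when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest"

- debug:
    msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}"

# Stop the main consumer of the database so no writes happen during the
# dump; Synapse is started again at the end.
- name: Ensure matrix-synapse is stopped
  service:
    name: matrix-synapse
    state: stopped

- name: Ensure matrix-postgres is started
  service:
    name: matrix-postgres
    state: started
    daemon_reload: true

# wait_for with only a timeout simply sleeps. It runs on the controller
# without privilege escalation because it touches nothing on the target.
- name: Wait a bit, so that Postgres can start
  wait_for:
    timeout: "{{ postgres_start_wait_time }}"
  delegate_to: 127.0.0.1
  become: false

# pg_dump runs in a throwaway container from the currently-installed image
# (the same image as the running server), as the matrix user rather than
# root, with the dump directory mounted read-write at /out.
- name: Perform Postgres database dump
  command: |
    /usr/bin/docker run --rm --name matrix-postgres-dump \
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
    --network={{ matrix_docker_network }} \
    --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
    -v {{ postgres_dump_dir }}:/out \
    {{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }}

- name: Ensure matrix-postgres is stopped
  service:
    name: matrix-postgres
    state: stopped

# The old data directory is moved, not copied, so it remains intact as a
# fallback at the backup path until the operator removes it.
- name: Rename existing Postgres data directory
  command: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}"

- debug:
    msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation."

# Re-runs the regular Postgres setup; with the data directory moved away
# this is expected to initialise a fresh one for the latest image.
- import_tasks: tasks/setup_postgres.yml

- name: Ensure matrix-postgres autoruns and is restarted
  service:
    name: matrix-postgres
    enabled: true
    state: restarted
    daemon_reload: true

- name: Wait a bit, so that Postgres can start
  wait_for:
    timeout: "{{ postgres_start_wait_time }}"
  delegate_to: 127.0.0.1
  become: false

# psql runs from the latest image with the dump directory mounted
# read-only. ON_ERROR_STOP=1 makes psql exit non-zero on the first SQL
# error, so a partial import fails this task instead of going unnoticed.
- name: Perform Postgres database import
  command: |
    /usr/bin/docker run --rm --name matrix-postgres-import \
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
    --network={{ matrix_docker_network }} \
    --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
    -v {{ postgres_dump_dir }}:/in:ro \
    {{ matrix_postgres_docker_image_latest }} psql -v ON_ERROR_STOP=1 -h matrix-postgres -f /in/{{ postgres_dump_name }}

# Reached only when the import succeeded; otherwise the dump stays in
# postgres_dump_dir (see the header comment).
- name: Delete Postgres database dump file
  file:
    path: "{{ postgres_dump_dir }}/{{ postgres_dump_name }}"
    state: absent

- name: Ensure matrix-synapse is started
  service:
    name: matrix-synapse
    state: started
    daemon_reload: true

- debug:
    msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well."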