mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-10 20:57:41 +01:00
299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
85 lines
2.9 KiB
YAML
85 lines
2.9 KiB
YAML
---
|
|
|
|
# Pre-checks
|
|
|
|
- name: Fail if Postgres not enabled
|
|
fail:
|
|
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import."
|
|
when: "not matrix_postgres_enabled"
|
|
|
|
- name: Fail if playbook called incorrectly
|
|
fail:
|
|
msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars"
|
|
when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')"
|
|
|
|
- name: Check if the provided Postgres dump file exists
|
|
stat:
|
|
path: "{{ server_path_postgres_dump }}"
|
|
register: result_server_path_postgres_dump_stat
|
|
|
|
- name: Fail if provided Postgres dump file doesn't exists
|
|
fail:
|
|
msg: "File cannot be found on the server at {{ server_path_postgres_dump }}"
|
|
when: not result_server_path_postgres_dump_stat.stat.exists
|
|
|
|
|
|
# Defaults
|
|
|
|
- name: Set postgres_start_wait_time, if not provided
|
|
set_fact:
|
|
postgres_start_wait_time: 15
|
|
when: "postgres_start_wait_time|default('') == ''"
|
|
|
|
- name: Set postgres_import_wait_time, if not provided
|
|
set_fact:
|
|
postgres_import_wait_time: "{{ 7 * 86400 }}"
|
|
when: "postgres_import_wait_time|default('') == ''"
|
|
|
|
# Actual import work
|
|
|
|
- name: Ensure matrix-postgres is started
|
|
service:
|
|
name: matrix-postgres
|
|
state: started
|
|
daemon_reload: yes
|
|
|
|
- name: Wait a bit, so that Postgres can start
|
|
wait_for:
|
|
timeout: "{{ postgres_start_wait_time }}"
|
|
delegate_to: 127.0.0.1
|
|
become: false
|
|
|
|
- import_tasks: tasks/util/detect_existing_postgres_version.yml
|
|
|
|
- name: Abort, if no existing Postgres version detected
|
|
fail:
|
|
msg: "Could not find existing Postgres installation"
|
|
when: "not matrix_postgres_detected_existing"
|
|
|
|
- name: Generate Postgres database import command
|
|
set_fact:
|
|
matrix_postgres_import_command: >-
|
|
/usr/bin/docker run --rm --name matrix-postgres-import
|
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
|
--network={{ matrix_docker_network }}
|
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
|
|
-v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro
|
|
--entrypoint=/bin/sh
|
|
{{ matrix_postgres_docker_image_latest }}
|
|
-c 'cat /{{ server_path_postgres_dump|basename }} |
|
|
{{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }}
|
|
psql -v ON_ERROR_STOP=1 -h matrix-postgres'
|
|
|
|
- name: Note about Postgres importing alternative
|
|
debug:
|
|
msg: >
|
|
Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`.
|
|
If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`),
|
|
delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`)
|
|
and manually run the above import command directly on the server.
|
|
|
|
- name: Perform Postgres database import
|
|
command: "{{ matrix_postgres_import_command }}"
|
|
async: "{{ postgres_import_wait_time }}"
|
|
poll: 10
|