From 560ebd0ae6d4fbde7be59b6f374559be0f864787 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Oct 2024 08:55:51 +0200
Subject: [PATCH] Make /tmp for maubot writable

---
 .../templates/systemd/matrix-bot-maubot.service.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/custom/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2 b/roles/custom/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
index 4b9f782f7..c54dbd084 100644
--- a/roles/custom/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
+++ b/roles/custom/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
@@ -16,6 +16,10 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-maubot 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-maubot 2>/dev/null || true'
+{#
+ We mount a tmpfs at /tmp, because some maubot plugins may wish to write to it.
+ It makes sense to provide at least some sort of temporary storage.
+#}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --rm \
 --name=matrix-bot-maubot \
@@ -25,6 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --cap-drop=ALL \
 --mount type=bind,src={{ matrix_bot_maubot_config_path }},dst=/config,ro \
 --mount type=bind,src={{ matrix_bot_maubot_data_path }},dst=/data \
+--tmpfs=/tmp:rw,noexec,nosuid,size=1024m \
 --label-file={{ matrix_bot_maubot_base_path }}/labels \
 {% for arg in matrix_bot_maubot_container_extra_arguments %}
 {{ arg }} \
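Review bot: The new `--tmpfs=/tmp:rw,noexec,nosuid,size=1024m` line in the second hunk hard-codes a 1 GiB memory-backed allocation, and no container memory limit is visible in this hunk, so a misbehaving plugin that fills /tmp can hold up to 1 GiB of host RAM (and swap) before it sees ENOSPC; consider exposing the size through a role variable (for example a new `matrix_bot_maubot_container_tmpfs_size` defaulting to `1024m` — the name is a proposal, not an existing variable) so operators on small hosts can shrink it. The explicit `noexec,nosuid` is the right choice for a directory plugins can write to, and as far as I recall Docker also applies `nodev` to tmpfs mounts by default, so nothing further is needed there. The Jinja comment added in the first hunk should say that this is deliberate, since plugins that drop and execute helpers in /tmp will fail; e.g. add ` /tmp is mounted noexec,nosuid on purpose: plugins may write files there but must not execute them.` as a third comment line. The `docker create` command both hunks belong to continues outside the hunk.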