Drop capabilities in a few more places
Continuation of 316d653d3e0530
This commit is contained in:
parent
316d653d3e
commit
9438402f61
@ -20,6 +20,7 @@
|
|||||||
--rm
|
--rm
|
||||||
--name=matrix-certbot
|
--name=matrix-certbot
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
-p 80:8080
|
-p 80:8080
|
||||||
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
|
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
|
||||||
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
|
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
|
||||||
@ -46,6 +47,7 @@
|
|||||||
--rm
|
--rm
|
||||||
--name=matrix-certbot
|
--name=matrix-certbot
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
|
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
|
||||||
--network={{ matrix_docker_network }}
|
--network={{ matrix_docker_network }}
|
||||||
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
|
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
|
||||||
|
@ -10,6 +10,7 @@ docker run \
|
|||||||
--rm \
|
--rm \
|
||||||
--name=matrix-certbot \
|
--name=matrix-certbot \
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
--network="{{ matrix_docker_network }}" \
|
--network="{{ matrix_docker_network }}" \
|
||||||
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
|
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
|
||||||
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
|
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
|
||||||
|
@ -61,6 +61,7 @@
|
|||||||
matrix_postgres_import_command: >-
|
matrix_postgres_import_command: >-
|
||||||
/usr/bin/docker run --rm --name matrix-postgres-import
|
/usr/bin/docker run --rm --name matrix-postgres-import
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
||||||
|
--cap-drop=ALL
|
||||||
--network={{ matrix_docker_network }}
|
--network={{ matrix_docker_network }}
|
||||||
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
|
||||||
-v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro
|
-v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro
|
||||||
|
@ -79,11 +79,12 @@
|
|||||||
detach: no
|
detach: no
|
||||||
cleanup: yes
|
cleanup: yes
|
||||||
entrypoint: /usr/local/bin/python
|
entrypoint: /usr/local/bin/python
|
||||||
command: "/usr/local/bin/synapse_port_db --sqlite-database {{ server_path_homeserver_db }} --postgres-config /data/homeserver.yaml"
|
command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml"
|
||||||
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
|
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
|
||||||
|
cap_drop: ['all']
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ matrix_synapse_config_dir_path }}:/data"
|
- "{{ matrix_synapse_config_dir_path }}:/data"
|
||||||
- "{{ matrix_synapse_run_path }}:/matrix-run"
|
- "{{ matrix_synapse_run_path }}:/matrix-run"
|
||||||
- "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db }}:ro"
|
- "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro"
|
||||||
networks:
|
networks:
|
||||||
- name: "{{ matrix_docker_network }}"
|
- name: "{{ matrix_docker_network }}"
|
||||||
|
@ -106,6 +106,7 @@
|
|||||||
command: |
|
command: |
|
||||||
/usr/bin/docker run --rm --name matrix-postgres-import \
|
/usr/bin/docker run --rm --name matrix-postgres-import \
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
--network={{ matrix_docker_network }} \
|
--network={{ matrix_docker_network }} \
|
||||||
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
||||||
-v {{ postgres_dump_dir }}:/in:ro \
|
-v {{ postgres_dump_dir }}:/in:ro \
|
||||||
|
@ -8,6 +8,8 @@ fi
|
|||||||
docker run \
|
docker run \
|
||||||
-it \
|
-it \
|
||||||
--rm \
|
--rm \
|
||||||
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
||||||
--network {{ matrix_docker_network }} \
|
--network {{ matrix_docker_network }} \
|
||||||
{{ matrix_postgres_docker_image_to_use }} \
|
{{ matrix_postgres_docker_image_to_use }} \
|
||||||
|
@ -3,6 +3,8 @@
|
|||||||
docker run \
|
docker run \
|
||||||
-it \
|
-it \
|
||||||
--rm \
|
--rm \
|
||||||
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
||||||
--network {{ matrix_docker_network }} \
|
--network {{ matrix_docker_network }} \
|
||||||
{{ matrix_postgres_docker_image_to_use }} \
|
{{ matrix_postgres_docker_image_to_use }} \
|
||||||
|
@ -41,6 +41,7 @@
|
|||||||
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
|
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
|
||||||
SYNAPSE_REPORT_STATS: "no"
|
SYNAPSE_REPORT_STATS: "no"
|
||||||
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
|
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
|
||||||
|
cap_drop: ['all']
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ matrix_synapse_config_dir_path }}:/data"
|
- "{{ matrix_synapse_config_dir_path }}:/data"
|
||||||
when: "not matrix_synapse_config_stat.stat.exists"
|
when: "not matrix_synapse_config_stat.stat.exists"
|
||||||
|