diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 9ec81fdbe..5d4fff09d 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4723,6 +4723,9 @@ matrix_synapse_admin_enabled: false
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"
+matrix_synapse_admin_container_uid: "{{ matrix_user_uid }}"
+matrix_synapse_admin_container_gid: "{{ matrix_user_gid }}"
+
 matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index 68ab27cd3..4fd8276d4 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -21,11 +21,14 @@ matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
 matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config"
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
+matrix_synapse_admin_container_uid: ''
+matrix_synapse_admin_container_gid: ''
+
 matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke52
+matrix_synapse_admin_version: v0.11.1-etke53
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"
@@ -40,7 +43,7 @@ matrix_synapse_admin_container_network: matrix-synapse-admin
 # Use this to expose this container to a reverse proxy, which runs in a different container network.
 matrix_synapse_admin_container_additional_networks: []
-# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container).
+# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose.
 matrix_synapse_admin_container_http_host_bind_port: ''
diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2
index bab69cec3..e030d49ca 100644
--- a/roles/custom/matrix-synapse-admin/templates/labels.j2
+++ b/roles/custom/matrix-synapse-admin/templates/labels.j2
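Review bot: The two defaults added in the first hunk, `matrix_synapse_admin_container_uid: ''` and `matrix_synapse_admin_container_gid: ''`, are empty and carry no comment, even though they presumably decide which user the container process runs as. A line above them such as `# UID/GID the container process runs as; must be set by the caller (the playbook's group_vars set them to matrix_user_uid / matrix_user_gid).` would record that they are required rather than optional. If the role has a required-variables check (none is visible in this diff), these two names belong in it, so that an unset value fails at validation time instead of producing an empty user specification when the container is created.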
@@ -12,7 +12,7 @@ traefik.enable=true
 traefik.docker.network={{ matrix_synapse_admin_container_labels_traefik_docker_network }}
 {% endif %}
-traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80
+traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=8080
 {% set middlewares = [] %}
diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
index 76ba438ac..8aa724c1d 100644
--- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
+++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
@@ -21,16 +21,14 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --name=matrix-synapse-admin \
 --log-driver=none \
 --cap-drop=ALL \
- --cap-add=CHOWN \
- --cap-add=NET_BIND_SERVICE \
- --cap-add=SETUID \
- --cap-add=SETGID \
+ --read-only \
+ --user={{ matrix_synapse_admin_container_user_uid }}:{{ matrix_synapse_admin_container_user_gid }} \
 --network={{ matrix_synapse_admin_container_network }} \
 {% if matrix_synapse_admin_container_http_host_bind_port %}
- -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
+ -p {{ matrix_synapse_admin_container_http_host_bind_port }}:8080 \
 {% endif %}
 --label-file={{ matrix_synapse_admin_base_path }}/labels \
- --mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \
+ --mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/var/public/config.json,ro \
 {% for arg in matrix_synapse_admin_container_extra_arguments %}
 {{ arg }} \
 {% endfor %}
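Review bot: In the matrix-synapse-admin.service.j2 hunk, the added `--user=` line reads `matrix_synapse_admin_container_user_uid` and `matrix_synapse_admin_container_user_gid`, but the variables this commit defines in group_vars/matrix_servers and defaults/main.yml are `matrix_synapse_admin_container_uid` and `matrix_synapse_admin_container_gid`. Unless the `_user_` names are defined somewhere outside this diff, rendering the unit will stop on an undefined variable (Ansible's default behaviour), so the capability drop, non-root user and read-only root filesystem never reach the host. The line should read `--user={{ matrix_synapse_admin_container_uid }}:{{ matrix_synapse_admin_container_gid }} \`. Separately, `--read-only` is added with no `--tmpfs` mount in the visible lines, so it is worth confirming that the image at the bumped version writes nothing under its root filesystem at start-up. The `docker create` command begins above the hunk and continues below it.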