playbook modified to be compatible with docker user namspaces

Author: argetlam-coder

group_vars/matrix_servers

@@ -15,6 +15,9 @@
 #                                                                      #
 ########################################################################
 
+matrix_playbook_userns_enabled: false
+matrix_playbook_userns_offset: 0
+
 # Controls whether to install Docker or not
 # Also see `devture_docker_sdk_for_python_installation_enabled`.
 matrix_playbook_docker_installation_enabled: true
@@ -3888,6 +3891,8 @@ exim_relay_base_path: "{{ matrix_base_data_path }}/exim-relay"
 
 exim_relay_uid: "{{ matrix_user_uid }}"
 exim_relay_gid: "{{ matrix_user_gid }}"
+exim_relay_docker_userns_enabled: "{{ matrix_playbook_userns_enabled }}"
+exim_relay_docker_userns_offset: "{{ matrix_playbook_userns_offset }}"
 
 exim_relay_hostname: "{{ matrix_server_fqn_matrix }}"
 
@@ -4097,9 +4102,12 @@ postgres_identifier: matrix-postgres
 postgres_architecture: "{{ matrix_architecture }}"
 
 postgres_base_path: "{{ matrix_base_data_path }}/postgres"
+postgres_passwd_file_path : "{{ matrix_playbook_passwd_file_path }}"
 
 postgres_uid: "{{ matrix_user_uid }}"
 postgres_gid: "{{ matrix_user_gid }}"
+postgres_docker_userns_enabled: "{{ matrix_playbook_userns_enabled }}"
+postgres_docker_userns_offset: "{{ matrix_playbook_userns_offset }}"
 
 postgres_connection_username: matrix
 postgres_db_name: matrix
@@ -4507,6 +4515,8 @@ ntfy_base_path: "{{ matrix_base_data_path }}/ntfy"
 
 ntfy_uid: "{{ matrix_user_uid }}"
 ntfy_gid: "{{ matrix_user_gid }}"
+ntfy_docker_userns_enabled: "{{ matrix_playbook_userns_enabled }}"
+ntfy_docker_userns_offset: "{{ matrix_playbook_userns_offset }}"
 
 ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
 
@@ -4545,6 +4555,8 @@ valkey_identifier: matrix-valkey
 
 valkey_uid: "{{ matrix_user_uid }}"
 valkey_gid: "{{ matrix_user_gid }}"
+valkey_docker_userns_enabled: "{{ matrix_playbook_userns_enabled }}"
+valkey_docker_userns_offset: "{{ matrix_playbook_userns_offset }}"
 
 valkey_base_path: "{{ matrix_base_data_path }}/valkey"
 
@@ -4798,6 +4810,11 @@ matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}"
 matrix_synapse_username: "{{ matrix_user_username }}"
 matrix_synapse_uid: "{{ matrix_user_uid }}"
 matrix_synapse_gid: "{{ matrix_user_gid }}"
+matrix_synapse_docker_userns_enabled: "{{ matrix_playbook_userns_enabled }}"
+matrix_synapse_docker_userns_offset: "{{ matrix_playbook_userns_offset }}"
+
+matrix_synapse_passwd_file_path: "{{ matrix_playbook_passwd_file_path }}"
+matrix_synapse_group_file_path: "{{ matrix_playbook_group_file_path }}"
 
 matrix_synapse_federation_enabled: "{{ matrix_homeserver_federation_enabled }}"
 
@@ -6205,6 +6222,8 @@ traefik_base_path: "{{ matrix_base_data_path }}/traefik"
 
 traefik_uid: "{{ matrix_user_uid }}"
 traefik_gid: "{{ matrix_user_gid }}"
+traefik_docker_userns_enabled: "{{ matrix_playbook_userns_enabled }}"
+traefik_docker_userns_offset: "{{ matrix_playbook_userns_offset }}"
 
 # It's common for setups to deal with large file uploads which may take longer than the default readTimeout (60s).
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
@@ -6217,7 +6236,7 @@ traefik_additional_entrypoints_auto: |
     ([matrix_playbook_internal_matrix_client_api_traefik_entrypoint_definition] if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else [])
   }}
 
-traefik_config_providers_docker_endpoint: "{{ container_socket_proxy_endpoint if container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
+traefik_config_providers_docker_endpoint: "{{ container_socket_proxy_endpoint if container_socket_proxy_enabled else ('unix:///var/run/docker.sock' if not matrix_playbook_userns_enabled else 'unix:///var/run/docker-userns.sock') }}"
 
 traefik_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_container_image_registry_prefix_upstream_default }}"
 

roles/custom/matrix-base/defaults/main.yml

@@ -180,6 +180,11 @@ matrix_user_groupname: "matrix"
 # To use a specific user/group ID, override these variables.
 matrix_user_uid: ~
 matrix_user_gid: ~
+matrix_container_user_host_uid: ''
+matrix_container_user_host_gid: ''
+
+matrix_playbook_userns_enabled: false
+matrix_playbook_userns_offset: 0
 
 matrix_base_data_path: "/matrix"
 matrix_base_data_path_mode: "750"

roles/custom/matrix-base/tasks/setup_matrix_user.yml

@@ -23,7 +23,9 @@
     system: true
   register: matrix_user
 
-- name: Initialize matrix_user_uid and matrix_user_gid
+- name: Initialize matrix_user_uid, matrix_user_gid, matrix_container_user_host_uid and matrix_container_user_host_gid
   ansible.builtin.set_fact:
     matrix_user_uid: "{{ matrix_user.uid }}"
     matrix_user_gid: "{{ matrix_group.gid }}"
+    matrix_container_user_host_uid: "{{ matrix_user_uid if not matrix_playbook_userns_enabled else (matrix_user_uid | int + matrix_playbook_userns_offset) | string }}"
+    matrix_container_user_host_gid: "{{ matrix_user_gid if not matrix_playbook_userns_enabled else (matrix_user_gid | int + matrix_playbook_userns_offset) | string }}"

roles/custom/matrix-client-element/tasks/setup_install.yml

@@ -75,19 +75,19 @@
     content: "{{ matrix_client_element_configuration | to_nice_json }}"
     dest: "{{ matrix_client_element_data_path }}/config.json"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_container_user_host_uid }}"
+    group: "{{ matrix_container_user_host_gid }}"
 
 - name: Ensure Element location sharing map style installed
   when: matrix_client_element_location_sharing_enabled | bool
   ansible.builtin.copy:
     content: "{{ matrix_client_element_location_sharing_map_style | to_nice_json }}"
     dest: "{{ matrix_client_element_data_path }}/map_style.json"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_container_user_host_uid }}"
+    group: "{{ matrix_container_user_host_gid }}"
 
-- name: Ensure Element Web config files installed
+- name: Ensure Element Web template files installed
   ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
@@ -97,6 +97,16 @@
   with_items:
     - {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
     - {src: "{{ role_path }}/templates/env.j2", name: "env"}
+  when: "item.src is not none"
+
+- name: Ensure Element Web config files installed
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_container_user_host_uid }}"
+    group: "{{ matrix_container_user_host_gid }}"
+  with_items:
     - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"

roles/custom/matrix-coturn/tasks/setup_install.yml

@@ -105,8 +105,8 @@
     src: "{{ role_path }}/templates/turnserver.conf.j2"
     dest: "{{ matrix_coturn_config_path }}"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_container_user_host_uid }}"
+    group: "{{ matrix_container_user_host_gid }}"
 
 - name: Ensure coturn network is created in Docker
   when: matrix_coturn_container_network not in ['', 'host']

roles/custom/matrix-static-files/tasks/install.yml

@@ -5,7 +5,7 @@
 
 ---
 
-- name: Ensure matrix-static-files paths exist
+- name: Ensure matrix-static-files base path exist
   ansible.builtin.file:
     path: "{{ item.path }}"
     state: directory
@@ -14,6 +14,16 @@
     group: "{{ matrix_user_groupname }}"
   with_items:
     - {path: "{{ matrix_static_files_base_path }}", when: true}
+  when: "item.when | bool"
+
+- name: Ensure matrix-static-files webserver paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_container_user_host_uid }}"
+    group: "{{ matrix_container_user_host_gid }}"
+  with_items:
     - {path: "{{ matrix_static_files_config_path }}", when: true}
     - {path: "{{ matrix_static_files_public_path }}", when: true}
     - {path: "{{ matrix_static_files_public_well_known_path }}", when: true}

roles/custom/matrix-synapse/defaults/main.yml

@@ -21,6 +21,10 @@ matrix_synapse_version: v1.127.1
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
 matrix_synapse_gid: ''
+matrix_synapse_host_filesystem_uid: ''
+matrix_synapse_host_filesystem_gid: ''
+matrix_synapse_docker_userns_enabled: false
+matrix_synapse_docker_userns_offset: 0
 
 matrix_synapse_container_image_self_build: false
 matrix_synapse_container_image_self_build_repo: "https://github.com/{{ matrix_synapse_github_org_and_repo }}.git"
@@ -133,6 +137,9 @@ matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }
 matrix_synapse_ext_s3_storage_provider_bin_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/bin"
 matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data"
 
+matrix_synapse_passwd_file_path: ''
+matrix_synapse_group_file_path: ''
+
 matrix_synapse_container_client_api_port: 8008
 
 matrix_synapse_container_federation_api_tls_port: 8448

roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml

@@ -11,8 +11,8 @@
     dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
     force: true
     mode: 0440
-    owner: "{{ matrix_synapse_uid }}"
-    group: "{{ matrix_synapse_gid }}"
+    owner: "{{ matrix_synapse_host_filesystem_uid }}"
+    group: "{{ matrix_synapse_host_filesystem_gid }}"
   register: result
   retries: "{{ devture_playbook_help_geturl_retries_count }}"
   delay: "{{ devture_playbook_help_geturl_retries_delay }}"

roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml

@@ -20,6 +20,14 @@
   become: true
   become_user: "{{ matrix_synapse_username }}"
 
+- name: Ensure directories and files have the right permissions
+  ansible.builtin.file:
+    path: "{{ matrix_synapse_ext_path }}/mjolnir"
+    state: directory
+    owner: "{{ matrix_synapse_host_filesystem_uid }}"
+    group: "{{ matrix_synapse_host_filesystem_gid }}"
+    recurse: true
+
 - ansible.builtin.set_fact:
     matrix_synapse_modules: >
       {{

roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml

@@ -18,8 +18,8 @@
     dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
     force: true
     mode: 0440
-    owner: "{{ matrix_synapse_uid }}"
-    group: "{{ matrix_synapse_gid }}"
+    owner: "{{ matrix_synapse_host_filesystem_uid }}"
+    group: "{{ matrix_synapse_host_filesystem_gid }}"
   register: result
   retries: "{{ devture_playbook_help_geturl_retries_count }}"
   delay: "{{ devture_playbook_help_geturl_retries_delay }}"