diff --git a/playbooks/roles/matrix-gerritbot/defaults/main.yaml b/playbooks/roles/matrix-gerritbot/defaults/main.yaml
index b5dec3d032..c349425987 100644
--- a/playbooks/roles/matrix-gerritbot/defaults/main.yaml
+++ b/playbooks/roles/matrix-gerritbot/defaults/main.yaml
@@ -1,3 +1,5 @@
+gerritbot_gid: 11000
+gerritbot_uid: 11000
 gerritbot_matrix_version: 4aeeac8
 gerritbot_matrix_image: quay.io/software-factory/gerritbot-matrix:{{ gerritbot_matrix_version }}
 gerritbot_matrix_prometheus_port: 9001
diff --git a/playbooks/roles/matrix-gerritbot/tasks/main.yaml b/playbooks/roles/matrix-gerritbot/tasks/main.yaml
index f89ca95d9e..237a532ef6 100644
--- a/playbooks/roles/matrix-gerritbot/tasks/main.yaml
+++ b/playbooks/roles/matrix-gerritbot/tasks/main.yaml
@@ -1,7 +1,24 @@
+- name: Create gerritbot group
+  group:
+    name: "gerritbot"
+    gid: "{{ gerritbot_gid }}"
+    system: yes
+- name: Create gerritbot user
+  user:
+    name: "gerritbot"
+    group: "gerritbot"
+    uid: "{{ gerritbot_uid }}"
+    home: "/var/lib/gerritbot"
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+
 - name: Ensure bot directories
   file:
     state: directory
     path: '/var/lib/matrix-gerritbot/{{ item }}'
+    owner: gerritbot
+    group: gerritbot
     mode: 0700
   loop:
     - config
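Review bot: The new service account in the `Create gerritbot user` task is given `shell: /bin/bash` although it exists only so the container and the bind-mounted directories share a stable uid/gid; a non-interactive shell is the least-privilege default for such an account, e.g. `shell: /usr/sbin/nologin` (the path is `/sbin/nologin` on Fedora/RHEL, so pick the one matching the target hosts). The `system: yes` values on both the group and user tasks should be written `system: true`, since `yes` is a YAML 1.1 boolean that yamllint's truthy rule and Ansible's style guide reject. The home `/var/lib/gerritbot` also differs from the data directory `/var/lib/matrix-gerritbot` that the rest of the role populates; if the home is not needed, `create_home: false` avoids an unused directory, otherwise a one-line comment saying why it is separate would help the next reader. The `Ensure bot directories` loop continues past the end of the hunk.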
@@ -11,6 +28,8 @@
   copy:
     src: gerritbot.yaml
     dest: /var/lib/matrix-gerritbot/config/gerritbot.yaml
+    owner: gerritbot
+    group: gerritbot
   register: _gerritbot_config
 
 - name: Lookup the configuration schema
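Review bot: The `copy` task for `gerritbot.yaml` now sets `owner`/`group` but no `mode`, so when the destination does not yet exist the permissions come from the remote umask rather than from the role; the same applies to the public-key and `known_hosts` copies in the later ssh hunk. Adding an explicit `mode: "0600"` (or `"0644"` for the public key and known_hosts, which are not secret) makes the result deterministic and reportable; quoting the value avoids the YAML octal/decimal ambiguity that an unquoted `0600` carries. Exposure is already limited by the 0700 parent directories created earlier, so this is about idempotence and intent rather than an immediate leak. The task's `- name:` line is above the start of the hunk.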
@@ -25,7 +44,7 @@
   vars:
     config: /var/lib/matrix-gerritbot/config
     yaml_to_dhall: >-
-      docker run -i -v {{ config }}:{{ config }}
+      docker run --user {{ gerritbot_uid }}:{{ gerritbot_gid }} -i -v {{ config }}:{{ config }}
       --rm docker.io/dhallhaskell/dhall-yaml yaml-to-dhall
     schema: "List {{ _gerritbot_schema.stdout }}"
 
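Review bot: The one-off `docker run` in `yaml_to_dhall` now runs as the bot uid but still bind-mounts the config directory read-write, whereas the compose change in the same commit mounts it `:ro`; if yaml-to-dhall only reads its input and writes to stdout, `-v {{ config }}:{{ config }}:ro` keeps the two consistent and removes the helper container's ability to alter the bot configuration. Because the container now runs as `{{ gerritbot_uid }}`, it can only read the 0700 `config` directory thanks to the ownership change in the directory task above; a short comment on this variable stating that dependency would make the coupling visible. The task's definition starts above the hunk.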
@@ -34,17 +53,23 @@
     content: "{{ gerritbot_ssh_key }}"
     dest: "/var/lib/matrix-gerritbot/ssh/id_{{ gerritbot_ssh_key_format }}"
     mode: 0400
+    owner: gerritbot
+    group: gerritbot
   no_log: true
 
 - name: Install gerritbot ssh key
   copy:
     content: "{{ gerritbot_ssh_pubkey }}"
     dest: "/var/lib/matrix-gerritbot/ssh/id_{{ gerritbot_ssh_key_format }}.pub"
+    owner: gerritbot
+    group: gerritbot
 
 - name: Install gerritbot known host
   copy:
     content: "{{ gerritbot_known_hosts }}"
     dest: "/var/lib/matrix-gerritbot/ssh/known_hosts"
+    owner: gerritbot
+    group: gerritbot
 
 - name: Ensure /etc/matrix-gerritbot-docker directory
   file:
diff --git a/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2 b/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
index 0f0b1d97fa..9148c9d4ae 100644
--- a/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
@@ -6,6 +6,7 @@ services:
   gerritbot-matrix:
     image: {{ gerritbot_matrix_image }}
     network_mode: host
+    user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"
     restart: always
     logging:
       driver: syslog
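Review bot: Running the container as `{{ gerritbot_uid }}:{{ gerritbot_gid }}` while the ssh volume in the next hunk stays mounted at `/root/.ssh` puts the key material in root's home rather than the home of the uid the bot now runs as; unless the image defines that uid with `HOME=/root`, or the bot passes the key and `UserKnownHostsFile` paths explicitly, ssh will resolve `~/.ssh` elsewhere and may fail outright if the uid has no passwd entry inside the image. This cannot be confirmed from the diff, so verify against the image; the fix is either to mount at the path matching the runtime user's home or to set `HOME` under `environment:` and reference the key/known_hosts paths explicitly in the bot configuration. Quoting the `user:` value is correct, since an unquoted `11000:11000` could be read as a YAML 1.1 sexagesimal integer.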
@@ -15,8 +16,8 @@ services:
       MATRIX_TOKEN: {{ gerritbot_matrix_access_token }}
       MATRIX_IDENTITY_TOKEN: {{ gerritbot_matrix_identity_token }}
     volumes:
-      - /var/lib/matrix-gerritbot/config:/config
-      - /var/lib/matrix-gerritbot/ssh:/root/.ssh
+      - /var/lib/matrix-gerritbot/config:/config:ro
+      - /var/lib/matrix-gerritbot/ssh:/root/.ssh:ro
     healthcheck:
       test: "gerritbot-matrix check {{ gerritbot_matrix_prometheus_port }}"
       retries: 6
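Review bot: With `/config` now mounted `:ro`, any write the bot attempts under that path (state, cache, rotated output) will fail at runtime rather than at deploy time; the diff does not show whether the bot writes there, so confirm against the image and, if it does, give it a separate writable volume for state instead of relaxing the read-only mount. The `:ro` on the ssh volume is a sound hardening, as the 0400 private key owned by the bot uid remains readable by the container user. The `volumes` block's service definition starts above the hunk.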