Drop capabilities in a few more places

Continuation of 316d653d3e

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -20,6 +20,7 @@
     --rm
     --name=matrix-certbot
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
     -p 80:8080
     -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
     -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
@@ -46,6 +47,7 @@
     --rm
     --name=matrix-certbot
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
     -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
     --network={{ matrix_docker_network }}
     -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt

roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2

@@ -10,6 +10,7 @@ docker run \
 	--rm \
 	--name=matrix-certbot \
 	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
 	--network="{{ matrix_docker_network }}" \
 	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
 	-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \

roles/matrix-postgres/tasks/import_postgres.yml

@@ -61,6 +61,7 @@
     matrix_postgres_import_command: >-
       /usr/bin/docker run --rm --name matrix-postgres-import
       --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
       --network={{ matrix_docker_network }}
       --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
       -v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro

roles/matrix-postgres/tasks/import_sqlite_db.yml

@@ -79,11 +79,12 @@
     detach: no
     cleanup: yes
     entrypoint: /usr/local/bin/python
-    command: "/usr/local/bin/synapse_port_db --sqlite-database {{ server_path_homeserver_db }} --postgres-config /data/homeserver.yaml"
+    command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml"
     user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+    cap_drop: ['all']
     volumes:
       - "{{ matrix_synapse_config_dir_path }}:/data"
       - "{{ matrix_synapse_run_path }}:/matrix-run"
-      - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db }}:ro"
+      - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro"
     networks:
       - name: "{{ matrix_docker_network }}"

roles/matrix-postgres/tasks/upgrade_postgres.yml

@@ -106,6 +106,7 @@
   command: |
     /usr/bin/docker run --rm --name matrix-postgres-import \
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
     --network={{ matrix_docker_network }} \
     --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
     -v {{ postgres_dump_dir }}:/in:ro \

roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2

@@ -8,6 +8,8 @@ fi
 docker run \
 	-it \
 	--rm \
+	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
 	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 	--network {{ matrix_docker_network }} \
 	{{ matrix_postgres_docker_image_to_use }} \

roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2

@@ -3,6 +3,8 @@
 docker run \
 	-it \
 	--rm \
+	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
 	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 	--network {{ matrix_docker_network }} \
 	{{ matrix_postgres_docker_image_to_use }} \

roles/matrix-synapse/tasks/setup_synapse_main.yml

@@ -41,6 +41,7 @@
       SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
       SYNAPSE_REPORT_STATS: "no"
     user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+    cap_drop: ['all']
     volumes:
       - "{{ matrix_synapse_config_dir_path }}:/data"
   when: "not matrix_synapse_config_stat.stat.exists"