Use an EnvironmentFile for cgimap to better protect passwords

diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 43d93785330cc01cbf9137edc337217cdf523945..df62481a5c5a16607dad51318a3d5b5b99134748 100644 (file)
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -28,7 +28,7 @@ property :type, String,
          :is => %w(simple forking oneshot dbus notify idle)
 property :limit_nofile, Fixnum
 property :environment, Hash, :default => {}
-property :environment_file, String
+property :environment_file, [String, Hash]
 property :user, String
 property :group, String
 property :exec_start_pre, String
@@ -55,13 +55,28 @@ property :timeout_sec, Fixnum
 property :pid_file, String
 
 action :create do
+  service_variables = new_resource.to_hash
+
+  if environment_file.is_a?(Hash)
+    template "/etc/default/#{name}" do
+      cookbook "systemd"
+      source "environment.erb"
+      owner "root"
+      group "root"
+      mode 0o640
+      variables :environment => environment_file
+    end
+
+    service_variables[:environment_file] = "/etc/default/#{name}"
+  end
+
   template "/etc/systemd/system/#{name}.service" do
     cookbook "systemd"
     source "service.erb"
     owner "root"
     group "root"
     mode 0o644
-    variables new_resource.to_hash
+    variables service_variables
   end
 
   execute "systemctl-reload-#{name}.service" do
@@ -74,6 +89,11 @@ action :create do
 end
 
 action :delete do
+  file "/etc/default/#{name}" do
+    action :delete
+    only_if { environment_file.is_a?(Hash) }
+  end
+
   file "/etc/systemd/system/#{name}.service" do
     action :delete
   end

diff --git a/cookbooks/systemd/templates/default/environment.erb b/cookbooks/systemd/templates/default/environment.erb
new file mode 100644 (file)
index 0000000..6de9224
--- /dev/null
+++ b/cookbooks/systemd/templates/default/environment.erb
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<% @environment.each do |name,value| -%>
+<%= name %>="<%= value %>"
+<% end -%>

diff --git a/cookbooks/web/recipes/cgimap.rb b/cookbooks/web/recipes/cgimap.rb
index 0662843f329478ee7436af683df8e5ce6041d2ef..1a72d0363f0020d5f8ab9a55fca5ab9ee8b10917 100644 (file)
--- a/cookbooks/web/recipes/cgimap.rb
+++ b/cookbooks/web/recipes/cgimap.rb
@@ -39,16 +39,16 @@ switches = database_readonly ? " --readonly" : ""
 systemd_service "cgimap" do
   description "OpenStreetMap API Server"
   type "forking"
-  environment "CGIMAP_HOST" => database_host,
-              "CGIMAP_DBNAME" => "openstreetmap",
-              "CGIMAP_USERNAME" => "rails",
-              "CGIMAP_PASSWORD" => db_passwords["rails"],
-              "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
-              "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
-              "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
-              "CGIMAP_MEMCACHE" => memcached_servers.join(","),
-              "CGIMAP_RATELIMIT" => "204800",
-              "CGIMAP_MAXDEBT" => "250"
+  environment_file "CGIMAP_HOST" => database_host,
+                   "CGIMAP_DBNAME" => "openstreetmap",
+                   "CGIMAP_USERNAME" => "rails",
+                   "CGIMAP_PASSWORD" => db_passwords["rails"],
+                   "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
+                   "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
+                   "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
+                   "CGIMAP_MEMCACHE" => memcached_servers.join(","),
+                   "CGIMAP_RATELIMIT" => "204800",
+                   "CGIMAP_MAXDEBT" => "250"
   user "rails"
   exec_start "/usr/bin/openstreetmap-cgimap --daemon --port 8000 --instances 30#{switches}"
   exec_reload "/bin/kill -HUP $MAINPID"