Use an EnvironmentFile for cgimap to better protect passwords
authorTom Hughes <tom@compton.nu>
Tue, 4 Oct 2016 09:36:02 +0000 (10:36 +0100)
committerTom Hughes <tom@compton.nu>
Tue, 4 Oct 2016 09:40:36 +0000 (10:40 +0100)
cookbooks/systemd/resources/service.rb
cookbooks/systemd/templates/default/environment.erb [new file with mode: 0644]
cookbooks/web/recipes/cgimap.rb

index 43d9378..df62481 100644 (file)
@@ -28,7 +28,7 @@ property :type, String,
          :is => %w(simple forking oneshot dbus notify idle)
 property :limit_nofile, Fixnum
 property :environment, Hash, :default => {}
-property :environment_file, String
+property :environment_file, [String, Hash]
 property :user, String
 property :group, String
 property :exec_start_pre, String
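Review bot: The `environment` property on L14 still sits next to the new Hash form of `environment_file` with nothing telling a caller which of the two keeps a secret out of the unit file; the unit file written later in this resource is mode 0644, and `environment` presumably still renders into it as `Environment=` lines. A comment on each property would stop the next recipe from repeating what this commit fixes for cgimap, e.g. above L14 `# Rendered into the world-readable unit file; use environment_file for secrets.` and above L16 `# String: path of an existing file; Hash: written to /etc/default/<name> (0640 root:root).`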
@@ -55,13 +55,28 @@ property :timeout_sec, Fixnum
 property :pid_file, String
 
 action :create do
+  service_variables = new_resource.to_hash
+
+  if environment_file.is_a?(Hash)
+    template "/etc/default/#{name}" do
+      cookbook "systemd"
+      source "environment.erb"
+      owner "root"
+      group "root"
+      mode 0o640
+      variables :environment => environment_file
+    end
+
+    service_variables[:environment_file] = "/etc/default/#{name}"
+  end
+
   template "/etc/systemd/system/#{name}.service" do
     cookbook "systemd"
     source "service.erb"
     owner "root"
     group "root"
     mode 0o644
-    variables new_resource.to_hash
+    variables service_variables
   end
 
   execute "systemctl-reload-#{name}.service" do
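Review bot: The template for `/etc/default/#{name}` on L27-L34 is not marked `sensitive true`, so whenever the rendered content changes Chef prints the diff — password included — to the run log and hands it to any reporting handler, which gives back much of what the 0640 mode takes away. Add `sensitive true` beside `mode 0o640`. Separately, a resource that is later switched from a Hash back to a String `environment_file` leaves the old `/etc/default/<name>` behind, since the create action only ever writes the file; a `file "/etc/default/#{name}"` with `action :delete` guarded by `unless environment_file.is_a?(Hash)` would keep a stale secret from lingering on the host.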
@@ -74,6 +89,11 @@ action :create do
 end
 
 action :delete do
+  file "/etc/default/#{name}" do
+    action :delete
+    only_if { environment_file.is_a?(Hash) }
+  end
+
   file "/etc/systemd/system/#{name}.service" do
     action :delete
   end
diff --git a/cookbooks/systemd/templates/default/environment.erb b/cookbooks/systemd/templates/default/environment.erb
new file mode 100644 (file)
index 0000000..6de9224
--- /dev/null
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<% @environment.each do |name,value| -%>
+<%= name %>="<%= value %>"
+<% end -%>
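Review bot: Values are interpolated between double quotes on L70 with no escaping, so a password containing `"`, `\` or a newline either terminates the value early or corrupts the file — and a file whose purpose is to carry passwords should expect such input. systemd's EnvironmentFile parser honours backslash escapes inside double-quoted values, so escaping those two characters is enough: `<%= name %>="<%= value.to_s.gsub(/["\\]/) { |c| "\\#{c}" } %>"`. A newline cannot be represented in this format at all and is better rejected in the resource than silently written; the variable name is likewise written unvalidated, which is acceptable only while every caller is cookbook code.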
index 0662843..1a72d03 100644 (file)
@@ -39,16 +39,16 @@ switches = database_readonly ? " --readonly" : ""
 systemd_service "cgimap" do
   description "OpenStreetMap API Server"
   type "forking"
-  environment "CGIMAP_HOST" => database_host,
-              "CGIMAP_DBNAME" => "openstreetmap",
-              "CGIMAP_USERNAME" => "rails",
-              "CGIMAP_PASSWORD" => db_passwords["rails"],
-              "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
-              "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
-              "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
-              "CGIMAP_MEMCACHE" => memcached_servers.join(","),
-              "CGIMAP_RATELIMIT" => "204800",
-              "CGIMAP_MAXDEBT" => "250"
+  environment_file "CGIMAP_HOST" => database_host,
+                   "CGIMAP_DBNAME" => "openstreetmap",
+                   "CGIMAP_USERNAME" => "rails",
+                   "CGIMAP_PASSWORD" => db_passwords["rails"],
+                   "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
+                   "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
+                   "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
+                   "CGIMAP_MEMCACHE" => memcached_servers.join(","),
+                   "CGIMAP_RATELIMIT" => "204800",
+                   "CGIMAP_MAXDEBT" => "250"
   user "rails"
   exec_start "/usr/bin/openstreetmap-cgimap --daemon --port 8000 --instances 30#{switches}"
   exec_reload "/bin/kill -HUP $MAINPID"
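Review bot: Nothing in this hunk restarts cgimap when the password moves or changes, and an EnvironmentFile is only read by systemd when the unit starts; the `exec_reload` SIGHUP on L99 is not shown to re-read it. Before this change a rotated `db_passwords["rails"]` altered the unit file itself, so a `service` resource subscribing to that template would have reacted; now the change lands in `/etc/default/cgimap`, which that subscription would miss unless it targets the `systemd_service[cgimap]` resource as a whole. The `systemd_service` block and the service resource that presumably follows it both end outside the hunk, so this is worth confirming there; a comment on the `environment_file` line such as `# read at service start only — a password change needs a restart, not a reload` would record the constraint.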