From: Tom Hughes <tom@compton.nu>
Date: Wed, 8 Nov 2023 19:05:47 +0000 (+0000)
Subject: Set SECRET_KEY_BASE for rails job runners
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/d4ccdb8a3b1a970c7def1582372b072eeafba51f

Set SECRET_KEY_BASE for rails job runners
---

diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 472377043..3a708a018 100644
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -298,7 +298,7 @@ if node[:postgresql][:clusters][:"15/main"]
   systemd_service "rails-jobs@" do
     description "Rails job queue runner"
     type "simple"
-    environment "RAILS_ENV" => "production", "SLEEP_DELAY" => "60"
+    environment_file "/etc/default/rails-%i"
     user "apis"
     working_directory "/srv/%i.apis.dev.openstreetmap.org/rails"
     exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
@@ -413,6 +413,14 @@ if node[:postgresql][:clusters][:"15/main"]
         notifies :restart, "rails_port[#{site_name}]"
       end
 
+      template "/etc/default/rails-#{name}" do
+        source "rails.environment.erb"
+        owner "root"
+        group "root"
+        mode "0600"
+        variables :secret_key_base => secret_key_base
+      end
+
       service "rails-jobs@#{name}" do
         action [:enable, :start]
         supports :restart => true
diff --git a/cookbooks/dev/templates/default/rails.environment.erb b/cookbooks/dev/templates/default/rails.environment.erb
new file mode 100644
index 000000000..c8a6ee0c8
--- /dev/null
+++ b/cookbooks/dev/templates/default/rails.environment.erb
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+RAILS_ENV="production"
+SLEEP_DELAY="60"
+SECRET_KEY_BASE="<%= @secret_key_base %>"
diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
index c5130a91a..fd3d59f2d 100644
--- a/cookbooks/web/recipes/rails.rb
+++ b/cookbooks/web/recipes/rails.rb
@@ -165,7 +165,10 @@ end
 systemd_service "rails-jobs@" do
   description "Rails job queue runner"
   type "simple"
-  environment "RAILS_ENV" => "production", "QUEUE" => "%I", "SLEEP_DELAY" => "60"
+  environment "RAILS_ENV" => "production",
+              "QUEUE" => "%I",
+              "SLEEP_DELAY" => "60",
+              "SECRET_KEY_BASE" => web_passwords["secret_key_base"]
   user "rails"
   working_directory rails_directory
   exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"