From 9224925dad40dabb3cc09cdaf0c5c30ee3bfc818 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Mon, 13 Nov 2023 18:57:13 +0000
Subject: [PATCH] Set SECRET_KEY_BASE when delivering messages from email

---
 cookbooks/web/recipes/frontend.rb                   | 8 ++++++++
 cookbooks/web/templates/default/deliver-message.erb | 6 ++++++
 roles/web-frontend.rb                               | 7 ++-----
 3 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 cookbooks/web/templates/default/deliver-message.erb

diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index 63dabd9c0..f27b029c9 100644
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -98,3 +98,11 @@ else
     subscribes :restart, "systemd_service[rails-jobs@]"
   end
 end
+
+template "/usr/local/bin/deliver-message" do
+  source "deliver-message.erb"
+  owner "rails"
+  group "rails"
+  mode "0700"
+  variables :secret_key_base => web_passwords["secret_key_base"]
+end
diff --git a/cookbooks/web/templates/default/deliver-message.erb b/cookbooks/web/templates/default/deliver-message.erb
new file mode 100644
index 000000000..76538183b
--- /dev/null
+++ b/cookbooks/web/templates/default/deliver-message.erb
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+export RAILS_ENV="production"
+export SECRET_KEY_BASE="<%= @secret_key_base %>"
+
+exec /usr/local/bin/passenger-ruby /srv/www.openstreetmap.org/rails/script/deliver-message "$@"
diff --git a/roles/web-frontend.rb b/roles/web-frontend.rb
index 264f2a4d2..985811f59 100644
--- a/roles/web-frontend.rb
+++ b/roles/web-frontend.rb
@@ -33,14 +33,11 @@ default_attributes(
       :messages => {
         :comment => "messages.openstreetmap.org",
         :domains => ["messages.openstreetmap.org"],
-        :command => "/usr/local/bin/passenger-ruby /srv/www.openstreetmap.org/rails/script/deliver-message $local_part",
+        :command => "/usr/local/bin/deliver-message $local_part",
         :user => "rails",
         :group => "rails",
         :home_directory => "/srv/www.openstreetmap.org/rails",
-        :path => "/bin:/usr/bin:/usr/local/bin",
-        :environment => {
-          "RAILS_ENV" => "production"
-        }
+        :path => "/bin:/usr/bin:/usr/local/bin"
       }
     }
   }
-- 
2.39.5