From dadcad86e0cf7122fe094992455e26443023dac9 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 4 Oct 2016 10:36:02 +0100
Subject: [PATCH] Use an EnvironmentFile for cgimap to better protect passwords

---
 cookbooks/systemd/resources/service.rb | 24 +++++++++++++++++--
 .../systemd/templates/default/environment.erb | 5 ++++
 cookbooks/web/recipes/cgimap.rb | 20 ++++++++--------
 3 files changed, 37 insertions(+), 12 deletions(-)
 create mode 100644 cookbooks/systemd/templates/default/environment.erb

diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 43d937853..df62481a5 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -28,7 +28,7 @@ property :type, String, :is => %w(simple forking oneshot dbus notify idle)
 property :limit_nofile, Fixnum
 property :environment, Hash, :default => {}
-property :environment_file, String
+property :environment_file, [String, Hash]
 property :user, String
 property :group, String
 property :exec_start_pre, String
@@ -55,13 +55,28 @@ property :timeout_sec, Fixnum
 property :pid_file, String
 
 action :create do
+ service_variables = new_resource.to_hash
+
+ if environment_file.is_a?(Hash)
+ template "/etc/default/#{name}" do
+ cookbook "systemd"
+ source "environment.erb"
+ owner "root"
+ group "root"
+ mode 0o640
+ variables :environment => environment_file
+ end
+
+ service_variables[:environment_file] = "/etc/default/#{name}"
+ end
+
 template "/etc/systemd/system/#{name}.service" do
 cookbook "systemd"
 source "service.erb"
 owner "root"
 group "root"
 mode 0o644
- variables new_resource.to_hash
+ variables service_variables
 end
 
 execute "systemctl-reload-#{name}.service" do
@@ -74,6 +89,11 @@ action :create do
 end
 
 action :delete do
+ file "/etc/default/#{name}" do
+ action :delete
+ only_if { environment_file.is_a?(Hash) }
+ end
+
 file "/etc/systemd/system/#{name}.service" do
 action :delete
 end
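Review bot: The new `template "/etc/default/#{name}"` in `action :create` carries no `notifies`, so when a value in that file changes (a rotated database password, say) the file is rewritten but nothing restarts the unit, and because `EnvironmentFile=` is read only at service start a `systemctl daemon-reload` does not pick it up either; the `execute "systemctl-reload-#{name}.service"` block and the rest of the `action :create` body continue past the hunk, and if that execute only subscribes to the unit template the running service keeps the stale credentials until some unrelated restart. Consider a `notifies :restart` on the new template, or a matching `subscribes` on whatever resource restarts the service below the hunk. The widened property in the first hunk would also benefit from a contract comment, e.g. `# environment_file: a String is passed through as EnvironmentFile=; a Hash is rendered to /etc/default/<name> (root:root 0640) so its values stay out of the world-readable 0644 unit file`. Note too that `action :delete` removes `/etc/default/#{name}` only while the caller still passes a Hash, so a later switch of the property back to a String leaves the old secrets file in place.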
diff --git a/cookbooks/systemd/templates/default/environment.erb b/cookbooks/systemd/templates/default/environment.erb
new file mode 100644
index 000000000..6de92241f
--- /dev/null
+++ b/cookbooks/systemd/templates/default/environment.erb
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<% @environment.each do |name,value| -%>
+<%= name %>="<%= value %>"
+<% end -%>
diff --git a/cookbooks/web/recipes/cgimap.rb b/cookbooks/web/recipes/cgimap.rb
index 0662843f3..1a72d0363 100644
--- a/cookbooks/web/recipes/cgimap.rb
+++ b/cookbooks/web/recipes/cgimap.rb
@@ -39,16 +39,16 @@ switches = database_readonly ? " --readonly" : ""
 systemd_service "cgimap" do
 description "OpenStreetMap API Server"
 type "forking"
- environment "CGIMAP_HOST" => database_host,
- "CGIMAP_DBNAME" => "openstreetmap",
- "CGIMAP_USERNAME" => "rails",
- "CGIMAP_PASSWORD" => db_passwords["rails"],
- "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
- "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
- "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
- "CGIMAP_MEMCACHE" => memcached_servers.join(","),
- "CGIMAP_RATELIMIT" => "204800",
- "CGIMAP_MAXDEBT" => "250"
+ environment_file "CGIMAP_HOST" => database_host,
+ "CGIMAP_DBNAME" => "openstreetmap",
+ "CGIMAP_USERNAME" => "rails",
+ "CGIMAP_PASSWORD" => db_passwords["rails"],
+ "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
+ "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
+ "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
+ "CGIMAP_MEMCACHE" => memcached_servers.join(","),
+ "CGIMAP_RATELIMIT" => "204800",
+ "CGIMAP_MAXDEBT" => "250"
 user "rails"
 exec_start "/usr/bin/openstreetmap-cgimap --daemon --port 8000 --instances 30#{switches}"
 exec_reload "/bin/kill -HUP $MAINPID"
-- 
2.39.5
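Review bot: The value in `<%= name %>="<%= value %>"` is written into the double-quoted assignment without any escaping, and systemd's `EnvironmentFile=` parser treats `"` and `\` specially inside double quotes, so a value containing either (a generated database password easily can) ends the quoted string early or is mangled, and the service starts with a truncated credential; a value containing a newline would split the assignment into two lines. Escape those two characters at render time, e.g. `<%= name %>="<%= value.to_s.gsub(/["\\]/) { |c| "\\#{c}" } %>"`, and consider having the resource reject values that contain a newline rather than silently producing a broken file. Since this file now carries secrets at root:root 0640, extending the `# DO NOT EDIT` header with one line naming the resource that renders it (`systemd_service` in the systemd cookbook) would help whoever finds it on the host.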