Move synapse-auto-compressor Postgres argument to an environment variable

This provides an additional security benefit. The password won't leak in the process list anymore.
2024-11-10 12:47:39 +01:00 · 2023-03-12 10:17:42 +02:00 · 2023-03-12 10:17:42 +02:00 · 328d0d8a5f
commit 328d0d8a5f
parent 26d5719df4
4 changed files with 29 additions and 8 deletions
--- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
@ -5,18 +5,19 @@

 matrix_synapse_auto_compressor_enabled: true

+matrix_synapse_auto_compressor_version: v0.1.3
+
+matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
+matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src"
+
 matrix_synapse_auto_compressor_container_image_self_build: false
 matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git"
 matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}"
-matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}"

-matrix_synapse_auto_compressor_version: v0.1.3
 matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}"
 matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}"

-matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
-
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor

@ -57,4 +58,7 @@ matrix_synapse_auto_compressor_chunk_size: 500
 # The higher this number is set to, the longer the compressor will run for.
 matrix_synapse_auto_compressor_chunks_to_compress: 100

-matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p {{ matrix_synapse_auto_compressor_synapse_database }} -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"
+matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p $POSTGRES_LOCATION -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"
+
+# Controls the POSTGRES_LOCATION environment variable
+matrix_synapse_auto_compressor_environment_variable_postgres_location: "{{ matrix_synapse_auto_compressor_synapse_database }}"
--- a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
@ -1,12 +1,26 @@
 ---
+
 - name: Ensure synapse-auto-compressor paths exist
  ansible.builtin.file:
-    path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
+    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
-  when: matrix_synapse_auto_compressor_container_image_self_build | bool
+  when: item.when | bool
+  with_items:
+    - path: "{{ matrix_synapse_auto_compressor_base_path }}"
+      when: true
+    - path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
+      when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}"
+
+- name: Ensure synapse-auto-compressor labels installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/env.j2"
+    dest: "{{ matrix_synapse_auto_compressor_base_path }}/env"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"

 - name: Ensure synapse-auto-compressor image is pulled
  community.docker.docker_image:
--- a/roles/custom/matrix-synapse-auto-compressor/templates/env.j2
+++ b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2
@ -0,0 +1 @@
+POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }}
--- a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
+++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
@ -24,11 +24,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--network={{ matrix_synapse_auto_compressor_container_network }} \
+			--env-file={{ matrix_synapse_auto_compressor_base_path }}/env \
+			--entrypoint=/bin/sh \
 			{% for arg in matrix_synapse_auto_compressor_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_synapse_auto_compressor_container_image }} \
-			{{ matrix_synapse_auto_compressor_command }}
+			-c '{{ matrix_synapse_auto_compressor_command }}'

 {% for network in matrix_synapse_auto_compressor_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor
				`@ -0,0 +1 @@`
				`POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }}`