From 328d0d8a5f47c4f4e15d70cb4c796dbd6a957b6b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 12 Mar 2023 10:17:42 +0200
Subject: [PATCH] Move synapse-auto-compressor Postgres argument to an environment variable

This provides an additional security benefit. The password won't leak in the process list anymore.
---
 .../defaults/main.yml | 14 +++++++++-----
 .../tasks/install.yml | 18 ++++++++++++++++--
 .../templates/env.j2 | 1 +
 .../matrix-synapse-auto-compressor.service.j2 | 4 +++-
 4 files changed, 29 insertions(+), 8 deletions(-)
 create mode 100644 roles/custom/matrix-synapse-auto-compressor/templates/env.j2
diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
index 0649392d..61194714 100644
--- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
@@ -5,18 +5,19 @@
 matrix_synapse_auto_compressor_enabled: true
+matrix_synapse_auto_compressor_version: v0.1.3
+
+matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
+matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src"
+
 matrix_synapse_auto_compressor_container_image_self_build: false
 matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git"
 matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}"
-matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}"
-matrix_synapse_auto_compressor_version: v0.1.3
 matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}"
 matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}"
-matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
-
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor
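Review bot: `matrix_synapse_auto_compressor_container_src_files_path` is silently relocated from the base path itself to a new `container-src` subdirectory, and neither the hunk nor the commit description mentions it; presumably this is because the base path now also has to hold the env file, but self-build deployments that already have a checkout at the old location will get a fresh clone under the new path while the old one is left behind. A short comment above the new line would make the intent survive, e.g. `# Self-built image sources are checked out here (a subdirectory, since the base path now also holds the env file).` The commit message should also mention the relocation so that operators upgrading a self-build setup know to clean up the old checkout.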
@@ -57,4 +58,7 @@
 matrix_synapse_auto_compressor_chunk_size: 500
 # The higher this number is set to, the longer the compressor will run for.
 matrix_synapse_auto_compressor_chunks_to_compress: 100
-matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p {{ matrix_synapse_auto_compressor_synapse_database }} -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"
+matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p $POSTGRES_LOCATION -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"
+
+# Controls the POSTGRES_LOCATION environment variable
+matrix_synapse_auto_compressor_environment_variable_postgres_location: "{{ matrix_synapse_auto_compressor_synapse_database }}"
diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
index 6f4524bb..494a5678 100644
--- a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
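Review bot: `$POSTGRES_LOCATION` is left unquoted in the new `matrix_synapse_auto_compressor_command`, and because the value is now expanded by a shell inside the container instead of being rendered by Ansible, a connection string containing whitespace (the libpq `key=value` conninfo form) would be word-split into several arguments; writing the default as `matrix_synapse_auto_compressor_command: 'synapse_auto_compressor -p "$POSTGRES_LOCATION" -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}'` keeps it a single argument. The default now only works when the command is run through the shell wrapper in the service template, which an operator overriding this variable cannot see from here; a comment above it should say so, e.g. `# $POSTGRES_LOCATION is expanded at runtime by the shell wrapper in the systemd service template (value comes from the env file), so it must not be rendered here.` The comment on `matrix_synapse_auto_compressor_environment_variable_postgres_location` would also be clearer if it said the value is written to the `env` file on disk in the role's base path, since that is where the credential now lives.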
@@ -1,12 +1,26 @@
 ---
+
 - name: Ensure synapse-auto-compressor paths exist
 ansible.builtin.file:
- path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
+ path: "{{ item.path }}"
 state: directory
 mode: 0750
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
- when: matrix_synapse_auto_compressor_container_image_self_build | bool
+ when: item.when | bool
+ with_items:
+ - path: "{{ matrix_synapse_auto_compressor_base_path }}"
+ when: true
+ - path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
+ when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}"
+
+- name: Ensure synapse-auto-compressor labels installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/env.j2"
+ dest: "{{ matrix_synapse_auto_compressor_base_path }}/env"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
 - name: Ensure synapse-auto-compressor image is pulled
 community.docker.docker_image:
diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2
new file mode 100644
index 00000000..27fb1dd8
--- /dev/null
+++ b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2
@@ -0,0 +1 @@
+POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }}
diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
index e769438d..f530d5b2 100644
--- a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
+++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
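Review bot: The new template task is named `Ensure synapse-auto-compressor labels installed`, but what it does is render `env.j2` to `{{ matrix_synapse_auto_compressor_base_path }}/env`; the name looks copied from another role and will mislead anyone reading playbook output, so it should read `- name: Ensure synapse-auto-compressor env file installed`. The `mode: 0750` and `mode: 0640` values are unquoted YAML 1.1 octal integers; Ansible accepts the leading-zero form, but `mode: "0640"` is the safer convention and keeps linters quiet. Since this file now carries the database credential, `0640` owned by the matrix user and group is the right tightening, and it relies on the base directory created by the first task with `0750`; a one-line comment above the template task saying the file holds the database connection string would tell the next maintainer why the mode matters. `with_items` could be `loop` if the rest of the role already uses it, which cannot be told from this hunk.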
@@ -24,11 +24,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --read-only \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --network={{ matrix_synapse_auto_compressor_container_network }} \
+ --env-file={{ matrix_synapse_auto_compressor_base_path }}/env \
+ --entrypoint=/bin/sh \
 {% for arg in matrix_synapse_auto_compressor_container_extra_arguments %}
 {{ arg }} \
 {% endfor %}
 {{ matrix_synapse_auto_compressor_container_image }} \
- {{ matrix_synapse_auto_compressor_command }}
+ -c '{{ matrix_synapse_auto_compressor_command }}'
 {% for network in matrix_synapse_auto_compressor_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor
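Review bot: The wrapper `-c '{{ matrix_synapse_auto_compressor_command }}'` breaks as soon as the command, or an operator's override of it, contains a single quote, and the whole argument now passes through systemd's own quoting and `${VAR}` substitution before `/bin/sh` sees it, so the template should explain the indirection; suggest a comment above the `--entrypoint` line, e.g. `{# The image entrypoint is replaced by a shell so that $POSTGRES_LOCATION (from the env file) is expanded inside the container instead of being rendered into the unit; the braceless form is deliberate, since systemd expands ${VAR} within words itself. #}`. `--entrypoint=/bin/sh` also assumes the image ships a POSIX shell, which this hunk cannot confirm. On the security benefit claimed in the commit message: the connection string no longer shows in the host process list, but it is still readable by anyone able to run `docker inspect` on the container or read the process environment as root, so the 0640 env file and root-only access to the Docker socket are the actual controls now and deserve a sentence in the role documentation.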