Move synapse-auto-compressor Postgres argument to an environment variable

This provides an additional security benefit. The password won't leak in the process list anymore.
3 лет назад · 328d0d8a5f
--- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
@@ -5,18 +5,19 @@

 matrix_synapse_auto_compressor_enabled: true

 matrix_synapse_auto_compressor_version: v0.1.3

 matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
 matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src"

 matrix_synapse_auto_compressor_container_image_self_build: false
 matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git"
 matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}"
 matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}"

 matrix_synapse_auto_compressor_version: v0.1.3
 matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}"
 matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}"

 matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"

 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor

@@ -57,4 +58,7 @@ matrix_synapse_auto_compressor_chunk_size: 500
 # The higher this number is set to, the longer the compressor will run for.
 matrix_synapse_auto_compressor_chunks_to_compress: 100

 matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p {{ matrix_synapse_auto_compressor_synapse_database }} -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"
 matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p $POSTGRES_LOCATION -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"

 # Controls the POSTGRES_LOCATION environment variable
 matrix_synapse_auto_compressor_environment_variable_postgres_location: "{{ matrix_synapse_auto_compressor_synapse_database }}"
--- a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml
@@ -1,12 +1,26 @@
 ---

 - name: Ensure synapse-auto-compressor paths exist
  ansible.builtin.file:
    path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  when: matrix_synapse_auto_compressor_container_image_self_build | bool
  when: item.when | bool
  with_items:
    - path: "{{ matrix_synapse_auto_compressor_base_path }}"
      when: true
    - path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
      when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}"

 - name: Ensure synapse-auto-compressor labels installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/env.j2"
    dest: "{{ matrix_synapse_auto_compressor_base_path }}/env"
    mode: 0640
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

 - name: Ensure synapse-auto-compressor image is pulled
  community.docker.docker_image:
--- a/roles/custom/matrix-synapse-auto-compressor/templates/env.j2
+++ b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2
@@ -0,0 +1 @@
 POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }}
--- a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
+++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2
@@ -24,11 +24,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--network={{ matrix_synapse_auto_compressor_container_network }} \
 			--env-file={{ matrix_synapse_auto_compressor_base_path }}/env \
 			--entrypoint=/bin/sh \
 			{% for arg in matrix_synapse_auto_compressor_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_synapse_auto_compressor_container_image }} \
 			{{ matrix_synapse_auto_compressor_command }}
 			-c '{{ matrix_synapse_auto_compressor_command }}'

 {% for network in matrix_synapse_auto_compressor_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor