From ccf68952dd76c6afc4925f076ce9d7b4119657f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Wed, 20 Apr 2022 18:28:05 +0200
Subject: [PATCH] Use config file for cleaner more secure usage
---
 .../defaults/main.yml | 1 +
 .../tasks/setup_install.yml | 7 ++++---
 .../templates/config/config.yml.j2 | 12 ++++++++++++
 .../matrix-bot-matrix-registration-bot.service.j2 | 5 +++++
 4 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 roles/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2
diff --git a/roles/matrix-bot-matrix-registration-bot/defaults/main.yml b/roles/matrix-bot-matrix-registration-bot/defaults/main.yml
index ca2e9b112..b081a3266 100644
--- a/roles/matrix-bot-matrix-registration-bot/defaults/main.yml
+++ b/roles/matrix-bot-matrix-registration-bot/defaults/main.yml
@@ -13,6 +13,7 @@ matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matri
 matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot"
 matrix_bot_matrix_registration_bot_config_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/config"
+matrix_bot_matrix_registration_bot_data_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/data"
 matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}"
 matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}"
diff --git a/roles/matrix-bot-matrix-registration-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
index 5f1e3d793..716d67bc3 100644
--- a/roles/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
+++ b/roles/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
@@ -9,13 +9,14 @@
 group: "{{ matrix_user_groupname }}"
 with_items:
 - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true}
+ - - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}
 - {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true}
 when: "item.when|bool"
-- name: Ensure matrix-registration-bot environment variables file created
+- name: Ensure matrix-registration-bot configuration file created
 template:
- src: "{{ role_path }}/templates/env.j2"
- dest: "{{ matrix_bot_matrix_registration_bot_config_path }}/env"
+ src: "{{ role_path }}/templates/config/config.yml.j2"
+ dest: "{{ matrix_bot_matrix_registration_bot_config_path }}/config.yml"
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
 mode: 0640
diff --git a/roles/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 b/roles/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2
new file mode 100644
index 000000000..79e1a73ce
--- /dev/null
+++ b/roles/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2
@@ -0,0 +1,12 @@
+bot:
+ server: "{{ matrix_bot_matrix_registration_bot_bot_server }}"
+ username: "{{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart }}"
+ access_token: "{{ matrix_bot_matrix_registration_bot_api_token }}"
+api:
+ # API endpoint of the registration tokens
+ base_url: '{{ matrix_bot_matrix_registration_bot_api_base_url }}'
+ # Access token of an administrator on the server
+ token: "{{ matrix_bot_matrix_registration_bot_matrix_admin_token }}"
+logging:
+ level: "{{ matrix_bot_matrix_registration_bot_logging_level }}"
+
diff --git a/roles/matrix-bot-matrix-registration-bot/templates/systemd/matrix-bot-matrix-registration-bot.service.j2 b/roles/matrix-bot-matrix-registration-bot/templates/systemd/matrix-bot-matrix-registration-bot.service.j2
index 75fdc331f..ba2a95931 100644
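Review bot: The added `with_items` entry reads `- - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}`; if that second dash is really in the file rather than an artefact of how the patch is rendered here, the mapping is wrapped in a nested one-element list, so `item.when` is undefined for that item and the loop fails before the data directory is created. The line should match its neighbours: `- {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}`. The template task now writes `config.yml` instead of `{{ matrix_bot_matrix_registration_bot_config_path }}/env`, but nothing in this hunk removes the old `env` file, which carried the same tokens; unless a task elsewhere in the file handles it, a `file:` task with `state: absent` for that path would stop stale credentials from lingering on upgraded hosts. The enclosing task list continues outside the hunk.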
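Review bot: `base_url` is the only templated scalar in the new file written with single quotes while every other value uses double quotes; `base_url: "{{ matrix_bot_matrix_registration_bot_api_base_url }}"` keeps the template uniform. The last added line is an empty `+` line, which leaves a trailing blank line at the end of the rendered file. Since this file now holds both the bot's `access_token` and the administrator `token`, a one-line header such as `# Rendered by the matrix-bot-matrix-registration-bot role; contains access tokens, keep permissions restricted` would tell anyone editing the rendered copy why the installed mode is tight.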
--- a/roles/matrix-bot-matrix-registration-bot/templates/systemd/matrix-bot-matrix-registration-bot.service.j2
+++ b/roles/matrix-bot-matrix-registration-bot/templates/systemd/matrix-bot-matrix-registration-bot.service.j2
@@ -19,6 +19,11 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-registration-bot \
 --log-driver=none \
 --cap-drop=ALL \
+ -e "CONFIG_PATH=/config/config.yml" \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --read-only \
+ --mount type=bind,src={{ matrix_bot_matrix_registration_bot_config_path }},dst=/config,ro \
+ --mount type=bind,src={{ matrix_bot_matrix_registration_bot_data_path }},dst=/data \
 --network={{ matrix_docker_network }} \
 --env-file={{ matrix_bot_matrix_registration_bot_config_path }}/env \
 {{ matrix_bot_matrix_registration_bot_docker_image }}
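Review bot: The context line `--env-file={{ matrix_bot_matrix_registration_bot_config_path }}/env \` is kept although the companion change in `setup_install.yml` no longer renders that file, so on a fresh install docker refuses to start the container because the env file is missing, and on an upgraded host the container keeps loading the old token-bearing `env` file alongside the new `config.yml`. With the bot now pointed at `/config/config.yml` through `-e "CONFIG_PATH=/config/config.yml"` and the config directory bind-mounted read-only, that `--env-file` line should be removed from `ExecStart`. The rest of the unit lies outside the hunk.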