Move synapse-auto-compressor Postgres argument to an environment variable

This also provides a security benefit: the password no longer leaks into
the process list.
Slavi Pantaleev 2023-03-12 10:17:42 +02:00
parent 26d5719df4
commit 328d0d8a5f
4 changed files with 29 additions and 8 deletions


@ -5,18 +5,19 @@
matrix_synapse_auto_compressor_enabled: true matrix_synapse_auto_compressor_enabled: true
matrix_synapse_auto_compressor_version: v0.1.3
matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src"
matrix_synapse_auto_compressor_container_image_self_build: false matrix_synapse_auto_compressor_container_image_self_build: false
matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git" matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git"
matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}" matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}"
matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}"
matrix_synapse_auto_compressor_version: v0.1.3
matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}" matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}"
matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}" matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}"
matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}" matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}"
matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor"
# The base container network. It will be auto-created by this role if it doesn't exist already. # The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor
@ -57,4 +58,7 @@ matrix_synapse_auto_compressor_chunk_size: 500
# The higher this number is set to, the longer the compressor will run for. # The higher this number is set to, the longer the compressor will run for.
matrix_synapse_auto_compressor_chunks_to_compress: 100 matrix_synapse_auto_compressor_chunks_to_compress: 100
matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p {{ matrix_synapse_auto_compressor_synapse_database }} -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}" matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p $POSTGRES_LOCATION -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"
# Controls the POSTGRES_LOCATION environment variable
matrix_synapse_auto_compressor_environment_variable_postgres_location: "{{ matrix_synapse_auto_compressor_synapse_database }}"
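Review bot: `$POSTGRES_LOCATION` on the new side of the `matrix_synapse_auto_compressor_command` line is unquoted inside a string that is now executed by `/bin/sh -c` (per the systemd template in this commit), so the shell word-splits the value; a libpq connection string written in key=value form (`host=… password=…`) contains spaces and would be broken into several arguments. Quoting it as `-p "$POSTGRES_LOCATION"` keeps the value as one argument in either form. The comment on `matrix_synapse_auto_compressor_environment_variable_postgres_location` could also say where the value ends up: `# Rendered into {{ matrix_synapse_auto_compressor_base_path }}/env and passed to the container via --env-file; the command references it as $POSTGRES_LOCATION so the connection string (with its password) stays out of the unit file and the process list.` As far as I can tell, the single-quoted `-c '…'` in the unit file means the dollar sign reaches the container shell rather than being substituted by systemd, but that is worth a sentence in the comment too.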


@ -1,12 +1,26 @@
--- ---
- name: Ensure synapse-auto-compressor paths exist - name: Ensure synapse-auto-compressor paths exist
ansible.builtin.file: ansible.builtin.file:
path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" path: "{{ item.path }}"
state: directory state: directory
mode: 0750 mode: 0750
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}" group: "{{ matrix_user_groupname }}"
when: matrix_synapse_auto_compressor_container_image_self_build | bool when: item.when | bool
with_items:
- path: "{{ matrix_synapse_auto_compressor_base_path }}"
when: true
- path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}"
when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}"
- name: Ensure synapse-auto-compressor labels installed
ansible.builtin.template:
src: "{{ role_path }}/templates/env.j2"
dest: "{{ matrix_synapse_auto_compressor_base_path }}/env"
mode: 0640
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure synapse-auto-compressor image is pulled - name: Ensure synapse-auto-compressor image is pulled
community.docker.docker_image: community.docker.docker_image:
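Review bot: The new template task's name, `Ensure synapse-auto-compressor labels installed`, does not describe what it does — it renders `templates/env.j2` to `{{ matrix_synapse_auto_compressor_base_path }}/env`; `- name: Ensure synapse-auto-compressor environment file installed` would match the other task names. Since that file now carries the database connection string including its password, `mode: 0640` is the right restriction, and a one-line comment above the task (`# The env file holds the Postgres connection string (with password); keep it non-world-readable`) would stop a later edit from loosening it. The two octal modes (`0750` on the existing path task, `0640` on the new one) are unquoted; Ansible's YAML 1.1 parser reads the leading-zero literal as octal, but yamllint and YAML 1.2 parsers do not, so the quoted form `mode: "0640"` is the portable one. The `with_items` entries use a key named `when`, which reads like the task-level `when:` directly above it; a name such as `enabled` would be less confusable.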


@ -0,0 +1 @@
POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }}
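Review bot: The new env.j2 renders the connection string into the env file with no quoting or escaping, which is what Docker's `--env-file` expects (values are taken literally to the end of the line, no quote processing; other runtimes may differ), but it means a value containing a newline would silently become a second, malformed entry. A comment line at the top of the template would record that for whoever edits it: `# Consumed via --env-file: one VAR=value per line, values are literal (no quotes, no escapes).` Once rendered this file holds the database password, so the restrictive mode set by the template task in this commit is what protects it.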


@ -24,11 +24,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--read-only \ --read-only \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_synapse_auto_compressor_container_network }} \ --network={{ matrix_synapse_auto_compressor_container_network }} \
--env-file={{ matrix_synapse_auto_compressor_base_path }}/env \
--entrypoint=/bin/sh \
{% for arg in matrix_synapse_auto_compressor_container_extra_arguments %} {% for arg in matrix_synapse_auto_compressor_container_extra_arguments %}
{{ arg }} \ {{ arg }} \
{% endfor %} {% endfor %}
{{ matrix_synapse_auto_compressor_container_image }} \ {{ matrix_synapse_auto_compressor_container_image }} \
{{ matrix_synapse_auto_compressor_command }} -c '{{ matrix_synapse_auto_compressor_command }}'
{% for network in matrix_synapse_auto_compressor_container_additional_networks %} {% for network in matrix_synapse_auto_compressor_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor