server/tt-rss: Moved service envs in extra file

Otherwise all users would be able to extract data using systemctl show

roles/server/tt-rss/defaults/main.yml

@@ -8,6 +8,7 @@ system_user: "{{ domain | domain_to_username }}"
 
 user_directory: "{{ global_webservers_directory }}/{{ domain }}"
 installation_directory: "{{ user_directory }}/repository"
+service_environment_file: "{{ user_directory }}/{{ service_name }}.env"
 
 database_user: "{{ system_user }}"
 # database_pass from mysql/database

roles/server/tt-rss/tasks/main.yml

@@ -9,6 +9,17 @@
     mode: "u=rw,g=r,o="
   notify: "restart {{ domain }}"
 
+- name: Store environments required for service
+  template:
+    src: service.env
+    dest: "{{ service_environment_file }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=
+  notify:
+    - reload systemd # required for task below, systemd must reload before the service tries to restart
+    - "restart {{ domain }}"
+
 - name: Configure Tiny Tiny RSS systemd service
   template:
     src: tt-rss.service

roles/server/tt-rss/templates/service.env

@@ -0,0 +1,3 @@
+DATABASE_USERNAME={{ database_user }}
+DATABASE_PASSWORD={{ database_pass }}
+DATABASE_NAME={{ database_name }}

roles/server/tt-rss/templates/tt-rss.service

@@ -5,9 +5,7 @@ After=network.target mysql.service
 [Service]
 User={{ system_user }}
 ExecStart={{ installation_directory }}/update_daemon2.php
-Environment="DATABASE_USERNAME={{ database_user }}"
-Environment="DATABASE_PASSWORD={{ database_pass }}"
-Environment="DATABASE_NAME={{ database_name }}"
+EnvironmentFile={{ service_environment_file }}
 
 [Install]
 WantedBy=multi-user.target