From 9e04a7b39b2ac67ecac18a915e2efd6a347f0be0 Mon Sep 17 00:00:00 2001 From: Felix Stupp Date: Tue, 23 Jun 2020 17:16:20 +0200 Subject: [PATCH] server/node: Moved private envs to extra file Otherwise all users would be able to extract data using systemctl show --- roles/server/node/defaults/main.yml | 1 + roles/server/node/tasks/main.yml | 13 ++++++++++++- roles/server/node/templates/node.service | 14 +------------- roles/server/node/templates/service.env | 13 +++++++++++++ 4 files changed, 27 insertions(+), 14 deletions(-) create mode 100644 roles/server/node/templates/service.env diff --git a/roles/server/node/defaults/main.yml b/roles/server/node/defaults/main.yml index 87da4ed..915d7e1 100644 --- a/roles/server/node/defaults/main.yml +++ b/roles/server/node/defaults/main.yml @@ -9,6 +9,7 @@ service_name: "{{ domain }}.service" # system_user: "nodejs" user_directory: "{{ global_webservers_directory }}/{{ domain }}" +service_environment_file: "{{ user_directory }}/{{ service_name }}.env" src: "{{ user_directory }}/server" database_user: "{{ system_user | regex_replace('[^a-zA-Z]', '_') }}" diff --git a/roles/server/node/tasks/main.yml b/roles/server/node/tasks/main.yml index 9061efc..a15abbb 100644 --- a/roles/server/node/tasks/main.yml +++ b/roles/server/node/tasks/main.yml @@ -6,13 +6,24 @@ chdir: "{{ src }}" creates: "{{ src }}/node_modules" +- name: Store environments required for service + template: + src: service.env + dest: "{{ service_environment_file }}" + owner: root + group: root + mode: u=rw,g=r,o= + notify: + - reload systemd # required for task below, systemd must reload before the service tries to restart + - "restart {{ domain }}" + - name: Register service for node server template: src: node.service dest: "{{ global_systemd_configuration_directory }}/{{ service_name }}" owner: root group: root - mode: "u=rw,g=r,o=" + mode: "u=rw,g=r,o=r" notify: - reload systemd - "restart {{ domain }}" 
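Review bot: `service_environment_file` resolves to a path inside `user_directory`, the same per-domain directory the env file hands to the service as `HOME`; if `system_user` owns or can write that directory (its ownership is not visible in this patch), it can unlink and recreate the `.env` file even though the file itself is `root:root` with no world access, and systemd would then load whatever replaced it at the next start. A root-owned location is the safer home for a file carrying `DATABASE_PASSWORD`, e.g. `service_environment_file: "{{ global_systemd_configuration_directory }}/{{ service_name }}.env"`. Whichever path is kept, the key deserves a comment next to it, e.g. `# Environment of the service, including the database password; must live in a directory the service user cannot write`.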
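Review bot: The new task's `mode: u=rw,g=r,o=` is unquoted while the same key in the task below keeps the quoted form `mode: "u=rw,g=r,o=r"`; a symbolic mode is safe either way, but the role should use one style, so `mode: "u=rw,g=r,o="` here. The inline comment on `reload systemd` assumes handlers run in notification order, which Ansible does not guarantee (they run in the order defined in the handlers file), and an `EnvironmentFile=` content change needs no daemon-reload at all since systemd reads the file at each service start, so the comment should say what the reload is really for or the notify list can shrink to `- "restart {{ domain }}"`. Because this template now renders the credential, running the play with `--diff` prints the whole file to the controller output; `diff: false` on the task keeps the password out of logs. The relaxation of the unit file to `o=r` is only safe because every `Environment=` line leaves the template in this commit, which a one-line comment above that `mode` (`# world-readable is fine: secrets live in service_environment_file`) would keep visible.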
diff --git a/roles/server/node/templates/node.service b/roles/server/node/templates/node.service
index 66ea033..e8b496c 100644
--- a/roles/server/node/templates/node.service
+++ b/roles/server/node/templates/node.service
@@ -11,19 +11,7 @@ Group={{ system_user }}
 WorkingDirectory={{ src }}
 ExecStart=/usr/bin/npm start
-Environment="USER={{ system_user }}"
-Environment="HOME={{ user_directory }}"
-Environment="NODE_ENV=production"
-Environment="PORT={{ bind_port }}"
-Environment="DOMAIN={{ domain }}"
-Environment="DATABASE_HOST=127.0.0.1"
-Environment="DATABASE_PORT=3306"
-Environment="DATABASE_USERNAME={{ database_user }}"
-Environment="DATABASE_PASSWORD={{ database_pass }}"
-Environment="DATABASE_NAME={{ database_name }}"
-{% for name, var in environment_vars.items() %}
-Environment="{{ name }}={{ var }}"
-{% endfor %}
+EnvironmentFile={{ service_environment_file }}
 TimeoutStartSec=2s
 TimeoutStopSec=10s
diff --git a/roles/server/node/templates/service.env b/roles/server/node/templates/service.env
new file mode 100644
index 0000000..6e01d95
--- /dev/null
+++ b/roles/server/node/templates/service.env
@@ -0,0 +1,13 @@
+USER={{ system_user }}
+HOME={{ user_directory }}
+NODE_ENV=production
+PORT={{ bind_port }}
+DOMAIN={{ domain }}
+DATABASE_HOST=127.0.0.1
+DATABASE_PORT=3306
+DATABASE_USERNAME={{ database_user }}
+DATABASE_PASSWORD={{ database_pass }}
+DATABASE_NAME={{ database_name }}
+{% for name, var in environment_vars.items() %}
+{{ name }}={{ var }}
+{% endfor %}
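Review bot: `EnvironmentFile={{ service_environment_file }}` without a leading `-` makes the unit refuse to start when the file is missing, which is the right choice here since the service has no fallback for the `DATABASE_*` values; a comment above it, `# No '-' prefix on purpose: fail to start rather than run with an empty database configuration`, would keep a later edit from "fixing" it. One behavioural difference from the removed `Environment="..."` lines is that values in the env file are now subject to systemd's env-file tokenisation (surrounding whitespace, quotes and backslashes are interpreted, as far as that grammar goes), so a `database_pass` or `environment_vars` entry containing such characters may no longer reach the process verbatim; that needs handling in the service.env template rather than here.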
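Review bot: `DATABASE_PASSWORD={{ database_pass }}` and the `{{ name }}={{ var }}` loop line write their values unquoted, so a secret with leading or trailing whitespace, a `'`, `"` or `\` is reinterpreted by systemd's env-file parser instead of being passed through, whereas the old `Environment="..."` entries were at least quoted. Single-quoting the value, `DATABASE_PASSWORD='{{ database_pass }}'`, covers whitespace and `"`; a literal `'` or `\` still needs a backslash escape applied in the template (a `regex_replace` on those two characters), and the same treatment belongs on the loop line. Since this template is where the credential now lives, a header comment such as `# Rendered as the EnvironmentFile of {{ service_name }}; root-owned and not world-readable, do not loosen` documents the file's trust level where the next editor will see it.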