Securing IaC_database configuration

playbooks/IaC_database.yml

@@ -100,6 +100,24 @@
         line: "export XDG_RUNTIME_DIR=/run/user/2001"
         create: true
 
+    - name: Place container environment file for psql user
+      ansible.builtin.lineinfile:
+        path: /home/psql/.containerenv
+        owner: psql
+        group: psql
+        mode: "0750"
+        line: "POSTGRES_PASSWORD=\"{{ postgres_db_password }}\""
+        create: true
+
+    - name: Place container environment file for mysql user
+      ansible.builtin.lineinfile:
+        path: /home/mysql/.containerenv
+        owner: mysql
+        group: mysql
+        mode: "0750"
+        line: "MYSQL_ROOT_PASSWORD=\"{{ mysql_db_password }}\""
+        create: true
+
     - name: Allow mysql user to linger
       ansible.builtin.shell:
         cmd: "loginctl enable-linger 2001"
@@ -193,8 +211,7 @@
             [Unit]
             Description=Postgres Quadlet
             After=pgdata.mount
-        env:
+        env_file: "/home/psql/.containerenv"
-          POSTGRES_PASSWORD: "{{ postgres_db_password }}"
       become_user: "psql"
 
     - name: Build mysql quadlet
@@ -220,8 +237,7 @@
             [Unit]
             Description=MySQL Quadlet
             After=mysql_data.mount
-        env:
+        env_file: "/home/mysql/.containerenv"
-          MYSQL_ROOT_PASSWORD: "{{ mysql_db_password }}"
       become_user: "mysql"
 
     - name: Run systemctl --user daemon-reload