Securing IaC_database configuration

2024-11-22 12:02:56 -05:00 · 2024-11-22 12:02:56 -05:00 · df0b896ec4
commit df0b896ec4
parent 66ca351e2e
1 changed files with 20 additions and 4 deletions
--- a/playbooks/IaC_database.yml
+++ b/playbooks/IaC_database.yml
@ -100,6 +100,24 @@
        line: "export XDG_RUNTIME_DIR=/run/user/2001"
        create: true

+    - name: Place container environment file for psql user
+      ansible.builtin.lineinfile:
+        path: /home/psql/.containerenv
+        owner: psql
+        group: psql
+        mode: "0750"
+        line: "POSTGRES_PASSWORD=\"{{ postgres_db_password }}\""
+        create: true
+
+    - name: Place container environment file for mysql user
+      ansible.builtin.lineinfile:
+        path: /home/mysql/.containerenv
+        owner: mysql
+        group: mysql
+        mode: "0750"
+        line: "MYSQL_ROOT_PASSWORD=\"{{ mysql_db_password }}\""
+        create: true
+
    - name: Allow mysql user to linger
      ansible.builtin.shell:
        cmd: "loginctl enable-linger 2001"
@ -193,8 +211,7 @@
            [Unit]
            Description=Postgres Quadlet
            After=pgdata.mount
-        env:
-          POSTGRES_PASSWORD: "{{ postgres_db_password }}"
+        env_file: "/home/psql/.containerenv"
      become_user: "psql"

    - name: Build mysql quadlet
@ -220,8 +237,7 @@
            [Unit]
            Description=MySQL Quadlet
            After=mysql_data.mount
-        env:
-          MYSQL_ROOT_PASSWORD: "{{ mysql_db_password }}"
+        env_file: "/home/mysql/.containerenv"
      become_user: "mysql"

    - name: Run systemctl --user daemon-reload