Set SECRET_KEY_BASE for rails job runners

openstreetmap · Nov 8, 2023 · d4ccdb8 · d4ccdb8
1 parent 960f2a2
commit d4ccdb8
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
@@ -298,7 +298,7 @@
   systemd_service "rails-jobs@" do
     description "Rails job queue runner"
     type "simple"
-    environment "RAILS_ENV" => "production", "SLEEP_DELAY" => "60"
+    environment_file "/etc/default/rails-%i"
     user "apis"
     working_directory "/srv/%i.apis.dev.openstreetmap.org/rails"
     exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
@@ -413,6 +413,14 @@
         notifies :restart, "rails_port[#{site_name}]"
       end
 
+      template "/etc/default/rails-#{name}" do
+        source "rails.environment.erb"
+        owner "root"
+        group "root"
+        mode "0600"
+        variables :secret_key_base => secret_key_base
+      end
+
       service "rails-jobs@#{name}" do
         action [:enable, :start]
         supports :restart => true

diff --git a/cookbooks/dev/templates/default/rails.environment.erb b/cookbooks/dev/templates/default/rails.environment.erb
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+RAILS_ENV="production"
+SLEEP_DELAY="60"
+SECRET_KEY_BASE="<%= @secret_key_base %>"
diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
@@ -165,7 +165,10 @@
 systemd_service "rails-jobs@" do
   description "Rails job queue runner"
   type "simple"
-  environment "RAILS_ENV" => "production", "QUEUE" => "%I", "SLEEP_DELAY" => "60"
+  environment "RAILS_ENV" => "production",
+              "QUEUE" => "%I",
+              "SLEEP_DELAY" => "60",
+              "SECRET_KEY_BASE" => web_passwords["secret_key_base"]
   user "rails"
   working_directory rails_directory
   exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"