hedgedoc: limit secret acccess to root

So far every user on the system was able to read the secrets from the
world-readable config.json. Move these secret into the systemd service
file and limit its read rights to root.

fixes: archlinux/infrastructure#562



Co-authored-by: Jakub Klinkovský <lahwaacz@archlinux.org>
Signed-off-by: Christian Heusel <christian@heusel.eu>

roles/hedgedoc/tasks/main.yml

@@ -31,7 +31,7 @@
   file: state=directory path=/etc/systemd/system/hedgedoc.service.d owner=root group=root mode=0755
 
 - name: Install hedgedoc.service snippet for configuration
-  template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644
+  template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0640
 
 - name: Install hedgedoc config file
   template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644

roles/hedgedoc/templates/config.json.j2

 {
     "production": {
-        "sessionSecret": "{{ vault_hedgedoc_session_secret }}",
         "email": false,
         "domain": "{{ hedgedoc_domain }}",
         "loglevel": "info",
@@ -30,7 +29,6 @@
         "db": {
             "dialect": "postgres",
             "username": "hedgedoc",
-            "password": "{{ vault_postgres_users.hedgedoc }}",
             "database": "hedgedoc",
             "host": "localhost",
             "port": "5432"

roles/hedgedoc/templates/hedgedoc.service.d.j2

@@ -16,3 +16,5 @@ Environment=CMD_PROTOCOL_USESSL=true
 Environment=CMD_URL_ADDPORT=false
 Environment=CMD_ALLOW_FREEURL=true
 Environment=CMD_REQUIRE_FREEURL_AUTHENTICATION=true
+Environment=CMD_SESSION_SECRET={{ vault_hedgedoc_session_secret }}
+Environment=CMD_DB_PASSWORD={{ vault_postgres_users.hedgedoc }}