From 5dd21af3ddb3d58020814887b8cff4f9e13ec5bc Mon Sep 17 00:00:00 2001
From: Adam Grare
Date: Wed, 20 Mar 2024 12:59:24 -0400
Subject: [PATCH] Create a podman secret when starting systemd unit

---
 app/models/opentofu_worker.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/app/models/opentofu_worker.rb b/app/models/opentofu_worker.rb
index 0befd97b..069f2be7 100644
--- a/app/models/opentofu_worker.rb
+++ b/app/models/opentofu_worker.rb
@@ -33,6 +33,11 @@ def container_image
 ENV["OPENTOFU_RUNNER_IMAGE"] || default_image
 end
 
+ def enable_systemd_unit
+ super
+ create_podman_secret
+ end
+
 def unit_config_file
 # Override this in a sub-class if the specific instance needs
 # any additional config
@@ -55,4 +60,13 @@ def unit_environment_variables
 "MEMCACHED_SERVER=#{::Settings.session.memcache_server}"
 ]
 end
+
+ def create_podman_secret
+ return if AwesomeSpawn.run("podman", :params => %w[secret exists opentofu-runner-secret]).success?
+
+ database_password = ActiveRecord::Base.connection_db_config.configuration_hash[:password]
+ secret = {"DATABASE_PASSWORD" => database_password}
+
+ AwesomeSpawn.run!("podman", :params => %w[secret create opentofu-runner-secret -], :in_data => secret.to_json)
+ end
 end
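Review bot: In the new `enable_systemd_unit`, `super` runs before `create_podman_secret`, so if `AwesomeSpawn.run!` raises, the unit has already been enabled without the secret it presumably depends on. The parent implementation is outside this hunk, so whether it also starts the unit cannot be confirmed here. Either way, creating the secret first is the safer order: `create_podman_secret` then `super`. A short comment on the override, such as `# The runner container reads DATABASE_PASSWORD from the opentofu-runner-secret podman secret`, would also explain why the hook exists.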
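Review bot: The early return on `podman secret exists` in `create_podman_secret` means an existing `opentofu-runner-secret` is never refreshed, so after a database password rotation the runner would keep the old `DATABASE_PASSWORD` until someone removes the secret by hand. Consider recreating it on every enable, for example with `%w[secret create --replace opentofu-runner-secret -]` where the installed podman supports `--replace`, or with a `secret rm` followed by the create. Any non-zero exit from the `exists` call is also treated as "not present", so an unrelated podman failure only surfaces later in the `run!` call. `configuration_hash[:password]` can presumably be nil (for example with socket or peer authentication), which would store a JSON null in the secret; a guard such as `raise "database password is not configured" if database_password.nil?` would make that visible. Feeding the JSON through `:in_data` keeps the password off the process argument list, and a comment saying so would protect that choice from a later refactor.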