
separate key files for module

Robin Appelman 2025-05-19 19:49:43 +02:00
commit 0c4f8e9922
4 changed files with 62 additions and 20 deletions


@ -85,7 +85,6 @@
"pm.max_spare_servers" = "15"; "pm.max_spare_servers" = "15";
"catch_workers_output" = "yes"; "catch_workers_output" = "yes";
"listen.owner" = "nginx"; "listen.owner" = "nginx";
"listen.group" = "nginx";
}; };
phpEnv = { phpEnv = {
BASE_HOST = "demos.tf"; BASE_HOST = "demos.tf";
@ -97,12 +96,20 @@
DB_DATABASE = "demostf"; DB_DATABASE = "demostf";
DB_USERNAME = "demostf"; DB_USERNAME = "demostf";
APP_ROOT = "http://localhost"; APP_ROOT = "http://localhost";
EDIT_SECRET = "edit"; EDIT_KEY = "/$CREDENTIALS_DIRECTORY/edit_key";
PARSER_PATH = lib.getExe pkgs.demostf-parser; PARSER_PATH = lib.getExe pkgs.demostf-parser;
}; };
user = "demostf"; user = "demostf";
group = "demostf"; group = "demostf";
}; };
systemd.services.phpfpm-demostf-api.serviceConfig = {
User = "demostf";
AmbientCapabilities = "CAP_CHOWN";
NoNewPrivileges = true;
LoadCredential = [
"edit_key:${pkgs.writeText "edit-key.conf" "edit"}"
];
};
}; };
}; };
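Review bot: The new `AmbientCapabilities = "CAP_CHOWN";` and `User = "demostf";` in the serviceConfig are not explained; presumably running the php-fpm master as the pool user means it can no longer hand the socket to `listen.owner = "nginx"` without CAP_CHOWN, and it is what makes the LoadCredential files readable by the workers. A one-line comment above the block, e.g. `# master runs as the pool user so LoadCredential files are readable; CAP_CHOWN is needed to chown the listen socket to listen.owner`, would save the next reader that inference. The `LoadCredential` entry builds the key with `pkgs.writeText`, which places it in the world-readable Nix store; that is fine for this local fixture with the literal value `edit`, but a comment such as `# dev-only placeholder key; real deployments must pass a file outside the store` would keep the pattern from being copied into a real deployment.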


@ -4,6 +4,7 @@
lib, lib,
... ...
}: let }: let
inherit (lib) optionals optionalAttrs;
cfg = config.services.demostf.api; cfg = config.services.demostf.api;
fpmCfg = config.services.phpfpm.pools.demostf-api; fpmCfg = config.services.phpfpm.pools.demostf-api;
exporterCfg = config.services.prometheus.exporters.php-fpm; exporterCfg = config.services.prometheus.exporters.php-fpm;
@ -45,9 +46,20 @@ in {
type = types.str; type = types.str;
description = "path the demos are stored"; description = "path the demos are stored";
}; };
keyFile = mkOption { editKeyFile = mkOption {
type = types.str; type = types.nullOr types.str;
description = "path containing key environment variables"; default = null;
description = "path containing edit key environment variables";
};
uploadKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = "path containing upload key environment variables";
};
accessKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = "path containing access key environment variables";
}; };
}; };
}; };
@ -99,7 +111,8 @@ in {
"listen.owner" = "nginx"; "listen.owner" = "nginx";
"listen.group" = "nginx"; "listen.group" = "nginx";
}; };
phpEnv = { phpEnv =
{
BASE_HOST = cfg.baseDomain; BASE_HOST = cfg.baseDomain;
DEMO_ROOT = cfg.demoRoot; DEMO_ROOT = cfg.demoRoot;
DEMO_HOST = cfg.hostDomain; DEMO_HOST = cfg.hostDomain;
@ -110,13 +123,34 @@ in {
DB_USERNAME = "demostf"; DB_USERNAME = "demostf";
APP_ROOT = "https://${cfg.apiDomain}"; APP_ROOT = "https://${cfg.apiDomain}";
PARSER_PATH = "${pkgs.demostf-parser}/bin/parse_demo"; PARSER_PATH = "${pkgs.demostf-parser}/bin/parse_demo";
}; }
// (optionalAttrs (cfg.editKeyFile != null) {
EDIT_KEY = "/$CREDENTIALS_DIRECTORY/edit_key";
})
// (optionalAttrs (cfg.uploadKeyFile != null) {
UPLOAD_KEY = "/$CREDENTIALS_DIRECTORY/upload_key";
})
// (optionalAttrs (cfg.accessKeyFile != null) {
ACCESS_KEY = "/$CREDENTIALS_DIRECTORY/access_key";
});
user = "demostf"; user = "demostf";
group = "demostf"; group = "demostf";
}; };
systemd.services.phpfpm-demostf-api.serviceConfig = { systemd.services.phpfpm-demostf-api.serviceConfig = {
EnvironmentFile = cfg.keyFile; User = "demostf";
AmbientCapabilities = "CAP_CHOWN";
NoNewPrivileges = true;
LoadCredential =
(optionals (cfg.editKeyFile != null) [
"edit_key:${cfg.editKeyFile}"
])
++ (optionals (cfg.uploadKeyFile != null) [
"upload_key:${cfg.uploadKeyFile}"
])
++ (optionals (cfg.accessKeyFile != null) [
"access_key:${cfg.accessKeyFile}"
]);
}; };
services.prometheus.exporters.php-fpm = { services.prometheus.exporters.php-fpm = {
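Review bot: Renaming `keyFile` to `editKeyFile` without a `mkRenamedOptionModule`/`mkRemovedOptionModule` entry means existing configurations that set `services.demostf.api.keyFile` fail evaluation with an undefined-option error and get no hint about the new options; since the semantics also changed from an `EnvironmentFile` of `KEY=value` lines to a raw credential handed over by `LoadCredential`, a `mkRemovedOptionModule` whose message points at the three new options is the safer choice. The three option descriptions still read `path containing ... key environment variables`, which describes the old mechanism; with `LoadCredential` the file is exposed as-is (the PHP side of this commit resolves `$CREDENTIALS_DIRECTORY` to a path and presumably reads the raw contents), so a user who keeps an `EDIT_KEY=...` line in the file would have that whole line treated as the key. Suggest `description = "path to a file containing the raw edit key, exposed to the service via systemd LoadCredential";` and the equivalent wording for the upload and access options. The enclosing module definition starts and ends outside these hunks.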


@ -15,6 +15,7 @@ $autoloader = require __DIR__ . '/../vendor/autoload.php';
function getEnvVar(string $name): string { function getEnvVar(string $name): string {
$var = getenv($name) ?: ''; $var = getenv($name) ?: '';
error_log("$name='$var'");
if (str_contains($var, '$CREDENTIALS_DIRECTORY')) { if (str_contains($var, '$CREDENTIALS_DIRECTORY')) {
$credentialsDirectory = getenv('CREDENTIALS_DIRECTORY') ?: ''; $credentialsDirectory = getenv('CREDENTIALS_DIRECTORY') ?: '';
$path = str_replace('$CREDENTIALS_DIRECTORY', $credentialsDirectory, $var); $path = str_replace('$CREDENTIALS_DIRECTORY', $credentialsDirectory, $var);
@ -58,7 +59,7 @@ $storeRoot = getEnvVar('DEMO_ROOT');
$storeHost = getEnvVar('DEMO_HOST'); $storeHost = getEnvVar('DEMO_HOST');
$parserPath = getEnvVar('PARSER_PATH'); $parserPath = getEnvVar('PARSER_PATH');
$appRoot = getEnvVar('APP_ROOT'); $appRoot = getEnvVar('APP_ROOT');
$editKey = getEnvVar('EDIT_SECRET'); $editKey = getEnvVar('EDIT_KEY');
$uploadKey = getEnvVar('UPLOAD_KEY'); $uploadKey = getEnvVar('UPLOAD_KEY');
$accessKey = getEnvVar('ACCESS_KEY'); $accessKey = getEnvVar('ACCESS_KEY');
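Review bot: The added `error_log("$name='$var'");` writes the value of every variable requested through getEnvVar to the PHP error log. The calls visible here fetch paths and hostnames, but the helper is generic, and any deployment that still supplies a key or a database password directly in the environment (the `EnvironmentFile` mechanism this commit replaces, or the `EDIT_SECRET` style just removed) would have that secret copied into the log. It reads like a leftover debugging aid; either drop the line or log only the name, `error_log("getEnvVar: $name");`. getEnvVar's body continues outside the hunk.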


@ -15,7 +15,7 @@ chakram.setRequestDefaults({baseUrl: root});
before((done) => { before((done) => {
console.log('spawn server'); console.log('spawn server');
const server = require('child_process').spawn('php', ['-S', '0.0.0.0:8000', 'router.php'], { const server = require('child_process').spawn('php', ['-d', 'post_max_size=100M', '-S', '0.0.0.0:8000', 'router.php'], {
cwd: __dirname + '/../', cwd: __dirname + '/../',
env: process.env env: process.env
}); });
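Review bot: Raising only `post_max_size` may not be enough if the suite exercises demo uploads, because PHP limits individual file uploads separately through `upload_max_filesize` (default 2M), and a request that fits `post_max_size` still fails with an upload error above that limit. If the intent is to let the test server accept large demos, pass both: `['-d', 'post_max_size=100M', '-d', 'upload_max_filesize=100M', '-S', '0.0.0.0:8000', 'router.php']`. The `before` callback continues outside the hunk.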