separate key files for module

2026-06-03 09:54:17 +02:00 · 2025-05-19 19:49:43 +02:00 · 2025-05-19 19:49:43 +02:00 · 0c4f8e9922
commit 0c4f8e9922
parent 4d3a8704d1
4 changed files with 62 additions and 20 deletions
--- a/nix/integration-tests.nix
+++ b/nix/integration-tests.nix
@ -85,7 +85,6 @@
          "pm.max_spare_servers" = "15";
          "catch_workers_output" = "yes";
          "listen.owner" = "nginx";
-          "listen.group" = "nginx";
        };
        phpEnv = {
          BASE_HOST = "demos.tf";
@ -97,12 +96,20 @@
          DB_DATABASE = "demostf";
          DB_USERNAME = "demostf";
          APP_ROOT = "http://localhost";
-          EDIT_SECRET = "edit";
+          EDIT_KEY = "/$CREDENTIALS_DIRECTORY/edit_key";
          PARSER_PATH = lib.getExe pkgs.demostf-parser;
        };
        user = "demostf";
        group = "demostf";
      };
+      systemd.services.phpfpm-demostf-api.serviceConfig = {
+        User = "demostf";
+        AmbientCapabilities = "CAP_CHOWN";
+        NoNewPrivileges = true;
+        LoadCredential = [
+          "edit_key:${pkgs.writeText "edit-key.conf" "edit"}"
+        ];
+      };
    };
  };

--- a/nix/module.nix
+++ b/nix/module.nix
@ -4,6 +4,7 @@
  lib,
  ...
 }: let
+  inherit (lib) optionals optionalAttrs;
  cfg = config.services.demostf.api;
  fpmCfg = config.services.phpfpm.pools.demostf-api;
  exporterCfg = config.services.prometheus.exporters.php-fpm;
@ -45,9 +46,20 @@ in {
        type = types.str;
        description = "path the demos are stored";
      };
-      keyFile = mkOption {
-        type = types.str;
-        description = "path containing key environment variables";
+      editKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "path containing edit key environment variables";
+      };
+      uploadKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "path containing upload key environment variables";
+      };
+      accessKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "path containing access key environment variables";
      };
    };
  };
@ -99,7 +111,8 @@ in {
        "listen.owner" = "nginx";
        "listen.group" = "nginx";
      };
-      phpEnv = {
+      phpEnv =
+        {
          BASE_HOST = cfg.baseDomain;
          DEMO_ROOT = cfg.demoRoot;
          DEMO_HOST = cfg.hostDomain;
@ -110,13 +123,34 @@ in {
          DB_USERNAME = "demostf";
          APP_ROOT = "https://${cfg.apiDomain}";
          PARSER_PATH = "${pkgs.demostf-parser}/bin/parse_demo";
-      };
+        }
+        // (optionalAttrs (cfg.editKeyFile != null) {
+          EDIT_KEY = "/$CREDENTIALS_DIRECTORY/edit_key";
+        })
+        // (optionalAttrs (cfg.uploadKeyFile != null) {
+          UPLOAD_KEY = "/$CREDENTIALS_DIRECTORY/upload_key";
+        })
+        // (optionalAttrs (cfg.accessKeyFile != null) {
+          ACCESS_KEY = "/$CREDENTIALS_DIRECTORY/access_key";
+        });
      user = "demostf";
      group = "demostf";
    };

    systemd.services.phpfpm-demostf-api.serviceConfig = {
-      EnvironmentFile = cfg.keyFile;
+      User = "demostf";
+      AmbientCapabilities = "CAP_CHOWN";
+      NoNewPrivileges = true;
+      LoadCredential =
+        (optionals (cfg.editKeyFile != null) [
+          "edit_key:${cfg.editKeyFile}"
+        ])
+        ++ (optionals (cfg.uploadKeyFile != null) [
+          "upload_key:${cfg.uploadKeyFile}"
+        ])
+        ++ (optionals (cfg.accessKeyFile != null) [
+          "access_key:${cfg.accessKeyFile}"
+        ]);
    };

    services.prometheus.exporters.php-fpm = {
--- a/src/init.php
+++ b/src/init.php
@ -15,6 +15,7 @@ $autoloader = require __DIR__ . '/../vendor/autoload.php';

 function getEnvVar(string $name): string {
    $var = getenv($name) ?: '';
+    error_log("$name='$var'");
    if (str_contains($var, '$CREDENTIALS_DIRECTORY')) {
        $credentialsDirectory = getenv('CREDENTIALS_DIRECTORY') ?: '';
        $path = str_replace('$CREDENTIALS_DIRECTORY', $credentialsDirectory, $var);
@ -58,7 +59,7 @@ $storeRoot = getEnvVar('DEMO_ROOT');
 $storeHost = getEnvVar('DEMO_HOST');
 $parserPath = getEnvVar('PARSER_PATH');
 $appRoot = getEnvVar('APP_ROOT');
-$editKey = getEnvVar('EDIT_SECRET');
+$editKey = getEnvVar('EDIT_KEY');
 $uploadKey = getEnvVar('UPLOAD_KEY');
 $accessKey = getEnvVar('ACCESS_KEY');

--- a/test/Integration/Tests.js
+++ b/test/Integration/Tests.js
@ -15,7 +15,7 @@ chakram.setRequestDefaults({baseUrl: root});

 before((done) => {
 	console.log('spawn server');
-	const server = require('child_process').spawn('php', ['-S', '0.0.0.0:8000', 'router.php'], {
+	const server = require('child_process').spawn('php', ['-d', 'post_max_size=100M', '-S', '0.0.0.0:8000', 'router.php'], {
 		cwd: __dirname + '/../',
 		env: process.env
 	});