separate key files for module

icewind1991 · icewind1991 · commit 0c4f8e9922ee · 2025-05-19T21:36:32.000+02:00
diff --git a/nix/integration-tests.nix b/nix/integration-tests.nix
@@ -85,7 +85,6 @@
           "pm.max_spare_servers" = "15";
           "catch_workers_output" = "yes";
           "listen.owner" = "nginx";
-          "listen.group" = "nginx";
         };
         phpEnv = {
           BASE_HOST = "demos.tf";
@@ -97,12 +96,20 @@
           DB_DATABASE = "demostf";
           DB_USERNAME = "demostf";
           APP_ROOT = "http://localhost";
-          EDIT_SECRET = "edit";
+          EDIT_KEY = "/$CREDENTIALS_DIRECTORY/edit_key";
           PARSER_PATH = lib.getExe pkgs.demostf-parser;
         };
         user = "demostf";
         group = "demostf";
       };
+      systemd.services.phpfpm-demostf-api.serviceConfig = {
+        User = "demostf";
+        AmbientCapabilities = "CAP_CHOWN";
+        NoNewPrivileges = true;
+        LoadCredential = [
+          "edit_key:${pkgs.writeText "edit-key.conf" "edit"}"
+        ];
+      };
     };
   };
 
diff --git a/nix/module.nix b/nix/module.nix
@@ -4,6 +4,7 @@
   lib,
   ...
 }: let
+  inherit (lib) optionals optionalAttrs;
   cfg = config.services.demostf.api;
   fpmCfg = config.services.phpfpm.pools.demostf-api;
   exporterCfg = config.services.prometheus.exporters.php-fpm;
@@ -45,9 +46,20 @@ in {
         type = types.str;
         description = "path the demos are stored";
       };
-      keyFile = mkOption {
-        type = types.str;
-        description = "path containing key environment variables";
+      editKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "path containing edit key environment variables";
+      };
+      uploadKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "path containing upload key environment variables";
+      };
+      accessKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "path containing access key environment variables";
       };
     };
   };
@@ -99,24 +111,46 @@ in {
         "listen.owner" = "nginx";
         "listen.group" = "nginx";
       };
-      phpEnv = {
-        BASE_HOST = cfg.baseDomain;
-        DEMO_ROOT = cfg.demoRoot;
-        DEMO_HOST = cfg.hostDomain;
-        DB_TYPE = "pgsql";
-        DB_HOST = "/run/postgresql";
-        DB_PORT = "5432";
-        DB_DATABASE = "demostf";
-        DB_USERNAME = "demostf";
-        APP_ROOT = "https://${cfg.apiDomain}";
-        PARSER_PATH = "${pkgs.demostf-parser}/bin/parse_demo";
-      };
+      phpEnv =
+        {
+          BASE_HOST = cfg.baseDomain;
+          DEMO_ROOT = cfg.demoRoot;
+          DEMO_HOST = cfg.hostDomain;
+          DB_TYPE = "pgsql";
+          DB_HOST = "/run/postgresql";
+          DB_PORT = "5432";
+          DB_DATABASE = "demostf";
+          DB_USERNAME = "demostf";
+          APP_ROOT = "https://${cfg.apiDomain}";
+          PARSER_PATH = "${pkgs.demostf-parser}/bin/parse_demo";
+        }
+        // (optionalAttrs (cfg.editKeyFile != null) {
+          EDIT_KEY = "/$CREDENTIALS_DIRECTORY/edit_key";
+        })
+        // (optionalAttrs (cfg.uploadKeyFile != null) {
+          UPLOAD_KEY = "/$CREDENTIALS_DIRECTORY/upload_key";
+        })
+        // (optionalAttrs (cfg.accessKeyFile != null) {
+          ACCESS_KEY = "/$CREDENTIALS_DIRECTORY/access_key";
+        });
       user = "demostf";
       group = "demostf";
     };
 
     systemd.services.phpfpm-demostf-api.serviceConfig = {
-      EnvironmentFile = cfg.keyFile;
+      User = "demostf";
+      AmbientCapabilities = "CAP_CHOWN";
+      NoNewPrivileges = true;
+      LoadCredential =
+        (optionals (cfg.editKeyFile != null) [
+          "edit_key:${cfg.editKeyFile}"
+        ])
+        ++ (optionals (cfg.uploadKeyFile != null) [
+          "upload_key:${cfg.uploadKeyFile}"
+        ])
+        ++ (optionals (cfg.accessKeyFile != null) [
+          "access_key:${cfg.accessKeyFile}"
+        ]);
     };
 
     services.prometheus.exporters.php-fpm = {
diff --git a/src/init.php b/src/init.php
@@ -15,6 +15,7 @@ function get_magic_quotes_gpc(): bool {
 
 function getEnvVar(string $name): string {
     $var = getenv($name) ?: '';
+    error_log("$name='$var'");
     if (str_contains($var, '$CREDENTIALS_DIRECTORY')) {
         $credentialsDirectory = getenv('CREDENTIALS_DIRECTORY') ?: '';
         $path = str_replace('$CREDENTIALS_DIRECTORY', $credentialsDirectory, $var);
@@ -58,7 +59,7 @@ function getEnvVar(string $name): string {
 $storeHost = getEnvVar('DEMO_HOST');
 $parserPath = getEnvVar('PARSER_PATH');
 $appRoot = getEnvVar('APP_ROOT');
-$editKey = getEnvVar('EDIT_SECRET');
+$editKey = getEnvVar('EDIT_KEY');
 $uploadKey = getEnvVar('UPLOAD_KEY');
 $accessKey = getEnvVar('ACCESS_KEY');
 
diff --git a/test/Integration/Tests.js b/test/Integration/Tests.js
@@ -15,7 +15,7 @@ chakram.setRequestDefaults({baseUrl: root});
 
 before((done) => {
 	console.log('spawn server');
-	const server = require('child_process').spawn('php', ['-S', '0.0.0.0:8000', 'router.php'], {
+	const server = require('child_process').spawn('php', ['-d', 'post_max_size=100M', '-S', '0.0.0.0:8000', 'router.php'], {
 		cwd: __dirname + '/../',
 		env: process.env
 	});
