From f813682d3341613fa28493ff85deb66933dd5068 Mon Sep 17 00:00:00 2001 From: Denis Lehmann Date: Sun, 12 Jun 2022 12:07:31 +0200 Subject: [PATCH] use path for secret key --- README.org | 32 ++++++++++++++++---------------- flake.nix | 9 ++++++--- raincloud/raincloud.py | 8 ++++++-- 3 files changed, 28 insertions(+), 21 deletions(-) diff --git a/README.org b/README.org index 96431e5..2883f6f 100644 --- a/README.org +++ b/README.org @@ -50,7 +50,7 @@ First set up a [[https://redis.io/][Redis]] server which will be used for server-side session caching. Then a WSGI server like [[https://gunicorn.org/][Gunicorn]] can be used to serve /raincloud/ for example like this: - : $ gunicorn "raincloud:create_app(base_path='public', secret_key='i_am_a_key', redis_url='redis://127.0.0.1:6379/0')" + : $ gunicorn "raincloud:create_app(base_path='public', secret_key_path='secret_key', redis_url='redis://127.0.0.1:6379/0')" *** NixOS @@ -71,7 +71,7 @@ services.raincloud = { enable = true; basePath = "/var/lib/raincloud"; - secretKey = "i_am_a_key"; + secretKeyPath = "/var/lib/raincloud/secret_key"; redisUrl = "unix:/run/redis-raincloud/redis.sock"; }; } 
@@ -79,18 +79,18 @@ All configuration options are: - | Option | Description | Type | Default value | Example | - |-----------------+---------------------------------------------------------------+-------+----------------------------+-------------------------------| - | =address= | Bind address of the server | =str= | =127.0.0.1= | =0.0.0.0= | - | =port= | Port on which the server listens | =int= | =8000= | =5000= | - | =user= | User under which the server runs | =str= | =raincloud= | =alice= | - | =group= | Group under which the server runs | =str= | =raincloud= | =users= | - | =cloudName= | Name of the raincloud | =str= | =raincloud= | =bobsCloud= | - | =basePath= | Base path of the raincloud | =str= | | =/var/lib/raincloud= | - | =secretKey= | Flask secret key | =str= | | =i_am_a_key= | - | =redisUrl= | URL of Redis database | =str= | =redis://127.0.0.1:6379/0= | =redis://my_db_server:6379/0= | - | =numWorkers= | Number of Gunicorn workers (recommendation is: 2 x #CPUs + 1) | =int= | =5= | =17= | - | =workerTimeout= | Gunicorn worker timeout | =int= | =300= | =360= | + | Option | Description | Type | Default value | Example | + |-----------------+---------------------------------------------------------------+-------+----------------------------+----------------------------------------| + | =address= | Bind address of the server | =str= | =127.0.0.1= | =0.0.0.0= | + | =port= | Port on which the server listens | =int= | =8000= | =5000= | + | =user= | User under which the server runs | =str= | =raincloud= | =alice= | + | =group= | Group under which the server runs | =str= | =raincloud= | =users= | + | =cloudName= | Name of the raincloud | =str= | =raincloud= | =bobsCloud= | + | =basePath= | Base path of the raincloud | =str= | | =/var/lib/raincloud= | + | =secretKeyPath= | Path to file containing Flask secret key | =str= | | =/var/lib/raincloud/secret_key= | + | =redisUrl= | URL of Redis database | =str= | =redis://127.0.0.1:6379/0= | 
=unix:/run/redis-raincloud/redis.sock= | + | =numWorkers= | Number of Gunicorn workers (recommendation is: 2 x #CPUs + 1) | =int= | =5= | =17= | + | =workerTimeout= | Gunicorn worker timeout | =int= | =300= | =360= | *** Docker @@ -116,12 +116,12 @@ /raincloud/ provides four configuration options which can be passed to =raincloud.create_app()=: - =base_path= :: Base path of the raincloud - - =secret_key= :: Flask secret key + - =secret_key_path= :: Path to file containing Flask secret key - =redis_url= :: URL of redis database (default: =redis://127.0.0.1:6379/0=) - =cloud_name= :: Cloud name (default: =raincloud=) Set them for example like this: - : >>> app = raincloud.create_app(base_path='/home/alice/public', secret_key='i_am_a_key', redis_url='redis://127.0.0.1:6379/0', cloud_name='raincloud') + : >>> app = raincloud.create_app(base_path='/home/alice/public', secret_key_path='/var/lib/raincloud/secret_key', redis_url='redis://127.0.0.1:6379/0', cloud_name='raincloud') *** =rc.conf= :properties: diff --git a/flake.nix b/flake.nix index f6f81a1..e629ca6 100644 --- a/flake.nix +++ b/flake.nix @@ -59,17 +59,20 @@ basePath = mkOption { type = types.str; + example = "/var/lib/raincloud" description = "Base path of the raincloud"; }; - secretKey = mkOption { + secretKeyPath = mkOption { type = types.str; - description = "Flask secret key"; + example = "/var/lib/raincloud/secret_key"; + description = "Path to file containing Flask secret key"; }; redisUrl = mkOption { type = types.str; default = "redis://127.0.0.1:6379/0"; + example = "unix:/run/redis-raincloud/redis.sock"; description = "URL of Redis database"; }; 
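Review bot: The added `example = "/var/lib/raincloud"` line under basePath has no terminating semicolon, so the module does not parse and every evaluation of the flake fails; it should read `example = "/var/lib/raincloud";`, like the two other example lines this hunk adds. The new secretKeyPath description could also state what the module does not enforce, e.g. `description = "Path to a file containing the Flask secret key; must be readable by the service user and should not be world-readable";`, since a missing or unreadable file only surfaces as a traceback when gunicorn imports the app at start-up. Keeping the option as `types.str` rather than `types.path` is the right choice: a path-typed option given an unquoted path literal would copy the key file into the world-readable Nix store. The blank lines between the option definitions appear to have been dropped from this rendering, so the hunk's exact layout is inferred.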
@@ -115,7 +118,7 @@
 PermissionsStartOnly = true;
 ExecStart = ''
- ${gunicorn}/bin/gunicorn "raincloud:create_app('${cfg.basePath}', '${cfg.secretKey}', '${cfg.redisUrl}', '${cfg.cloudName}')" \
+ ${gunicorn}/bin/gunicorn "raincloud:create_app('${cfg.basePath}', '${cfg.secretKeyPath}', '${cfg.redisUrl}', '${cfg.cloudName}')" \
 --workers ${toString cfg.numWorkers} \
 --timeout ${toString cfg.workerTimeout} \
 --bind=${cfg.address}:${toString cfg.port}
diff --git a/raincloud/raincloud.py b/raincloud/raincloud.py
index aa06bf6..7938e7f 100755
--- a/raincloud/raincloud.py
+++ b/raincloud/raincloud.py
@@ -18,12 +18,16 @@ import werkzeug
 def create_app(
- base_path, secret_key, redis_url="redis://127.0.0.1:6379/0", cloud_name="raincloud"
+ base_path,
+ secret_key_path,
+ redis_url="redis://127.0.0.1:6379/0",
+ cloud_name="raincloud",
 ):
 # Create app
 app = Flask(__name__)
- app.config["SECRET_KEY"] = secret_key
+ with open(secret_key_path, "r") as secret_key_file:
+ app.config["SECRET_KEY"] = secret_key_file.readline()
 # Create handlers
 dh = DirectoryHandler(base_path)
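Review bot: `secret_key_file.readline()` on the new line keeps the trailing newline and accepts an empty file, so the effective SECRET_KEY depends on whether the key file ends in a newline, and an empty file yields an empty key, which Flask treats as unset — sessions then fail at the first request instead of at app creation. Read the whole file, strip surrounding whitespace and refuse an empty result, and pass an explicit `encoding` so the key does not depend on the locale. A short docstring on create_app stating that secret_key_path names a file whose contents are the Flask secret key would also help, since the parameter replaces a plain string. create_app continues past the end of the hunk.
```python
    with open(secret_key_path, "r", encoding="utf-8") as secret_key_file:
        secret_key = secret_key_file.read().strip()
    if not secret_key:
        raise ValueError(f"secret key file is empty: {secret_key_path!r}")
    app.config["SECRET_KEY"] = secret_key
    # … unchanged: handler setup …
```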