Pull secrets from env vars

2026-02-03 16:43:45 +00:00 · 2026-02-02 21:39:18 -08:00
parent f5f757e4bd
commit bf5dd3b0a1
5 changed files with 33 additions and 38 deletions
--- a/server/lib/getEnvOrYaml.ts
+++ b/server/lib/getEnvOrYaml.ts
@@ -0,0 +1,3 @@
+export const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
+    return process.env[envVar] ?? valFromYaml;
+};
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -3,13 +3,10 @@ import yaml from "js-yaml";
 import { configFilePath1, configFilePath2 } from "./consts";
 import { z } from "zod";
 import stoi from "./stoi";
+import { getEnvOrYaml } from "./getEnvOrYaml";

 const portSchema = z.number().positive().gt(0).lte(65535);

-const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
-    return process.env[envVar] ?? valFromYaml;
-};
-
 export const configSchema = z
    .object({
        app: z
@@ -311,7 +308,10 @@ export const configSchema = z
            .object({
                smtp_host: z.string().optional(),
                smtp_port: portSchema.optional(),
-                smtp_user: z.string().optional(),
+                smtp_user: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("EMAIL_SMTP_USER")),
                smtp_pass: z
                    .string()
                    .optional()
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -19,7 +19,6 @@ import * as fs from "fs";
 import logger from "@server/logger";
 import cache from "@server/lib/cache";

-let encryptionKeyPath = "";
 let encryptionKeyHex = "";
 let encryptionKey: Buffer;
 function loadEncryptData() {
@@ -27,15 +26,7 @@ function loadEncryptData() {
        return; // already loaded
    }

-    encryptionKeyPath = config.getRawPrivateConfig().server.encryption_key_path;
-
-    if (!fs.existsSync(encryptionKeyPath)) {
-        throw new Error(
-            "Encryption key file not found. Please generate one first."
-        );
-    }
-
-    encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim();
+    encryptionKeyHex = config.getRawPrivateConfig().server.encryption_key;
    encryptionKey = Buffer.from(encryptionKeyHex, "hex");
 }

--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -17,6 +17,7 @@ import { privateConfigFilePath1 } from "@server/lib/consts";
 import { z } from "zod";
 import { colorsSchema } from "@server/lib/colorsSchema";
 import { build } from "@server/build";
+import { getEnvOrYaml } from "@server/lib/getEnvOrYaml";

 const portSchema = z.number().positive().gt(0).lte(65535);

@@ -32,19 +33,25 @@ export const privateConfigSchema = z.object({
        }),
    server: z
        .object({
-            encryption_key_path: z
+            encryption_key: z
                .string()
                .optional()
-                .default("./config/encryption.pem")
-                .pipe(z.string().min(8)),
-            resend_api_key: z.string().optional(),
-            reo_client_id: z.string().optional(),
-            fossorial_api_key: z.string().optional()
+                .transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY")),
+            resend_api_key: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("RESEND_API_KEY")),
+            reo_client_id: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("REO_CLIENT_ID")),
+            fossorial_api_key: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
        })
        .optional()
-        .default({
-            encryption_key_path: "./config/encryption.pem"
-        }),
+        .prefault({}),
    redis: z
        .object({
            host: z.string(),
@@ -157,8 +164,11 @@ export const privateConfigSchema = z.object({
        .optional(),
    stripe: z
        .object({
-            secret_key: z.string(),
-            webhook_secret: z.string(),
+            secret_key: z.string().optional().transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
+            webhook_secret: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
            s3Bucket: z.string(),
            s3Region: z.string().default("us-east-1"),
            localFilePath: z.string()
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -186,7 +186,7 @@ export type ResourceWithAuth = {
    password: ResourcePassword | null;
    headerAuth: ResourceHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
-    org: Org
+    org: Org;
 };

 export type UserSessionWithUser = {
@@ -270,7 +270,6 @@ hybridRouter.get(
    }
 );

-let encryptionKeyPath = "";
 let encryptionKeyHex = "";
 let encryptionKey: Buffer;
 function loadEncryptData() {
@@ -278,16 +277,8 @@ function loadEncryptData() {
        return; // already loaded
    }

-    encryptionKeyPath =
-        privateConfig.getRawPrivateConfig().server.encryption_key_path;
-
-    if (!fs.existsSync(encryptionKeyPath)) {
-        throw new Error(
-            "Encryption key file not found. Please generate one first."
-        );
-    }
-
-    encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim();
+    encryptionKeyHex =
+        privateConfig.getRawPrivateConfig().server.encryption_key;
    encryptionKey = Buffer.from(encryptionKeyHex, "hex");
 }