chore(secrets): load API key, connection strings, and AuthBlocks via CredentialTools across all three hosts; strip secret placeholders from appsettings.json

Daniel Harvey
2026-05-18 17:35:29 -04:00
parent 12c4046965
commit fc9bc3d607
5 changed files with 27 additions and 15 deletions
+5 -1
@@ -9,11 +9,15 @@ using DeepDrftContent.Services.FileDatabase.Services;
using DeepDrftContent.Services.Processors;
using DeepDrftCli.Services;
using DeepDrftCli.Models;
using NetBlocks.Utilities.Environment;
var builder = Host.CreateApplicationBuilder(args);
// Load configuration from environment/config.json
builder.Configuration.AddJsonFile($"{AppDomain.CurrentDomain.BaseDirectory}environment/connections.json", optional: false, reloadOnChange: true);
var connectionsPath = CredentialTools.ResolvePathOrThrow(
"connections",
Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "environment", "connections.json"));
builder.Configuration.AddJsonFile(connectionsPath, optional: false, reloadOnChange: false);
var cliSettings = builder.Configuration.GetSection(nameof(CliSettings)).Get<CliSettings>();
if (cliSettings is null) { throw new Exception("CLI settings are not configured"); }
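Review bot: The retained comment above the new call still names `environment/config.json`, but the code now resolves a credential called `connections` with a fallback under the base directory. I would replace it with `// Load the "connections" credential via CredentialTools (dev fallback: <BaseDirectory>/environment/connections.json)`. The same comment should mention that `reloadOnChange: false` means a rotated credential is only picked up on restart, so operators do not assume the old hot-reload behaviour.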
+4 -2
@@ -3,6 +3,7 @@ using DeepDrftContent.Services.FileDatabase.Services;
using DeepDrftContent.Middleware;
using DeepDrftContent.Models;
using Microsoft.AspNetCore.HttpOverrides;
using NetBlocks.Utilities.Environment;
var builder = WebApplication.CreateBuilder(args);
@@ -31,8 +32,9 @@ builder.Services.AddCors(options =>
});
});
// Load API key configuration
builder.Configuration.AddJsonFile("environment/apikey.json", optional: false, reloadOnChange: true);
// Load API key via CredentialTools (dev: environment/apikey.json; prod: CREDENTIALS_DIRECTORY/apikey)
var apiKeyPath = CredentialTools.ResolvePathOrThrow("apikey", "environment/apikey.json");
builder.Configuration.AddJsonFile(apiKeyPath, optional: false, reloadOnChange: false);
var apiKeySettings = builder.Configuration.GetSection(nameof(ApiKeySettings)).Get<ApiKeySettings>();
if (apiKeySettings is null) { throw new Exception("API key settings are not configured"); }
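Review bot: The only validation after loading the credential is the `is null` check on the bound section, so a credential file with an empty or leftover placeholder key would still pass startup. The file is now the single source of the key, so I would fail fast on a blank value right after the null check, e.g. `if (string.IsNullOrWhiteSpace(apiKeySettings.ApiKey)) { throw new Exception("API key is empty"); }`. The property name is assumed, since `ApiKeySettings` is not visible in this diff. How the middleware compares the key is also outside this hunk, so whether a blank key would be accepted is unconfirmed.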
+3 -1
@@ -6,6 +6,7 @@ using DeepDrftContent.Services.FileDatabase.Services;
using DeepDrftContent.Services.Processors;
using DeepDrftContent.Models;
using Microsoft.Extensions.Logging;
using NetBlocks.Utilities.Environment;
namespace DeepDrftContent
{
@@ -19,7 +20,8 @@ namespace DeepDrftContent
builder.Services.AddSingleton<TrackService>();
// File Database
builder.Configuration.AddJsonFile("environment/filedatabase.json", optional: false, reloadOnChange: true);
var fileDatabasePath = CredentialTools.ResolvePathOrThrow("filedatabase", "environment/filedatabase.json");
builder.Configuration.AddJsonFile(fileDatabasePath, optional: false, reloadOnChange: false);
var fileDatabaseSettings = builder.Configuration.GetSection(nameof(FileDatabaseSettings)).Get<FileDatabaseSettings>();
if (fileDatabaseSettings is null) { throw new Exception("File database settings are not configured"); }
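Review bot: The fallback passed to `ResolvePathOrThrow` is the relative path `"environment/filedatabase.json"`, whereas the CLI host anchors its fallback to `AppDomain.CurrentDomain.BaseDirectory`. `AddJsonFile` resolves a relative path against the configuration base path, but any existence check inside `ResolvePathOrThrow` (not visible here) would presumably use the process working directory, so the two can disagree when the service is started from another directory. Anchoring the fallback explicitly, e.g. `Path.Combine(builder.Environment.ContentRootPath, "environment", "filedatabase.json")` if this builder exposes `Environment`, keeps the file from being picked up from an unintended location. The same relative fallbacks appear in the two web host `Program.cs` sections, and the enclosing method starts and ends outside this hunk.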
+15 -5
@@ -5,6 +5,7 @@ using DeepDrftWeb;
using MudBlazor.Services;
using DeepDrftWeb.Components;
using Microsoft.AspNetCore.HttpOverrides;
using NetBlocks.Utilities.Environment;
var builder = WebApplication.CreateBuilder(args);
@@ -13,11 +14,20 @@ builder.Services.AddMudServices();
builder.Services.AddCmsServices();
// CMS → DeepDrftContent calls require the DeepDrftContent ApiKey. Loaded from a
// gitignored environment file, same shape as DeepDrftContent/environment/apikey.json.
// Optional so the file's absence in non-CMS dev does not fail boot; missing key is
// surfaced when Startup.ConfigureDomainServices binds the CMS HttpClient.
builder.Configuration.AddJsonFile("environment/apikey.json", optional: true, reloadOnChange: true);
// Required credential files — must exist before the app will start.
// In dev: create the three files under DeepDrftWeb/environment/ (gitignored).
// In prod: systemd CREDENTIALS_DIRECTORY points to encrypted credential blobs.
// - environment/apikey.json: { "DeepDrftContent": { "ApiKey": "..." } }
// - environment/connections.json: { "ConnectionStrings": { "DefaultConnection": "...", "Auth": "..." } }
// - environment/authblocks.json: { "AuthBlocks": { "Jwt": {...}, "Email": {...}, "Admin": {...} } }
var apiKeyPath = CredentialTools.ResolvePathOrThrow("apikey", "environment/apikey.json");
builder.Configuration.AddJsonFile(apiKeyPath, optional: false, reloadOnChange: false);
var connectionsPath = CredentialTools.ResolvePathOrThrow("connections", "environment/connections.json");
builder.Configuration.AddJsonFile(connectionsPath, optional: false, reloadOnChange: false);
var authBlocksPath = CredentialTools.ResolvePathOrThrow("authblocks", "environment/authblocks.json");
builder.Configuration.AddJsonFile(authBlocksPath, optional: false, reloadOnChange: false);
var baseUrl = builder.GetKestrelUrl();
var contentApiUrl = builder.Configuration["ApiUrls:ContentApi"] ?? throw new Exception("Content API URL is not configured");
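Review bot: The new comment says the three files under `DeepDrftWeb/environment/` are gitignored, but none of the five changed files is a `.gitignore`, and `connections.json` and `authblocks.json` are new to this host. Please confirm the existing ignore rule covers the whole `environment/` directory rather than only `apikey.json`; otherwise a developer's connection string or JWT material could be committed by accident. It would also help to state in the comment that `apikey.json` changed from `optional: true` to required, e.g. `// apikey.json is no longer optional: non-CMS dev setups must create it too.`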
-6
@@ -6,15 +6,9 @@
}
},
"AllowedHosts": "*",
"ConnectionStrings": {
"DefaultConnection": "Host=localhost;Port=5433;Database=postgres;Username=postgres;Password=REPLACE_IN_ENV"
},
"ApiUrls": {
"ContentApi": "http://localhost:12777/"
},
"DeepDrftContent": {
"ApiKey": "REPLACE_IN_ENV"
},
"ForwardedHeaders": {
"DisableHttpsRedirection": "true"
}