Merge pull request #34 from go-bazzinga/fix-env-setup

secrets will remain in memory and other args will be baked with container.
secrets will be passed from github secrets to fly secrets and will be available via fly host (encrypted) and decrypted inside container at runtime.

.github/workflows/deploy-to-production-on-merge-to-main.yaml

@@ -34,24 +34,11 @@ jobs:
           LEPTOS_BIN_TARGET_TRIPLE: x86_64-unknown-linux-gnu
         run: cargo leptos build --release
       - uses: superfly/flyctl-actions/setup-flyctl@master
-      - name: config setup
-        run: |
-          echo auth_ic_url = \"https://ic0.app\" > AuthConfig.toml
-          echo auth_sign_key = \"$AUTH_SIGN_KEY\" >> AuthConfig.toml
-          echo cloudflare_namespace_identifier = \"$CLOUDFLARE_NAMESPACE_IDENTIFIER\" >> AuthConfig.toml
-          echo cloudflare_api_token = \"$CLOUDFLARE_API_TOKEN\" >> AuthConfig.toml
-          echo cloudflare_account_identifier = \"$CLOUDFLARE_ACCOUNT_IDENTIFIER\" >> AuthConfig.toml
-          echo google_client_id = \"$GOOGLE_CLIENT_ID\" >> AuthConfig.toml
-          echo google_client_secret = \"$GOOGLE_CLIENT_SECRET\" >> AuthConfig.toml
-          echo google_auth_landing_url = \"https://hot-or-not-auth.fly.dev/google_oauth2_response\" >> AuthConfig.toml
-        env:
-          AUTH_SIGN_KEY: ${{ secrets.AUTH_SESSION_COOKIE_SIGNING_SECRET_KEY }}
-          CLOUDFLARE_NAMESPACE_IDENTIFIER: ${{ secrets.CLOUDFLARE_WORKERS_KV_NAMESPACE_ID }}
-          CLOUDFLARE_ACCOUNT_IDENTIFIER: ${{ secrets.CLOUDFLARE_WORKERS_KV_ACCOUNT_ID }}
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_SECRET }}
-          GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_SIGNING_OAUTH_CLIENT_CREDENTIAL_CLIENT_ID }}
-          GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_SIGNING_OAUTH_CLIENT_CREDENTIAL_CLIENT_SECRET }}
       - name: Deploy a docker container to Fly.io
         env:
           FLY_API_TOKEN: ${{ secrets.HOT_OR_NOT_AUTH_FLY_IO_GITHUB_ACTION }}
-        run: flyctl deploy --remote-only
+        run: |
+          flyctl secrets set AUTH_SIGN_KEY=${{ secrets.AUTH_SESSION_COOKIE_SIGNING_SECRET_KEY }}
+          flyctl secrets set CLOUDFLARE_API_TOKEN=${{ secrets.CLOUDFLARE_WORKERS_API_SECRET }}
+          flyctl secrets set GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_SIGNING_OAUTH_CLIENT_CREDENTIAL_CLIENT_SECRET }}
+          flyctl deploy --remote-only --build-arg CLOUDFLARE_ACCOUNT_IDENTIFIER=${{ secrets.CLOUDFLARE_WORKERS_KV_ACCOUNT_ID }} --build-arg CLOUDFLARE_NAMESPACE_IDENTIFIER=${{ secrets.CLOUDFLARE_WORKERS_KV_NAMESPACE_ID }} --build-arg GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_SIGNING_OAUTH_CLIENT_CREDENTIAL_CLIENT_ID }}

AuthConfig.toml

@@ -4,10 +4,10 @@ auth_sign_key = ""
 
 # cloudflare_configs
 cloudflare_account_identifier = ""
-cloudflare_namespace_identifier = ""
 cloudflare_api_token = ""
+cloudflare_namespace_identifier = ""
 
 # oauth_configs
+google_auth_landing_url = "http://localhost:3000/google_oauth2_response"
 google_client_id = ""
 google_client_secret = ""
-google_auth_landing_url = "http://localhost:3000/google_oauth2_response"

Dockerfile

@@ -6,6 +6,14 @@ COPY ./target/x86_64-unknown-linux-gnu/release/hot-or-not-auth .
 COPY ./target/site ./site
 COPY ./AuthConfig.toml .
 
+ARG CLOUDFLARE_ACCOUNT_IDENTIFIER
+ARG CLOUDFLARE_NAMESPACE_IDENTIFIER
+ARG GOOGLE_CLIENT_ID
+
+ENV CLOUDFLARE_ACCOUNT_IDENTIFIER=$CLOUDFLARE_ACCOUNT_IDENTIFIER
+ENV CLOUDFLARE_NAMESPACE_IDENTIFIER=$CLOUDFLARE_NAMESPACE_IDENTIFIER
+ENV GOOGLE_CLIENT_ID=$GOOGLE_CLIENT_ID
+
 ENV LEPTOS_SITE_ROOT="site"
 ENV LEPTOS_ENV="PROD"
 ENV LEPTOS_SITE_ADDR="0.0.0.0:3000"

src/init.rs

@@ -23,8 +23,7 @@ pub fn logging() {
 pub fn configure() -> AuthConfig {
     let config: AuthConfig = Figment::new()
         .merge(Toml::file("AuthConfig.toml"))
-        .merge(Env::prefixed("AUTH_"))
-        .merge(Env::prefixed("CLOUDFLARE_"))
+        .merge(Env::raw())
         .extract()
         .unwrap();
     config