sneak/pixa
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Require signing_key at startup, add default config

Browse Source 
- Add config validation: signing_key required, minimum 32 characters
- Server now fails to start without valid signing_key (no more runtime errors)
- Add config.example.yml with default whitelist hosts
- Copy config to /etc/pixa/config.yml in Docker image
- Update entrypoint to use --config /etc/pixa/config.yml
- Add config.dev.yml for local Docker development
- Mount dev config in make devserver
This commit is contained in:
Jeffrey Paul
2026-01-08 15:48:37 -08:00
parent d2e2e319be
commit 02dedd433b
5 changed files with 49 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Dockerfile
View File

@@ -35,14 +35,17 @@ RUN apk add --no-cache \
# Copy binary from builder # Copy binary from builder
COPY --from=builder /pixad /usr/local/bin/pixad COPY --from=builder /pixad /usr/local/bin/pixad
# Create non-root user and data directory # Create non-root user, config directory, and data directory
RUN adduser -D -H -s /sbin/nologin pixad && \ RUN adduser -D -H -s /sbin/nologin pixad && \
mkdir -p /var/lib/pixa && \ mkdir -p /var/lib/pixa /etc/pixa && \
chown pixad:pixad /var/lib/pixa chown pixad:pixad /var/lib/pixa
# Copy default config (edit signing_key before use)
COPY config.example.yml /etc/pixa/config.yml
USER pixad USER pixad
WORKDIR /var/lib/pixa WORKDIR /var/lib/pixa
EXPOSE 8080 EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/pixad"] ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

4
Makefile
View File

@@ -49,7 +49,9 @@ docker-test:
# Run local dev server in Docker # Run local dev server in Docker
devserver: docker devserver-stop devserver: docker devserver-stop
docker run -d --name pixad-dev -p 8080:8080 pixad:latest docker run -d --name pixad-dev -p 8080:8080 \
-v $(CURDIR)/config.dev.yml:/etc/pixa/config.yml:ro \
pixad:latest
@echo "pixad running at http://localhost:8080" @echo "pixad running at http://localhost:8080"
# Stop dev server # Stop dev server

7
config.dev.yml Normal file
View File

@@ -0,0 +1,7 @@
# Development config for local Docker testing
signing_key: "dev-signing-key-minimum-32-chars!"
debug: true
allow_http: true
whitelist_hosts:
- localhost
- s3.sneak.cloud

13
config.example.yml Normal file
View File

@@ -0,0 +1,13 @@
# Pixa configuration
#
# REQUIRED: Set signing_key before starting the server.
# Generate with: openssl rand -base64 32
signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
whitelist_hosts:
- s3.sneak.cloud
- static.sneak.cloud
- sneak.berlin
- github.com
- user-images.githubusercontent.com

20
internal/config/config.go
View File

@@ -84,9 +84,29 @@ func New(_ fx.Lifecycle, params Params) (*Config, error) {
params.Logger.EnableDebugLogging() params.Logger.EnableDebugLogging()
} }
// Validate required configuration
if err := c.validate(); err != nil {
return nil, err
}
return c, nil return c, nil
} }
// validate checks that all required configuration values are set.
func (c *Config) validate() error {
if c.SigningKey == "" {
return fmt.Errorf("signing_key is required")
}
// Minimum key length for security (32 bytes = 256 bits)
const minKeyLength = 32
if len(c.SigningKey) < minKeyLength {
return fmt.Errorf("signing_key must be at least %d characters", minKeyLength)
}
return nil
}
// loadConfigFile loads configuration from PIXA_CONFIG_PATH env var or standard locations. // loadConfigFile loads configuration from PIXA_CONFIG_PATH env var or standard locations.
func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, error) { func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, error) {
// Check for explicit config path from environment // Check for explicit config path from environment