dynamic generation of jwt

dispatcharr/settings.py

@@ -4,7 +4,7 @@ from datetime import timedelta
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 
-SECRET_KEY = "REPLACE_ME_WITH_A_REAL_SECRET"
+SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY")
 REDIS_HOST = os.environ.get("REDIS_HOST", "localhost")
 REDIS_DB = os.environ.get("REDIS_DB", "0")
 

docker/entrypoint.sh

@@ -40,6 +40,7 @@ export REDIS_DB=${REDIS_DB:-0}
 export DISPATCHARR_PORT=${DISPATCHARR_PORT:-9191}
 export LIBVA_DRIVERS_PATH='/usr/local/lib/x86_64-linux-gnu/dri'
 export LD_LIBRARY_PATH='/usr/local/lib'
+export SECRET_FILE="/data/jwt"
 
 # Process priority configuration
 # UWSGI_NICE_LEVEL: Absolute nice value for uWSGI/streaming (default: 0 = normal priority)
@@ -128,6 +129,8 @@ echo "Setting up PostgreSQL..."
 echo "Starting init process..."
 . /app/docker/init/03-init-dispatcharr.sh
 
+export DJANGO_SECRET_KEY="$(cat "$SECRET_FILE")"
+
 # Start PostgreSQL
 echo "Starting Postgres..."
 su - postgres -c "$PG_BINDIR/pg_ctl -D ${POSTGRES_DIR} start -w -t 300 -o '-c port=${POSTGRES_PORT}'"

docker/init/03-init-dispatcharr.sh

@@ -30,6 +30,21 @@ if [ "$(id -u)" = "0" ] && [ -d "/app" ]; then
     fi
 fi
 
+if [ ! -f "$SECRET_FILE" ]; then
+  umask 077
+  tmpfile="$(mktemp "${SECRET_FILE}.XXXXXX")" || { echo "mktemp failed"; exit 1; }
+  python3 - <<'PY' >"$tmpfile" || { echo "secret generation failed"; rm -f "$tmpfile"; exit 1; }
+import secrets
+print(secrets.token_urlsafe(64))
+PY
+  mv -f "$tmpfile" "$SECRET_FILE" || { echo "move failed"; rm -f "$tmpfile"; exit 1; }
+fi
+
+chmod 600 "$SECRET_FILE" || true
+
+# Export for app start (read the file)
+export DJANGO_SECRET_KEY="$(cat "$SECRET_FILE")"
+
 sed -i "s/NGINX_PORT/${DISPATCHARR_PORT}/g" /etc/nginx/sites-enabled/default
 
 # NOTE: mac doesn't run as root, so only manage permissions
@@ -64,4 +79,4 @@ if [ "$(id -u)" = "0" ]; then
     fi
 
     chmod +x /data
-fi
+fi