From 540e456704217281da06690045cfc29964e2b93a Mon Sep 17 00:00:00 2001
From: forehalo
Date: Thu, 21 Mar 2024 10:09:25 +0000
Subject: [PATCH] ci: set private key from env (#6239)
---
.github/actions/deploy/deploy.mjs | 2 +-
.../charts/graphql/templates/_helpers.tpl | 15 ------------
.../charts/graphql/templates/deployment.yaml | 6 ++---
.../charts/graphql/templates/jwt-secret.yaml | 7 ------
.../charts/graphql/templates/secret.yaml | 18 +++++++++++++++
.../helm/affine/charts/graphql/values.yaml | 4 ----
.../charts/sync/templates/deployment.yaml | 7 ++++--
.github/helm/affine/charts/sync/values.yaml | 1 -
.github/helm/affine/values.yaml | 3 +++
docs/developing-server.md | 1 -
.../server/scripts/self-host-predeploy.js | 23 +++++++++++++++++++
.../server/src/fundamentals/config/default.ts | 7 +++---
tests/affine-cloud/playwright.config.ts | 1 -
.../affine-desktop-cloud/playwright.config.ts | 1 -
14 files changed, 56 insertions(+), 40 deletions(-)
delete mode 100644 .github/helm/affine/charts/graphql/templates/jwt-secret.yaml
create mode 100644 .github/helm/affine/charts/graphql/templates/secret.yaml
diff --git a/.github/actions/deploy/deploy.mjs b/.github/actions/deploy/deploy.mjs
index c2fa7608f1..8940592502 100644
--- a/.github/actions/deploy/deploy.mjs
+++ b/.github/actions/deploy/deploy.mjs
@@ -111,7 +111,7 @@ const createHelmCommand = ({ isDryRun }) => {
 `--set-string graphql.app.oauth.google.clientSecret="${AFFINE_GOOGLE_CLIENT_SECRET}"`,
 `--set-string graphql.app.payment.stripe.apiKey="${STRIPE_API_KEY}"`,
 `--set-string graphql.app.payment.stripe.webhookKey="${STRIPE_WEBHOOK_KEY}"`,
- `--set graphql.app.experimental.enableJwstCodec=${isInternal}`,
+ `--set graphql.app.experimental.enableJwstCodec=${namespace === 'dev'}`,
 `--set graphql.app.features.earlyAccessPreview=false`,
 `--set graphql.app.features.syncClientVersionCheck=true`,
 `--set sync.replicaCount=${syncReplicaCount}`,
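Review bot: The switch from `${isInternal}` to `${namespace === 'dev'}` on the enableJwstCodec line changes which environments run the experimental codec, and neither the commit subject nor the hunk explains it; a one-line comment above that array element, such as `// the experimental codec is only enabled in the dev namespace`, would record the intent for the next person editing this list. If this was the last use of `isInternal`, that binding is presumably now unused and can be dropped. createHelmCommand starts and ends outside the hunk, so that cannot be confirmed here.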
diff --git a/.github/helm/affine/charts/graphql/templates/_helpers.tpl b/.github/helm/affine/charts/graphql/templates/_helpers.tpl
index 3e9d608e14..ee3254da8e 100644
--- a/.github/helm/affine/charts/graphql/templates/_helpers.tpl
+++ b/.github/helm/affine/charts/graphql/templates/_helpers.tpl
@@ -61,18 +61,3 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{- define "jwt.key" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.jwt.secretName -}}
-{{- if and $secret $secret.data.private -}}
-{{/*
- Reusing existing secret data
-*/}}
-key: {{ $secret.data.private }}
-{{- else -}}
-{{/*
- Generate new data
-*/}}
-key: {{ genPrivateKey "ecdsa" | b64enc }}
-{{- end -}}
-{{- end -}}
diff --git a/.github/helm/affine/charts/graphql/templates/deployment.yaml b/.github/helm/affine/charts/graphql/templates/deployment.yaml
index 5cc2d61ba1..5553d2f1a6 100644
--- a/.github/helm/affine/charts/graphql/templates/deployment.yaml
+++ b/.github/helm/affine/charts/graphql/templates/deployment.yaml
@@ -28,10 +28,10 @@ spec:
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
- - name: AUTH_PRIVATE_KEY
+ - name: AFFINE_PRIVATE_KEY
 valueFrom:
 secretKeyRef:
- name: "{{ .Values.app.jwt.secretName }}"
+ name: "{{ .Values.global.secret.secretName }}"
 key: key
 - name: NODE_ENV
 value: "{{ .Values.env }}"
@@ -45,8 +45,6 @@ spec:
 value: "graphql"
 - name: AFFINE_ENV
 value: "{{ .Release.Namespace }}"
- - name: NEXTAUTH_URL
- value: "{{ .Values.global.ingress.host }}"
 - name: DATABASE_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/.github/helm/affine/charts/graphql/templates/jwt-secret.yaml b/.github/helm/affine/charts/graphql/templates/jwt-secret.yaml
deleted file mode 100644
index 74d11faecb..0000000000
--- a/.github/helm/affine/charts/graphql/templates/jwt-secret.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: "{{ .Values.app.jwt.secretName }}"
-type: Opaque
-data:
-{{- ( include "jwt.key" . ) | indent 2 -}}
diff --git a/.github/helm/affine/charts/graphql/templates/secret.yaml b/.github/helm/affine/charts/graphql/templates/secret.yaml
new file mode 100644
index 0000000000..338f7f1e52
--- /dev/null
+++ b/.github/helm/affine/charts/graphql/templates/secret.yaml
@@ -0,0 +1,18 @@
+{{- $privateKey := default (genPrivateKey "ecdsa") .Values.global.secret.privateKey | b64enc | quote }}
+
+{{- if not .Values.global.secret.privateKey }}
+{{- $existingKey := (lookup "v1" "Secret" .Release.Namespace .Values.global.secret.secretName) }}
+{{- if $existingKey }}
+{{- $privateKey = index $existingKey.data "key" }}
+{{- end -}}
+{{- end -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.global.secret.secretName }}
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+ key: {{ $privateKey }}
diff --git a/.github/helm/affine/charts/graphql/values.yaml b/.github/helm/affine/charts/graphql/values.yaml
index a4f01e653a..f4ca76a970 100644
--- a/.github/helm/affine/charts/graphql/values.yaml
+++ b/.github/helm/affine/charts/graphql/values.yaml
@@ -19,10 +19,6 @@ app:
 https: true
 doc:
 mergeInterval: "3000"
- jwt:
- secretName: jwt-private-key
- # base64 encoded ecdsa private key
- privateKey: ''
 captcha:
 enable: false
 secretName: captcha
diff --git a/.github/helm/affine/charts/sync/templates/deployment.yaml b/.github/helm/affine/charts/sync/templates/deployment.yaml
index 1952c8b8cf..19c62df680 100644
--- a/.github/helm/affine/charts/sync/templates/deployment.yaml
+++ b/.github/helm/affine/charts/sync/templates/deployment.yaml
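Review bot: The `lookup` on the fourth line of the new secret.yaml only reuses a key stored under `.Values.global.secret.secretName`, so a release upgraded from the previous chart, which kept its key in the `jwt-private-key` Secret whose template this commit deletes (Helm would then remove that Secret during the upgrade), gets a freshly generated key unless `global.secret.privateKey` is set from the old value first; everything signed with the old key stops verifying at that moment. That migration step belongs in a template comment or the chart's notes. Two smaller points: the reused value on the `index $existingKey.data "key"` line is not passed through `quote` while the generated branch is, so `key: {{ $privateKey }}` renders the two cases differently — `{{- $privateKey = index $existingKey.data "key" | quote }}` keeps them consistent; and `lookup` returns nothing under `helm template` or `--dry-run`, so a dry run always shows a new key, which is worth a comment given deploy.mjs has an `isDryRun` mode.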
@@ -32,6 +32,11 @@ spec:
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
+ - name: AFFINE_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.global.secret.secretName }}"
+ key: key
 - name: NODE_ENV
 value: "{{ .Values.env }}"
 - name: NO_COLOR
@@ -40,8 +45,6 @@ spec:
 value: "affine"
 - name: SERVER_FLAVOR
 value: "sync"
- - name: NEXTAUTH_URL
- value: "{{ .Values.global.ingress.host }}"
 - name: AFFINE_ENV
 value: "{{ .Release.Namespace }}"
 - name: DATABASE_PASSWORD
diff --git a/.github/helm/affine/charts/sync/values.yaml b/.github/helm/affine/charts/sync/values.yaml
index 513a512cb2..67c29939b6 100644
--- a/.github/helm/affine/charts/sync/values.yaml
+++ b/.github/helm/affine/charts/sync/values.yaml
@@ -12,7 +12,6 @@ env: 'production'
 app:
 # AFFINE_SERVER_HOST
 host: '0.0.0.0'
-
 serviceAccount:
 create: true
 annotations: {}
diff --git a/.github/helm/affine/values.yaml b/.github/helm/affine/values.yaml
index 7326f7029a..87037a631d 100644
--- a/.github/helm/affine/values.yaml
+++ b/.github/helm/affine/values.yaml
@@ -4,6 +4,9 @@ global:
 className: ''
 host: affine.pro
 tls: []
+ secret:
+ secretName: 'server-private-key'
+ privateKey: ''
 database:
 user: 'postgres'
 url: 'pg-postgresql'
diff --git a/docs/developing-server.md b/docs/developing-server.md
index 9f58a4af46..ad3c364a8c 100644
--- a/docs/developing-server.md
+++ b/docs/developing-server.md
@@ -55,7 +55,6 @@ When logging in via email, you will see the mail arriving at localhost:8025 in a
 
 ```
 DATABASE_URL="postgresql://affine:affine@localhost:5432/affine"
-NEXTAUTH_URL="http://localhost:8080"
 MAILER_SENDER="noreply@toeverything.info"
 MAILER_USER="auth"
 MAILER_PASSWORD="auth"
diff --git a/packages/backend/server/scripts/self-host-predeploy.js b/packages/backend/server/scripts/self-host-predeploy.js
index 6d2cf55749..b5e5d1ff80 100644
--- a/packages/backend/server/scripts/self-host-predeploy.js
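Review bot: The added `secretKeyRef` in the sync deployment points at `.Values.global.secret.secretName`, but the Secret that backs it is templated inside the graphql subchart (`charts/graphql/templates/secret.yaml` in this commit), so sync pods cannot start when the sync chart is installed or upgraded without the graphql chart — the kubelet cannot resolve the referenced Secret. Moving the Secret to the parent chart's templates, next to where `global.secret` is declared, removes that dependency; at minimum a comment on the added block should say which chart creates the Secret, e.g. `# created by the graphql subchart's secret.yaml`.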
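Review bot: `privateKey: ''` in the new `global.secret` block carries no description of the expected format, and the format changed with this commit: the removed graphql value was documented as `# base64 encoded ecdsa private key`, whereas the new secret template pipes the value through `b64enc` itself, so it now expects raw PEM text. A base64 string carried over from the old setting would be double-encoded and rejected by the server's `createPrivateKey` at startup. Suggest `# PEM-encoded EC private key (same text as AFFINE_PRIVATE_KEY); leave empty to reuse the existing Secret or let the chart generate one` above the field.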
+++ b/packages/backend/server/scripts/self-host-predeploy.js
@@ -1,7 +1,10 @@
 import { execSync } from 'node:child_process';
+import { generateKeyPairSync } from 'node:crypto';
 import fs from 'node:fs';
 import path from 'node:path';
 
+import { parse } from 'dotenv';
+
 const SELF_HOST_CONFIG_DIR = '/root/.affine/config';
 /**
 * @type {Array<{ from: string; to?: string, modifier?: (content: string): string }>}
@@ -36,6 +39,26 @@ function prepare() {
 });
 }
 }
+
+ // make the default .env
+ if (to === '.env') {
+ const dotenvFile = fs.readFileSync(targetFilePath, 'utf-8');
+ const envs = parse(dotenvFile);
+ // generate a new private key
+ if (!envs.AFFINE_PRIVATE_KEY) {
+ const privateKey = generateKeyPairSync('ec', {
+ namedCurve: 'prime256v1',
+ }).privateKey.export({
+ type: 'sec1',
+ format: 'pem',
+ });
+
+ fs.writeFileSync(
+ targetFilePath,
+ `AFFINE_PRIVATE_KEY=${privateKey}\n` + dotenvFile
+ );
+ }
+ }
 }
 }
 
diff --git a/packages/backend/server/src/fundamentals/config/default.ts b/packages/backend/server/src/fundamentals/config/default.ts
index 7cb4e938a3..b06aad366d 100644
--- a/packages/backend/server/src/fundamentals/config/default.ts
+++ b/packages/backend/server/src/fundamentals/config/default.ts
@@ -25,9 +25,10 @@ AwEHoUQDQgAEF3U/0wIeJ3jRKXeFKqQyBKlr9F7xaAUScRrAuSP33rajm3cdfihI
 
 const ONE_DAY_IN_SEC = 60 * 60 * 24;
 const keyPair = (function () {
- const AUTH_PRIVATE_KEY = process.env.AUTH_PRIVATE_KEY ?? examplePrivateKey;
+ const AFFINE_PRIVATE_KEY =
+ process.env.AFFINE_PRIVATE_KEY ?? examplePrivateKey;
 const privateKey = createPrivateKey({
- key: Buffer.from(AUTH_PRIVATE_KEY),
+ key: Buffer.from(AFFINE_PRIVATE_KEY),
 format: 'pem',
 type: 'sec1',
 })
@@ -37,7 +38,7 @@ const keyPair = (function () {
 })
 .toString('utf8');
 const publicKey = createPublicKey({
- key: Buffer.from(AUTH_PRIVATE_KEY),
+ key: Buffer.from(AFFINE_PRIVATE_KEY),
 format: 'pem',
 type: 'spki',
 })
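Review bot: `import { parse } from 'dotenv'` turns this predeploy script, which previously used only `node:` builtins, into one that needs a third-party package at runtime inside the self-host image; that is only safe if `dotenv` is a regular (not dev) dependency of the server package and shipped in the image, which the hunk cannot show. Since the parse result is used for a single existence check, a comment such as `// dotenv is only used to detect an already-present AFFINE_PRIVATE_KEY` would tell the reader why the dependency was taken on.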
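Review bot: The key written on the `fs.writeFileSync` line is a multi-line PEM but is emitted unquoted as `AFFINE_PRIVATE_KEY=${privateKey}`, and the dotenv grammar the script itself parses with reads an unquoted value only to the end of its line; any consumer using the same parser gets `-----BEGIN EC PRIVATE KEY-----` as the whole value and the server's `createPrivateKey` call fails on first start. Wrapping the value in double quotes, which recent dotenv versions accept for multi-line values, fixes it: `` `AFFINE_PRIVATE_KEY="${privateKey}"\n` + dotenvFile ``. The rewrite also leaves the file with whatever mode it already had even though it now holds a signing key; a `fs.chmodSync(targetFilePath, 0o600)` after the write is appropriate, since the `mode` option of writeFileSync only applies when the file is created. The enclosing `prepare()` starts outside the hunk.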
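Review bot: After the rename on the `process.env.AFFINE_PRIVATE_KEY ?? examplePrivateKey` line, a deployment that still exports the old `AUTH_PRIVATE_KEY` silently falls back to `examplePrivateKey`, a key that is checked into this file, so whatever the server signs with `keyPair` would be signed with a publicly known key and nothing in the log shows it; the second hunk of this file only follows the rename and has the same exposure. A guard beside the fallback, e.g. `if (!process.env.AFFINE_PRIVATE_KEY && process.env.AUTH_PRIVATE_KEY) throw new Error('AUTH_PRIVATE_KEY was renamed to AFFINE_PRIVATE_KEY');`, or at least a warning whenever the example key is used outside development, would make the migration fail loudly instead. The `keyPair` IIFE continues past the hunk.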
diff --git a/tests/affine-cloud/playwright.config.ts b/tests/affine-cloud/playwright.config.ts
index 37666a5ad2..7c7f0d46db 100644
--- a/tests/affine-cloud/playwright.config.ts
+++ b/tests/affine-cloud/playwright.config.ts
@@ -52,7 +52,6 @@ const config: PlaywrightTestConfig = {
 DEBUG: 'affine:*',
 FORCE_COLOR: 'true',
 DEBUG_COLORS: 'true',
- NEXTAUTH_URL: 'http://localhost:8080',
 MAILER_HOST: '0.0.0.0',
 MAILER_PORT: '1025',
 MAILER_SENDER: 'noreply@toeverything.info',
diff --git a/tests/affine-desktop-cloud/playwright.config.ts b/tests/affine-desktop-cloud/playwright.config.ts
index 4016026f52..a031458157 100644
--- a/tests/affine-desktop-cloud/playwright.config.ts
+++ b/tests/affine-desktop-cloud/playwright.config.ts
@@ -47,7 +47,6 @@ const config: PlaywrightTestConfig = {
 DEBUG: 'affine:*',
 FORCE_COLOR: 'true',
 DEBUG_COLORS: 'true',
- NEXTAUTH_URL: 'http://localhost:8080',
 MAILER_SENDER: 'noreply@toeverything.info',
 },
 },