add api secrets seperate from .env

This commit is contained in:
2025-09-09 10:20:46 -04:00
parent b2938758e2
commit 4685c970af
6 changed files with 298 additions and 13 deletions
+28
View File
@@ -0,0 +1,28 @@
# NFOGuard Secrets Configuration Template
# Copy this to .env.secrets and add your actual API keys
# This file should NOT be committed to version control
# Add .env.secrets to your .gitignore
# ===========================================
# RADARR DATABASE CREDENTIALS
# ===========================================
# Database password for PostgreSQL connection
RADARR_DB_PASSWORD=your_radarr_db_password
# ===========================================
# API KEYS (SENSITIVE DATA)
# ===========================================
# TMDB API key for digital release dates
TMDB_API_KEY=your_tmdb_api_key
# OMDb API key for DVD/digital release dates (optional)
OMDB_API_KEY=your_omdb_api_key
# Radarr API key (optional - for fallback only)
RADARR_API_KEY=your_radarr_api_key
# Sonarr API key (optional - for TV processing)
SONARR_API_KEY=your_sonarr_api_key
# Jellyseerr API key (optional)
JELLYSEERR_API_KEY=your_jellyseerr_api_key
+9 -10
View File
@@ -19,38 +19,37 @@ DB_PATH=/app/data/media_dates.db
# RADARR DATABASE CONNECTION (REQUIRED) # RADARR DATABASE CONNECTION (REQUIRED)
# =========================================== # ===========================================
# Connection to Radarr's PostgreSQL database # Connection to Radarr's PostgreSQL database
# NOTE: Database password should be set in .env.secrets file
RADARR_DB_HOST=radarr-postgres RADARR_DB_HOST=radarr-postgres
RADARR_DB_PORT=5432 RADARR_DB_PORT=5432
RADARR_DB_NAME=radarr RADARR_DB_NAME=radarr
RADARR_DB_USER=radarr RADARR_DB_USER=radarr
RADARR_DB_PASSWORD=your_radarr_db_password
# =========================================== # ===========================================
# RADARR API (OPTIONAL - for fallback) # RADARR API (OPTIONAL - for fallback)
# =========================================== # ===========================================
# Only needed if you want API fallback (not recommended for performance) # Only needed if you want API fallback (not recommended for performance)
# NOTE: API key should be set in .env.secrets file
RADARR_URL=http://radarr:7878 RADARR_URL=http://radarr:7878
RADARR_API_KEY=your_radarr_api_key
# =========================================== # ===========================================
# SONARR API (OPTIONAL) # SONARR API (OPTIONAL)
# =========================================== # ===========================================
# Only needed for TV processing # Only needed for TV processing
# NOTE: API key should be set in .env.secrets file
SONARR_URL=http://sonarr:8989 SONARR_URL=http://sonarr:8989
SONARR_API_KEY=your_sonarr_api_key
# =========================================== # ===========================================
# EXTERNAL APIs FOR DIGITAL RELEASE DATES # EXTERNAL APIs FOR DIGITAL RELEASE DATES
# =========================================== # ===========================================
# TMDB API for digital release dates (recommended) # NOTE: All API keys should be set in .env.secrets file
TMDB_API_KEY=your_tmdb_api_key # See .env.secrets.template for required keys:
# - TMDB_API_KEY (recommended for digital release dates)
# - OMDB_API_KEY (optional for DVD/digital release dates)
# - JELLYSEERR_API_KEY (optional for additional digital release data)
# OMDb API for DVD/digital release dates (optional) # Jellyseerr URL (optional)
OMDB_API_KEY=your_omdb_api_key
# Jellyseerr for additional digital release data (optional)
JELLYSEERR_URL=http://jellyseerr:5055 JELLYSEERR_URL=http://jellyseerr:5055
JELLYSEERR_API_KEY=your_jellyseerr_api_key
# =========================================== # ===========================================
# NFO MANAGEMENT # NFO MANAGEMENT
+60
View File
@@ -0,0 +1,60 @@
# Environment files with sensitive data
.env
.env.secrets
.env.local
# Python
__pycache__/
*.py[cod]
*$py.class
*.so
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# Virtual environments
venv/
env/
ENV/
# IDE
.vscode/
.idea/
*.swp
*.swo
*~
# OS
.DS_Store
Thumbs.db
# Logs
logs/
*.log
# Database files
*.db
*.sqlite
*.sqlite3
# Temporary files
tmp/
temp/
*.tmp
# Docker
.dockerignore
+148
View File
@@ -0,0 +1,148 @@
# NFOGuard Setup Guide
## 🔐 Secure Configuration Setup
NFOGuard now uses a **two-file configuration system** for better security and easier troubleshooting:
- **`.env`** - Main configuration (safe to share for debugging)
- **`.env.secrets`** - Sensitive API keys and passwords (never commit to git)
### Step 1: Copy Configuration Templates
```bash
# Copy main configuration
cp .env.template .env
# Copy secrets configuration
cp .env.secrets.template .env.secrets
```
### Step 2: Configure Main Settings
Edit your `.env` file with your specific paths and preferences:
```bash
# Media paths (adjust to your directory structure)
TV_PATHS=/media/TV/tv,/media/TV/tv6
MOVIE_PATHS=/media/Movies/movies,/media/Movies/movies6
# Database connection details
RADARR_DB_HOST=radarr-postgres
RADARR_DB_PORT=5432
RADARR_DB_NAME=radarr
RADARR_DB_USER=radarr
# Processing preferences
PREFER_RELEASE_DATES_OVER_FILE_DATES=true
ALLOW_FILE_DATE_FALLBACK=false
RELEASE_DATE_PRIORITY=digital,physical,theatrical
```
### Step 3: Configure Secrets
Edit your `.env.secrets` file with your actual API keys and passwords:
```bash
# Database password
RADARR_DB_PASSWORD=your_actual_radarr_password
# TMDB API key (required for release date detection)
TMDB_API_KEY=your_actual_tmdb_api_key
# Optional API keys
RADARR_API_KEY=your_radarr_api_key
SONARR_API_KEY=your_sonarr_api_key
OMDB_API_KEY=your_omdb_api_key
```
### Step 4: Verify Configuration
Test your setup:
```bash
# Test database connections
curl -X POST "http://localhost:8080/test/bulk-update"
# Test movie scanning
curl -X POST "http://localhost:8080/test/movie-scan"
# Check system health
curl "http://localhost:8080/health"
```
## 🔒 Security Features
### API Key Masking
All API keys and passwords are automatically masked in logs:
```
[2025-09-09T12:34:56] INFO: TMDB API call with key=***masked***
[2025-09-09T12:34:56] INFO: Database connection password=***masked***
```
### Sensitive Data Separation
- **Main `.env`**: Paths, preferences, URLs (safe to share)
- **`.env.secrets`**: API keys, passwords (never commit to version control)
- **Automatic loading**: Both files loaded automatically at startup
### Git Protection
The `.gitignore` file prevents accidental commits:
```
.env
.env.secrets
.env.local
```
## 🛠 Troubleshooting
### "Environment files not loaded" Warning
Install python-dotenv:
```bash
pip install python-dotenv==1.0.0
# or
docker-compose build # rebuilds with updated requirements.txt
```
### Sharing Configuration for Help
You can safely share your `.env` file for debugging since it contains no sensitive data. The `.env.secrets` file should never be shared.
### Migration from Old Setup
If you have an existing `.env` with API keys:
1. Move all `*_API_KEY` and `*_PASSWORD` variables to `.env.secrets`
2. Remove sensitive data from `.env`
3. Restart NFOGuard
## 🎯 Docker Compose Example
```yaml
version: '3.8'
services:
nfoguard:
image: ghcr.io/your-org/nfoguard:latest
container_name: nfoguard
ports:
- "8080:8080"
volumes:
- /path/to/your/media:/media:rw
- ./data:/app/data
- ./.env:/app/.env:ro # Main configuration
- ./.env.secrets:/app/.env.secrets:ro # Secrets
environment:
- PORT=8080
depends_on:
- radarr-postgres
```
## 📋 Configuration Reference
### Main Configuration (.env)
- **Paths**: `TV_PATHS`, `MOVIE_PATHS`, `DB_PATH`
- **Processing**: `MOVIE_PRIORITY`, `RELEASE_DATE_PRIORITY`
- **Features**: `MANAGE_NFO`, `FIX_DIR_MTIMES`, `LOCK_METADATA`
- **URLs**: `RADARR_URL`, `SONARR_URL`, `JELLYSEERR_URL`
### Secrets Configuration (.env.secrets)
- **Database**: `RADARR_DB_PASSWORD`
- **APIs**: `TMDB_API_KEY`, `OMDB_API_KEY`, `RADARR_API_KEY`, `SONARR_API_KEY`
- **Optional**: `JELLYSEERR_API_KEY`
This setup makes NFOGuard more secure while keeping configuration manageable for troubleshooting and deployment.
+52 -3
View File
@@ -51,19 +51,68 @@ def _setup_file_logging():
logger.addHandler(file_handler) logger.addHandler(file_handler)
return logger return logger
def _mask_sensitive_data(msg: str) -> str:
"""Mask API keys and other sensitive data in log messages"""
import re
# List of patterns to mask
sensitive_patterns = [
(r'api_key=([a-zA-Z0-9_\-]+)', r'api_key=***masked***'),
(r'password=([^\s&]+)', r'password=***masked***'),
(r'token=([a-zA-Z0-9_\-]+)', r'token=***masked***'),
(r'key=([a-zA-Z0-9_\-]{8,})', r'key=***masked***'), # Keys longer than 8 chars
(r'([a-zA-Z0-9]{32,})', lambda m: m.group(1)[:8] + '***masked***' if len(m.group(1)) > 16 else m.group(1)) # Long strings likely to be keys
]
masked_msg = msg
for pattern, replacement in sensitive_patterns:
if isinstance(replacement, str):
masked_msg = re.sub(pattern, replacement, masked_msg, flags=re.IGNORECASE)
else:
masked_msg = re.sub(pattern, replacement, masked_msg, flags=re.IGNORECASE)
return masked_msg
def _log(level: str, msg: str): def _log(level: str, msg: str):
"""Enhanced logging that writes to both console and file""" """Enhanced logging that writes to both console and file with sensitive data masking"""
print(f"[{datetime.now(timezone.utc).isoformat(timespec='seconds')}] {level}: {msg}") masked_msg = _mask_sensitive_data(msg)
print(f"[{datetime.now(timezone.utc).isoformat(timespec='seconds')}] {level}: {masked_msg}")
try: try:
file_logger = _setup_file_logging() file_logger = _setup_file_logging()
getattr(file_logger, level.lower(), file_logger.info)(msg) getattr(file_logger, level.lower(), file_logger.info)(masked_msg)
except Exception as e: except Exception as e:
print(f"File logging error: {e}") print(f"File logging error: {e}")
# Initialize logging # Initialize logging
_setup_file_logging() _setup_file_logging()
def _load_environment_files():
"""Load environment variables from .env and optionally .env.secrets"""
from pathlib import Path
# Try to load from python-dotenv if available
try:
from dotenv import load_dotenv
# Load main .env file
env_file = Path(".env")
if env_file.exists():
load_dotenv(env_file)
_log("INFO", f"Loaded environment from {env_file}")
# Load secrets file if it exists
secrets_file = Path(".env.secrets")
if secrets_file.exists():
load_dotenv(secrets_file)
_log("INFO", f"Loaded secrets from {secrets_file}")
except ImportError:
_log("WARNING", "python-dotenv not available - environment files not loaded")
# Load environment files at startup
_load_environment_files()
def _bool_env(name: str, default: bool) -> bool: def _bool_env(name: str, default: bool) -> bool:
v = os.environ.get(name) v = os.environ.get(name)
if v is None: if v is None:
+1
View File
@@ -2,3 +2,4 @@ fastapi==0.104.1
uvicorn[standard]==0.24.0 uvicorn[standard]==0.24.0
pydantic==2.5.0 pydantic==2.5.0
psycopg2-binary==2.9.9 psycopg2-binary==2.9.9
python-dotenv==1.0.0