From a3c08b49b10375d2862d885ac856a925b333840b Mon Sep 17 00:00:00 2001 From: Thomas Hintz Date: Wed, 22 Apr 2026 12:02:27 -0700 Subject: [PATCH] Moving stripe api key to config/run secret. --- Makefile | 2 ++ all-apps/nassella/docker-compose.yaml | 3 +++ all-apps/nassella/stripe_api_key | 1 + src/Dockerfile | 8 +------- src/nassella.scm | 14 ++++++++++---- 5 files changed, 17 insertions(+), 11 deletions(-) create mode 100644 all-apps/nassella/stripe_api_key diff --git a/Makefile b/Makefile index dd1be83..0b4530f 100644 --- a/Makefile +++ b/Makefile @@ -69,6 +69,8 @@ all-apps/nassella/lldap_postgres_password: $(apps_config) bash -c 'source ./$(apps_config); printf "%s\n" "$$NASSELLA_LLDAP_POSTGRES_PASSWORD" > $@' all-apps/nassella/lldap_admin_password: $(apps_config) bash -c 'source ./$(apps_config); printf "%s\n" "$$NASSELLA_LLDAP_ADMIN_PASSWORD" > $@' +all-apps/nassella/stripe_api_key: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$NASSELLA_STRIPE_API_KEY" > $@' all-apps/nassella/authelia-config/configuration.yml: $(apps_config) all-apps/nassella/authelia-config/configuration.yml.tmpl make-nassella-authelia-config.sh ./make-nassella-authelia-config.sh $(apps_config) all-apps/nassella/lldap-config/lldap_config.toml: $(apps_config) all-apps/nassella/lldap-config/lldap_config.toml.tmpl make-nassella-lldap-config.sh diff --git a/all-apps/nassella/docker-compose.yaml b/all-apps/nassella/docker-compose.yaml index 7890862..09a547b 100644 --- a/all-apps/nassella/docker-compose.yaml +++ b/all-apps/nassella/docker-compose.yaml @@ -21,6 +21,8 @@ secrets: file: ./nassella/authelia_postgres_user nassella_lldap_admin_password: file: ./nassella/lldap_admin_password + nassella_stripe_api_key: + file: ./nassella/stripe_api_key services: nassella_lldap_db: @@ -133,6 +135,7 @@ services: - nassella_postgres_password - nassella_postgres_user - nassella_lldap_admin_password + - nassella_stripe_api_key networks: - lb - nassella_internal 
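Review bot: In the Makefile hunk, the new `all-apps/nassella/stripe_api_key` recipe succeeds and writes a bare newline when `NASSELLA_STRIPE_API_KEY` is unset or the `source` fails, so an empty key gets mounted as the secret with no build error. Making the expansion mandatory fails the rule instead: `printf "%s\n" "$${NASSELLA_STRIPE_API_KEY:?not set in $(apps_config)}" > $@`. The redirection also leaves the key file at whatever mode the umask or an already existing file dictates; a `chmod 600 $@` step is worth considering, provided the container user can still read the bind-mounted file. The two lldap rules shown as context follow the same pattern.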
diff --git a/all-apps/nassella/stripe_api_key b/all-apps/nassella/stripe_api_key new file mode 100644 index 0000000..afbd34a --- /dev/null +++ b/all-apps/nassella/stripe_api_key @@ -0,0 +1 @@ +api_key \ No newline at end of file diff --git a/src/Dockerfile b/src/Dockerfile index 885740a..3ff6e79 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -39,22 +39,16 @@ COPY db.scm db.scm COPY nassella.scm nassella.scm COPY run.scm run.scm -RUN csc -O3 mocks.scm -J -RUN csc -O3 db.scm -J -RUN csc -O3 nassella.scm -J RUN csc -O3 -o nassella-run run.scm RUN chmod +x nassella-run FROM debian:trixie-slim RUN apt-get update && apt-get -y --no-install-recommends install \ - libpq-dev ca-certificates gettext-base \ + libpq-dev ca-certificates gettext-base openssh-client \ && rm -rf /var/lib/apt/lists/* COPY --from=buildeggs /usr/local/ /usr/local/ WORKDIR /var -COPY --from=buildeggs /var/nassella/mocks /var -COPY --from=buildeggs /var/nassella/db /var -COPY --from=buildeggs /var/nassella/nassella /var COPY --from=buildeggs /var/nassella/nassella-run /var COPY nassella-latest.tar nassella-latest.tar diff --git a/src/nassella.scm b/src/nassella.scm index a3b328d..0d0b546 100644 --- a/src/nassella.scm +++ b/src/nassella.scm @@ -563,7 +563,8 @@ h1, h2, h3, h4, h5, h6 { 'email (alist-ref 'customer_details - (send-stripe-request endpoint: (string-append "/checkout/sessions/" sid))))) + (send-stripe-request endpoint: (string-append "/checkout/sessions/" sid) + username: (string-trim-right (with-input-from-file "/run/secrets/nassella_stripe_api_key" read-string)))))) (define (create-lldap-user username email) 
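Review bot: Committing `all-apps/nassella/stripe_api_key` makes the Makefile's output target a tracked file, so once the rule runs the live Stripe key sits in a modified tracked file and a later `git commit -a` would publish it. A freshly checked-out placeholder can also be newer than `$(apps_config)`, in which case make treats the target as up to date and the literal `api_key` is what gets mounted. Leaving the file untracked and ignored avoids both; whether a `.gitignore` entry already exists is not visible in this patch.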
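Review bot: `openssh-client` is added to the runtime image's package list with no comment, and the commit message only mentions the Stripe key. An SSH client in the final stage widens what a compromised container can reach, so the reason deserves a line above the `apt-get` call, for example `# openssh-client: required by <feature that shells out to ssh>`. The same hunk drops the separate `csc -J` builds and their COPY lines; presumably run.scm now pulls those modules in directly, which is worth confirming with a clean image build.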
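Review bot: In the src/nassella.scm hunk at -563, the secret is read inline at the call site with a hard-coded path and no check on its content. A missing file therefore surfaces as a raw I/O exception, and a blank file (which the Makefile rule produces when the variable is unset) is passed to Stripe as an empty username. A small helper that reads, trims and rejects an empty value keeps the path in one place and fails with a clear message. The enclosing function starts above this hunk, so the helper below would sit before it and the call would use `username: (stripe-api-key)`.

```scheme
;; Reads the Stripe key from the compose secret mount; errors if it is blank.
(define (stripe-api-key)
  (let ((key (string-trim-right
              (with-input-from-file "/run/secrets/nassella_stripe_api_key" read-string))))
    (if (string-null? key)
        (error "Stripe API key secret is empty")
        key)))

;; … unchanged: surrounding alist-ref 'email / 'customer_details lookup …
(send-stripe-request endpoint: (string-append "/checkout/sessions/" sid)
                     username: (stripe-api-key))
```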
@@ -1090,7 +1091,9 @@ chmod -R 777 /opt/keys"))) (Field (@ (name "nassella-lldap-subdomain") (label ("LLDAP Subdomain")) (value ,(alist-ref 'lldap-subdomain (alist-ref 'nassella app-config eq? '()) eq? "lldap")))) (Field (@ (name "nassella-lldap-admin-password") (label ("Admin Password")) (type "password") - (value ,(alist-ref 'lldap-admin-password (alist-ref 'nassella app-config eq? '()) eq? "")))))) + (value ,(alist-ref 'lldap-admin-password (alist-ref 'nassella app-config eq? '()) eq? "")))) + (Field (@ (name "nassella-stripe-api-key") (label ("Stripe API Key")) (type "password") + (value ,(alist-ref 'stripe-api-key (alist-ref 'nassella app-config eq? '()) eq? "")))))) '()) (Fieldset (@ (title "Log Viewer")) @@ -1160,9 +1163,10 @@ chmod -R 777 /opt/keys"))) (generate-key-seed))) (lldap-subdomain . ,(alist-ref 'nassella-lldap-subdomain (current-params))) (lldap-admin-password . ,(alist-ref 'nassella-lldap-admin-password (current-params))) + (stripe-api-key . ,(alist-ref 'nassella-stripe-api-key (current-params))) (authelia-jwt-secret . ,(or (alist-ref 'authelia-jwt-secret - (alist-ref 'nassella config eq? '())) - (generate-jwt-secret))) + (alist-ref 'nassella config eq? '())) + (generate-jwt-secret))) (authelia-key-seed . ,(or (alist-ref 'authelia-key-seed (alist-ref 'nassella config eq? '())) (generate-authelia-key-seed))))) 
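Review bot: The new Stripe field in the -1090 hunk renders the stored key back into the `value` attribute, so the live key is present in the page source for anyone who can load this form; `type "password"` only masks it on screen. Rendering `(value "")` and, in the -1160 hunk, keeping the saved key when the submitted field is blank would avoid echoing it, along the lines of `(stripe-api-key . ,(let ((v (alist-ref 'nassella-stripe-api-key (current-params)))) (if (and v (not (string-null? v))) v (alist-ref 'stripe-api-key (alist-ref 'nassella config eq? '())))))`. The LLDAP admin password field shown as context has the same behaviour. The -1160 hunk also re-indents the `authelia-jwt-secret` lines, which is unrelated to this change.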
@@ -1357,6 +1361,7 @@ chmod -R 777 /opt/keys")))
 ("NASSELLA_LLDAP_JWT_SECRET" . ,(alist-ref 'lldap-jwt-secret (alist-ref 'nassella config)))
 ("NASSELLA_LLDAP_KEY_SEED" . ,(alist-ref 'lldap-key-seed (alist-ref 'nassella config)))
 ("NASSELLA_LLDAP_ADMIN_PASSWORD" . ,(alist-ref 'lldap-admin-password (alist-ref 'nassella config)))
+ ("NASSELLA_STRIPE_API_KEY" . ,(alist-ref 'stripe-api-key (alist-ref 'nassella config)))
 ("NASSELLA_AUTHELIA_JWT_SECRET" . ,(alist-ref 'authelia-jwt-secret (alist-ref 'nassella config)))
 ("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config)))
 ("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config)))
@@ -1612,6 +1617,7 @@ chmod -R 777 /opt/keys")))
 ("NASSELLA_LLDAP_JWT_SECRET" . ,(alist-ref 'lldap-jwt-secret (alist-ref 'nassella config)))
 ("NASSELLA_LLDAP_KEY_SEED" . ,(alist-ref 'lldap-key-seed (alist-ref 'nassella config)))
 ("NASSELLA_LLDAP_ADMIN_PASSWORD" . ,(alist-ref 'lldap-admin-password (alist-ref 'nassella config)))
+ ("NASSELLA_STRIPE_API_KEY" . ,(alist-ref 'stripe-api-key (alist-ref 'nassella config)))
 ("NASSELLA_AUTHELIA_JWT_SECRET" . ,(alist-ref 'authelia-jwt-secret (alist-ref 'nassella config)))
 ("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config)))
 ("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config)))
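Review bot: Both hunks pass the form-supplied key into a `NASSELLA_STRIPE_API_KEY` entry, and the Makefile rule in this commit appears to load that same name later with `source ./$(apps_config)` in bash. How these pairs are serialized is outside the hunks, so confirm the writer shell-quotes values, or restrict the stored key to the characters a Stripe key can contain before it reaches this list. The identical line is added to two parallel lists (-1357 and -1612); building the shared entries in one helper would keep them from drifting apart.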