chore: better env handling

Xetera · Xetera · commit 34e9d74a669d · 2025-06-20T17:22:32.000+03:00
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,13 @@ WORKDIR /app
 COPY deno.json deno.lock .
 RUN deno install --frozen
 COPY . .
-RUN deno compile --allow-env --allow-run --allow-net --allow-read --deny-sys -o sync main.ts
+RUN deno compile \
+    --allow-env \
+    --allow-net \
+    --allow-read=/usr/bin/pg_dump \
+    --allow-run \
+    --deny-sys \
+    -o sync main.ts
 
 FROM denoland/deno:alpine AS runner
 
@@ -14,7 +20,9 @@ WORKDIR /app
 RUN apk add --no-cache postgresql-client
 
 ENV PG_DUMP_BINARY=/usr/bin/pg_dump
-COPY bin ./bin
+# bind to all interfaces
+ENV HOST=0.0.0.0
+# COPY bin ./bin
 COPY --from=builder /app/sync /app/sync
 
 USER deno
diff --git a/deno.json b/deno.json
@@ -6,12 +6,13 @@
     "sloppy-imports"
   ],
   "tasks": {
-    "dev": "deno run --watch main.ts"
+    "dev": "deno run --allow-env=HOST,PORT,HOSTED,PG_DUMP_BINARY,PGPASSWORD,PGSSL,PGIDLE_TIMEOUT,PGMAX_LIFETIME,PGMAX_PIPELINE,PGBACKOFF,PGKEEP_ALIVE,PGPREPARE,PGDEBUG,PGFETCH_TYPES,PGPUBLICATIONS,PGTARGET_SESSION_ATTRS,PGAPPNAME,PGCONNECT_TIMEOUT,PGTARGETSESSIONATTRS,PGPORT,PGMAX --allow-run --allow-net --allow-read=./bin --deny-sys --watch main.ts"
   },
   "imports": {
     "@opentelemetry/api": "jsr:@opentelemetry/api@^1.9.0",
     "@rabbit-company/rate-limiter": "jsr:@rabbit-company/rate-limiter@^3.0.0",
     "@std/assert": "jsr:@std/assert@^1.0.13",
+    "@std/collections": "jsr:@std/collections@^1.1.1",
     "postgres": "https://deno.land/x/postgresjs@v3.4.7/mod.js",
     "zod": "npm:zod@^3.25.67"
   },
diff --git a/deno.lock b/deno.lock
diff --git a/main.ts b/main.ts
@@ -1,16 +1,17 @@
 import { createServer } from "./src/server/http.ts";
 import { log } from "./src/log.ts";
 import { shutdown } from "./src/shutdown.ts";
-
-const DEFAULT_PORT = 2345;
+import { env } from "./src/env.ts";
 
 // Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
 if (import.meta.main) {
   const os = Deno.build.os;
   const arch = Deno.build.arch;
-  const port = Deno.env.get("PORT") || DEFAULT_PORT;
-  log.info(`Starting server (${os}-${arch}) on port ${port}`, "main");
-  createServer(Number(port));
+  log.info(
+    `Starting server (${os}-${arch}) on ${env.HOST}:${env.PORT}`,
+    "main"
+  );
+  createServer(env.HOST, env.PORT);
 
   Deno.addSignalListener("SIGTERM", shutdown);
   Deno.addSignalListener("SIGINT", shutdown);
diff --git a/src/env.ts b/src/env.ts
@@ -1,8 +1,14 @@
 import { z } from "zod";
+import { mapValues } from "@std/collections";
 
 const envSchema = z.object({
+  PG_DUMP_BINARY: z.string().optional(),
   HOSTED: z.coerce.boolean().default(false),
-  PORT: z.coerce.number().min(1024).max(65535).default(3000),
+  HOST: z.string().default("127.0.0.1"),
+  PORT: z.coerce.number().min(1024).max(65535).default(2345),
 });
 
-export const env = envSchema.parse(Deno.env.toObject());
+// we want to avoid asking for ALL env permissions if possible
+export const env = envSchema.parse(
+  mapValues(envSchema._def.shape(), (_, key) => Deno.env.get(key))
+);
diff --git a/src/server/http.ts b/src/server/http.ts
@@ -144,9 +144,9 @@ async function onSync(req: Request) {
   return Response.json(result, { status: 200 });
 }
 
-export function createServer(port: number) {
+export function createServer(hostname: string, port: number) {
   return Deno.serve(
-    { port, signal: shutdownController.signal },
+    { hostname, port, signal: shutdownController.signal },
     async (req, info) => {
       const url = new URL(req.url);
       log.http(req);
diff --git a/src/sync/schema.ts b/src/sync/schema.ts
@@ -1,6 +1,7 @@
 import { SpanStatusCode, trace } from "@opentelemetry/api";
 import { log } from "../log.ts";
 import { shutdownController } from "../shutdown.ts";
+import { env } from "../env.ts";
 
 export type TableStats = {
   name: string;
@@ -14,15 +15,7 @@ export class PostgresSchemaLink {
   }
 
   findPgDumpBinary(): string {
-    let forcePath: string | undefined;
-    try {
-      forcePath = Deno.env.get("PG_DUMP_BINARY");
-    } catch (_err) {
-      log.warn(
-        "Permission denied to read PG_DUMP_BINARY from env, falling back to built-in binary",
-        "schema:setup"
-      );
-    }
+    const forcePath = env.PG_DUMP_BINARY;
     if (forcePath) {
       log.info(
         `Using pg_dump binary from env(PG_DUMP_BINARY): ${forcePath}`,
diff --git a/src/sync/syncer.ts b/src/sync/syncer.ts
@@ -13,6 +13,7 @@ import {
 import { PostgresSchemaLink } from "./schema.ts";
 import { withSpan } from "../otel.ts";
 import { SpanStatusCode } from "@opentelemetry/api";
+import { env } from "../env.ts";
 
 type SyncOptions = DependencyAnalyzerOptions;
 
@@ -84,7 +85,7 @@ export class PostgresSyncer {
       /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(url.hostname) ||
       // ipv6 localhost
       url.hostname === "[::1]";
-    if (isLocalhost && Deno.env.get("DISALLOW_LOCAL_SYNC") === "true") {
+    if (isLocalhost && env.HOSTED) {
       return {
         kind: "error",
         type: "postgres_connection_error",
