Set up site for production config behind proxy

invenio.cfg

@@ -14,13 +14,30 @@ from invenio_i18n import lazy_gettext as _
 def _(x):  # needed to avoid start time failure with lazy strings
     return x
 
-# Custom function and constant to manage secrets more easily
-def read_secrets():
-    import tomli
-    with open("secrets.toml", "rb") as f:
-        return tomli.load(f)
+# Custom functions and to get env variables more safely
+def init_env():
+    from py_dotenv_safe import config
 
-SECRETS = read_secrets()
+    options = {
+        "dotenvPath": ".env",
+        "examplePath": ".env.example",
+        "allowEmptyValues": False,
+    }
+
+    config(options)
+    print("Environment variables loaded successfully.")
+
+init_env()
+
+def get_env_variable(key):
+    import os
+
+    x = os.getenv(key)
+
+    if x is None:
+        raise EnvironmentError(f"Environment variable {key} not found")
+
+    return x
 
 # Flask
 # =====
@@ -35,7 +52,7 @@ SEND_FILE_MAX_AGE_DEFAULT = 300
 # SECURITY WARNING: keep the secret key used in production secret!
 # Do not commit it to a source code repository.
 # TODO: Set
-SECRET_KEY=SECRETS["SECRET_KEY"]
+SECRET_KEY=get_env_variable("INVENIO_SECRET_KEY")
 
 # Since HAProxy and Nginx route all requests no matter the host header
 # provided, the allowed hosts variable is set to localhost. In production it
@@ -154,8 +171,8 @@ FILES_REST_STORAGE_FACTORY='invenio_s3.s3fs_storage_factory'
 # Invenio-S3
 # ==========
 S3_ENDPOINT_URL='http://localhost:9000/'
-S3_ACCESS_KEY_ID='CHANGE_ME'
-S3_SECRET_ACCESS_KEY='CHANGE_ME'
+S3_ACCESS_KEY_ID=get_env_variable("S3_ACCESS_KEY_ID")
+S3_SECRET_ACCESS_KEY=get_env_variable("S3_SECRET_ACCESS_KEY")
 
 # Allow S3 endpoint in the CSP rules
 APP_DEFAULT_SECURE_HEADERS['content_security_policy']['default-src'].append(