Harden publisher secret deployment

Sam-Bolling · Sam-Bolling · commit 6842db8584c2 · 2026-05-26T10:31:19.000-04:00
diff --git a/deploy_go_publishers.sh b/deploy_go_publishers.sh
@@ -51,6 +51,7 @@ declare -A GO_PUBS=(
   [usgs-water-publisher-go]=usgs_water
   [usgs-nims-publisher-go]=usgs_nims
   [iss-publisher-go]=iss
+  [met-office-datahub-publisher-go]=met_office_datahub
 )
 
 for dir_name in "${!GO_PUBS[@]}"; do
@@ -73,12 +74,14 @@ fi
 echo ""
 echo "=== Running bootstraps against Go server ==="
 
-# Run each bootstrap against the Go server
-export OSH_ADDRESS=129-80-248-53.sslip.io
-export OSH_PORT=443
-export OSH_USER=os4csapi
-export OSH_PASS=ogc134mm
-export OSH_BASE_URL=$GO_URL
+# Run each bootstrap against the Go server. OSH_PASS is intentionally required
+# from the caller's environment so server credentials are not stored in git.
+export OSH_ADDRESS=${OSH_ADDRESS:-129-80-248-53.sslip.io}
+export OSH_PORT=${OSH_PORT:-443}
+export OSH_USER=${OSH_USER:-os4csapi}
+: "${OSH_PASS:?Set OSH_PASS in the shell or a host-local environment file before running this script}"
+export OSH_PASS
+export OSH_BASE_URL=${OSH_BASE_URL:-$GO_URL}
 
 # NWS bootstrap
 echo "-- NWS Bootstrap --"
@@ -122,4 +125,11 @@ cd $HOME_DIR/iss-publisher-go
 python3 -m publishers.iss.bootstrap_iss 2>&1 | tail -20
 echo ""
 
+# Met Office DataHub bootstrap (requires MET_OFFICE_LAND_OBSERVATIONS_API_KEY
+# only for publisher runtime/probe, not for resource bootstrap)
+echo "-- Met Office DataHub Bootstrap --"
+cd $HOME_DIR/met-office-datahub-publisher-go
+python3 -m publishers.met_office_datahub.bootstrap_met_office_datahub 2>&1 | tail -20
+echo ""
+
 echo "=== Bootstrap complete ==="
diff --git a/docs/research/CSAPI_Go_Server_Integration_Report_2026-04-17.md b/docs/research/CSAPI_Go_Server_Integration_Report_2026-04-17.md
@@ -430,7 +430,7 @@ The established pattern for adding Go server support to any publisher:
 1. Run bootstrap against Go server:
    ```bash
    OSH_BASE_URL="https://129-80-248-53.sslip.io/csapi-go" \
-   OSH_USER=dummy OSH_PASS=dummy \
+   OSH_USER=dummy OSH_PASS=<osh-admin-password> \
    python -m publishers.<name>.bootstrap_<name>
    ```
 
@@ -440,7 +440,7 @@ The established pattern for adding Go server support to any publisher:
    Environment="OSH_ADDRESS=129-80-248-53.sslip.io"
    Environment="OSH_BASE_URL=https://129-80-248-53.sslip.io/csapi-go"
    Environment="OSH_USER=dummy"
-   Environment="OSH_PASS=dummy"
+   Environment="OSH_PASS=<osh-admin-password>"
    ExecStart=/usr/bin/python3 -m publishers.<name>.<name>_publisher
    ```
 
diff --git a/docs/research/ISS_Publisher_Refactor_Plan.md b/docs/research/ISS_Publisher_Refactor_Plan.md
@@ -220,7 +220,7 @@ This is perhaps the most significant long-term benefit. The refactor transforms
 export OSH_ADDRESS=my-osh-server.example.com
 export OSH_PORT=443
 export OSH_USER=admin
-export OSH_PASS=secret
+export OSH_PASS=<osh-admin-password>
 export SYSTEM_UID=urn:osh:sensor:iss-tracker
 export DATASTREAM_NAME="ISS Position"
 export NORAD_ID=25544
diff --git a/docs/research/Publisher_Fleet_Portability_Plan.md b/docs/research/Publisher_Fleet_Portability_Plan.md
@@ -156,7 +156,7 @@ socket.getaddrinfo = _patched_getaddrinfo
    OSH_ADDRESS=your-server.example.com
    OSH_PORT=443
    OSH_USER=admin
-   OSH_PASS=changeme
+   OSH_PASS=<osh-admin-password>
    OSH_ROOT=sensorhub
 
    # ── Optional ──
diff --git a/docs/research/USGS_Water_Publisher_Phase1_Report.md b/docs/research/USGS_Water_Publisher_Phase1_Report.md
@@ -252,7 +252,7 @@ cd ~/OSHConnect-Python && git pull origin main
 python -m publishers.usgs_water.usgs_water_publisher --once
 
 # Optional: set API key for higher rate limits
-export USGS_API_KEY=55Xjsea8288I7fnXCCGFIQMICM0ddmcvVHFT6G76
+export USGS_API_KEY=<usgs-api-key>
 
 # Create systemd service following existing publisher pattern:
 #   ExecStart=/path/to/venv/bin/python -m publishers.usgs_water.usgs_water_publisher --interval 900
diff --git a/docs/research/new-publisher-source-planning/Oracle_Publisher_Secret_Deployment_2026-05-26.md b/docs/research/new-publisher-source-planning/Oracle_Publisher_Secret_Deployment_2026-05-26.md
@@ -0,0 +1,111 @@
+# Oracle Publisher Secret Deployment
+
+This is the acceptable production pattern for API keys used by live publishers on the Oracle host.
+
+## Principle
+
+Publisher code must stay configurable and secret-free. The repository may contain variable names, `.env.example` placeholders, Docker Compose interpolation, and systemd instructions, but not raw provider keys.
+
+The live Oracle host should inject keys through one of these host-local mechanisms:
+
+- systemd `EnvironmentFile=` with mode `0600`, owned by `root`;
+- service-specific root-owned key files referenced by `*_API_KEY_FILE` environment variables;
+- Docker Compose `.env` on the host, also mode `0600`, if the publisher is run via Compose.
+
+## Current Key-Backed Publishers
+
+| Publisher | Required? | Variable |
+| --- | --- | --- |
+| USGS Water | Optional, improves rate limits | `USGS_API_KEY` |
+| USGS NIMS | Optional, improves rate limits | `USGS_API_KEY` |
+| Met Office Land Observations | Required | `MET_OFFICE_LAND_OBSERVATIONS_API_KEY` |
+
+The Oracle deploy/bootstrap script also expects `OSH_PASS` from the caller's environment or a host-local environment file. Server credentials should follow the same rule as provider API keys: never commit the raw value.
+
+Met Office also supports `MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE`, which should point at a host-local file containing the raw key or an assignment line.
+
+## systemd Pattern
+
+Create a shared environment file on Oracle:
+
+```bash
+sudo install -d -m 700 -o root -g root /etc/os4csapi
+sudo install -m 600 -o root -g root /dev/null /etc/os4csapi/publisher-secrets.env
+sudoedit /etc/os4csapi/publisher-secrets.env
+```
+
+Example contents, with placeholders only:
+
+```text
+USGS_API_KEY=<usgs-key-if-used>
+MET_OFFICE_LAND_OBSERVATIONS_API_KEY=<met-office-land-observations-key>
+OSH_PASS=<osh-admin-password>
+```
+
+Then add a drop-in to each service that needs the keys:
+
+```bash
+sudo systemctl edit met-office-datahub-publisher-go
+```
+
+Drop-in contents:
+
+```ini
+[Service]
+EnvironmentFile=/etc/os4csapi/publisher-secrets.env
+```
+
+Reload and restart:
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart met-office-datahub-publisher-go
+sudo journalctl -u met-office-datahub-publisher-go -n 80 --no-pager
+```
+
+For USGS Water and USGS NIMS, use the same `EnvironmentFile=` drop-in on `usgs-water-publisher-go` and `usgs-nims-publisher-go` when the API key is available.
+
+## Secret File Pattern
+
+For a single-service Met Office secret file:
+
+```bash
+sudo install -d -m 700 -o root -g root /etc/os4csapi/secrets
+sudo install -m 600 -o root -g root /dev/null /etc/os4csapi/secrets/met-office-land-observations.key
+sudoedit /etc/os4csapi/secrets/met-office-land-observations.key
+```
+
+The file should contain only the key or this assignment:
+
+```text
+MET_OFFICE_LAND_OBSERVATIONS_API_KEY=<met-office-land-observations-key>
+```
+
+The service environment then uses:
+
+```ini
+[Service]
+Environment=MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE=/etc/os4csapi/secrets/met-office-land-observations.key
+```
+
+Standalone publisher runs may also point at a shared host-local env file:
+
+```ini
+[Service]
+Environment=PUBLISHERS_ENV_FILE=/etc/os4csapi/publisher-secrets.env
+```
+
+## Docker Compose Pattern
+
+When running `publishers/docker-compose.yml` on Oracle, store keys in the host-local `publishers/.env` file. That file is ignored by git and must not be copied into commits or support bundles.
+
+```text
+USGS_API_KEY=<usgs-key-if-used>
+MET_OFFICE_LAND_OBSERVATIONS_API_KEY=<met-office-land-observations-key>
+```
+
+Met Office is an opt-in access-gated Compose service:
+
+```bash
+docker compose --profile access-gated up -d met-office-datahub
+```
diff --git a/publishers/.env.example b/publishers/.env.example
@@ -10,6 +10,9 @@ OSH_ROOT=sensorhub
 # Full bootstrap URL (derived from OSH_ADDRESS/PORT/ROOT if unset)
 # BOOTSTRAP_URL=https://your-server.example.com/sensorhub/api
 
+# Optional local env-file override for standalone publisher runs.
+# PUBLISHERS_ENV_FILE=/etc/os4csapi/publisher-secrets.env
+
 # Force DNS resolution to a specific IP (useful behind NAT / split DNS)
 # OSH_FORCE_IP=10.0.0.5
 
@@ -20,6 +23,10 @@ OSH_ROOT=sensorhub
 # Required for publishers.met_office_datahub.
 # MET_OFFICE_LAND_OBSERVATIONS_API_KEY=
 
+# Optional alternative for systemd/Oracle deployments: point to a root-owned
+# file containing either the raw key or MET_OFFICE_LAND_OBSERVATIONS_API_KEY=...
+# MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE=/etc/os4csapi/secrets/met-office-land-observations.key
+
 # Optional override if Met Office changes/publishes a different gateway URL.
 # MET_OFFICE_LAND_OBSERVATIONS_BASE_URL=https://data.hub.api.metoffice.gov.uk/observation-land/1
 
diff --git a/publishers/README.md b/publishers/README.md
@@ -71,6 +71,7 @@ python -m publishers.iss.bootstrap_iss
 cd publishers
 docker compose up -d          # start all
 docker compose up -d nws      # start one
+docker compose --profile access-gated up -d met-office-datahub
 docker compose logs -f nws    # follow logs
 docker compose ps             # status
 docker compose down            # stop all
@@ -115,9 +116,11 @@ python -m publishers.nws.nws_publisher --interval 3600
 | `OSH_PASS` | **Yes** | Auth password |
 | `OSH_ROOT` | **Yes** | Server root path (usually `sensorhub`) |
 | `BOOTSTRAP_URL` | No | Override the full bootstrap API URL |
+| `PUBLISHERS_ENV_FILE` | No | Standalone runtime override for the env file loaded by publishers that support local env loading |
 | `OSH_FORCE_IP` | No | Force DNS resolution to a specific IP |
 | `USGS_API_KEY` | No | USGS API key for higher rate limits |
 | `MET_OFFICE_LAND_OBSERVATIONS_API_KEY` | For Met Office | Met Office Weather DataHub Land Observations subscription key |
+| `MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE` | For Met Office | Host-local file containing the Land Observations key; useful for Oracle/systemd secrets |
 | `BUOYCAM_CACHE_ROOT` | No | Local directory for BuoyCAM image cache |
 | `BUOYCAM_CACHE_BASE_URL` | No | Public URL serving the cached images |
 
@@ -135,6 +138,9 @@ python -m publishers.nws.nws_publisher --interval 3600
 - **BGS SensorThings** uses the public BGS Sensor Data Service SensorThings API
   and polls only curated unrestricted UKGEOS Glasgow datastreams in `stations.json`.
 - **Met Office DataHub** uses the access-gated Land Observations API and reads
-  `MET_OFFICE_LAND_OBSERVATIONS_API_KEY` from the environment. It caches nearest
-  geohash lookups in ignored runtime state to stay within the free-plan call budget.
+  `MET_OFFICE_LAND_OBSERVATIONS_API_KEY` from the environment, or
+  `MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE` from a host-local secret file. It
+  caches nearest geohash lookups in ignored runtime state to stay within the
+  free-plan call budget. In Docker Compose it is behind the `access-gated`
+  profile, so public publishers can still start without a Met Office key.
 - All publishers use `--interval <seconds>` and `--dry-run` CLI flags.
diff --git a/publishers/docker-compose.yml b/publishers/docker-compose.yml
@@ -101,7 +101,7 @@ services:
     restart: always
     environment:
       <<: *osh-env
-      # USGS_API_KEY: "${USGS_API_KEY:-}"
+      USGS_API_KEY: "${USGS_API_KEY:-}"
     command: ["--interval", "900"]
 
   # ── USGS NIMS Imagery (15min cadence) ──
@@ -112,9 +112,25 @@ services:
     restart: always
     environment:
       <<: *osh-env
-      # USGS_API_KEY: "${USGS_API_KEY:-}"
+      USGS_API_KEY: "${USGS_API_KEY:-}"
     command: ["--interval", "900"]
 
+  # ── Met Office Weather DataHub Land Observations (1h cadence) ──
+  met-office-datahub:
+    profiles: ["access-gated"]
+    build:
+      context: ..
+      dockerfile: publishers/met_office_datahub/Dockerfile
+    restart: always
+    environment:
+      <<: *osh-env
+      MET_OFFICE_LAND_OBSERVATIONS_API_KEY: ${MET_OFFICE_LAND_OBSERVATIONS_API_KEY:-}
+      MET_OFFICE_LAND_OBSERVATIONS_BASE_URL: ${MET_OFFICE_LAND_OBSERVATIONS_BASE_URL:-https://data.hub.api.metoffice.gov.uk/observation-land/1}
+      MET_OFFICE_DATAHUB_API_KEY_HEADER: ${MET_OFFICE_DATAHUB_API_KEY_HEADER:-apikey}
+      MET_OFFICE_DATAHUB_REQUEST_DELAY: ${MET_OFFICE_DATAHUB_REQUEST_DELAY:-1.0}
+      MET_OFFICE_DATAHUB_429_BACKOFF: ${MET_OFFICE_DATAHUB_429_BACKOFF:-3600}
+    command: ["--interval", "3600"]
+
   # ── USGS Earthquake Feed (60s cadence) ──
   usgs-eq:
     build:
diff --git a/publishers/met_office_datahub/Dockerfile b/publishers/met_office_datahub/Dockerfile
@@ -0,0 +1,20 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN pip install --no-cache-dir git+https://github.com/OS4CSAPI/OSHConnect-Python.git
+
+COPY publishers/ /app/publishers/
+
+ENV OSH_ADDRESS=
+ENV OSH_PORT=443
+ENV OSH_USER=
+ENV OSH_PASS=
+ENV OSH_ROOT=sensorhub
+ENV MET_OFFICE_LAND_OBSERVATIONS_API_KEY=
+ENV MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE=
+ENV MET_OFFICE_LAND_OBSERVATIONS_BASE_URL=https://data.hub.api.metoffice.gov.uk/observation-land/1
+ENV MET_OFFICE_DATAHUB_API_KEY_HEADER=apikey
+
+ENTRYPOINT ["python", "-m", "publishers.met_office_datahub.met_office_datahub_publisher"]
+CMD ["--interval", "3600"]
diff --git a/publishers/met_office_datahub/README.md b/publishers/met_office_datahub/README.md
@@ -43,6 +43,14 @@ Store the API key outside git. In this workspace the preferred location is `publ
 MET_OFFICE_LAND_OBSERVATIONS_API_KEY=...
 ```
 
+On live hosts, prefer a service environment variable or a root-owned secret file instead of a repo-local `.env`:
+
+```text
+MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE=/etc/os4csapi/secrets/met-office-land-observations.key
+```
+
+The key file may contain the raw key on the first non-comment line, or `MET_OFFICE_LAND_OBSERVATIONS_API_KEY=...`.
+
 Optional overrides:
 
 ```text
diff --git a/publishers/met_office_datahub/met_office_datahub_publisher.py b/publishers/met_office_datahub/met_office_datahub_publisher.py
@@ -37,7 +37,7 @@ def __init__(self, message: str, retry_after: float | None = None):
 
 
 def _load_local_env():
-    env_path = Path(__file__).resolve().parents[1] / ".env"
+    env_path = Path(os.environ.get("PUBLISHERS_ENV_FILE") or Path(__file__).resolve().parents[1] / ".env")
     if not env_path.exists():
         return
     for raw_line in env_path.read_text(encoding="utf-8").splitlines():
@@ -51,6 +51,32 @@ def _load_local_env():
             os.environ[key] = value
 
 
+def _read_secret_file(path_value: str | None) -> str | None:
+    if not path_value:
+        return None
+    path = Path(os.path.expanduser(path_value.strip().strip('"').strip("'")))
+    if not path.exists():
+        raise SystemExit(f"ERROR: configured API key file does not exist: {path}")
+    for raw_line in path.read_text(encoding="utf-8").splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if "=" in line:
+            _, line = line.split("=", 1)
+            line = line.strip()
+        return line.strip().strip('"').strip("'")
+    return None
+
+
+def _configured_api_key() -> str | None:
+    return (
+        os.environ.get("MET_OFFICE_LAND_OBSERVATIONS_API_KEY")
+        or os.environ.get("MET_OFFICE_DATAHUB_API_KEY")
+        or _read_secret_file(os.environ.get("MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE"))
+        or _read_secret_file(os.environ.get("MET_OFFICE_DATAHUB_API_KEY_FILE"))
+    )
+
+
 def _load_config() -> dict:
     here = os.path.dirname(os.path.abspath(__file__))
     with open(os.path.join(here, "stations.json"), encoding="utf-8") as f:
@@ -206,14 +232,12 @@ def _select_latest(records: list[dict], parameter: dict) -> tuple[dict, str, flo
 class MetOfficeDataHubClient:
     def __init__(self):
         _load_local_env()
-        self.api_key = (
-            os.environ.get("MET_OFFICE_LAND_OBSERVATIONS_API_KEY")
-            or os.environ.get("MET_OFFICE_DATAHUB_API_KEY")
-        )
+        self.api_key = _configured_api_key()
         if not self.api_key:
             raise SystemExit(
                 "ERROR: MET_OFFICE_LAND_OBSERVATIONS_API_KEY must be set.\n"
-                "  Store it in publishers/.env or the process environment."
+                "  Store it in publishers/.env, the process environment, or set\n"
+                "  MET_OFFICE_LAND_OBSERVATIONS_API_KEY_FILE to a host-local secret file."
             )
         self.base_url = os.environ.get("MET_OFFICE_LAND_OBSERVATIONS_BASE_URL", DEFAULT_API_BASE).rstrip("/")
         self.key_header = os.environ.get("MET_OFFICE_DATAHUB_API_KEY_HEADER", "apikey")
