Add MAS keys directory

start.sh

@@ -3,6 +3,7 @@
 set -eu
 
 mkdir -p /app/data/data /app/data/configs /run/synapse
+mkdir -p "${MAS_KEYS_DIR}"
 
 source /app/code/env/bin/activate
 
@@ -12,6 +13,7 @@ MAS_SECRET_FILE=/app/data/configs/mas-client-secret
 MAS_CONFIG_TEMPLATE=/app/pkg/mas/mas-config.template.yaml
 MAS_CONFIG_OUTPUT=/app/data/configs/mas.yaml
 MAS_CLI_BIN=/app/pkg/mas/mas-cli
+MAS_KEYS_DIR=/app/data/configs/mas-keys
 MAS_OIDC_CLIENT_ID=${MAS_OIDC_CLIENT_ID:-synapse}
 MAS_OIDC_ISSUER=${MAS_OIDC_ISSUER:-https://${MAS_DOMAIN}}
 MAS_OIDC_AUTH_ENDPOINT=${MAS_OIDC_AUTH_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/authorize}
@@ -19,7 +21,7 @@ MAS_OIDC_TOKEN_ENDPOINT=${MAS_OIDC_TOKEN_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/tok
 MAS_OIDC_USERINFO_ENDPOINT=${MAS_OIDC_USERINFO_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/userinfo}
 MAS_OIDC_SCOPES=${MAS_OIDC_SCOPES:-"openid profile email"}
 export MAS_PORT MAS_DOMAIN MAS_CONFIG_TEMPLATE MAS_CONFIG_OUTPUT MAS_CLI_BIN
-export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES
+export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR
 
 # ensure we have a persistent MAS client secret for the Synapse OIDC client
 if [[ -f "${MAS_SECRET_FILE}" ]]; then