Auto-generate MAS encryption keys

mas/mas-config.template.yaml

@@ -50,4 +50,5 @@ assets:
   policy: "/app/pkg/mas/share/policy.wasm"
   translations: "/app/pkg/mas/share/translations"
 secrets:
+  encryption_file: "${MAS_ENCRYPTION_FILE}"
   keys_dir: "/app/data/configs/mas-keys"

start.sh

@@ -3,6 +3,7 @@
 set -eu
 
 MAS_KEYS_DIR=${MAS_KEYS_DIR:-/app/data/configs/mas-keys}
+MAS_ENCRYPTION_FILE=${MAS_ENCRYPTION_FILE:-${MAS_KEYS_DIR}/default.secrets}
 
 mkdir -p /app/data/data /app/data/configs /run/synapse
 mkdir -p "${MAS_KEYS_DIR}"
@@ -22,7 +23,7 @@ MAS_OIDC_TOKEN_ENDPOINT=${MAS_OIDC_TOKEN_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/tok
 MAS_OIDC_USERINFO_ENDPOINT=${MAS_OIDC_USERINFO_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/userinfo}
 MAS_OIDC_SCOPES=${MAS_OIDC_SCOPES:-"openid profile email"}
 export MAS_PORT MAS_DOMAIN MAS_CONFIG_TEMPLATE MAS_CONFIG_OUTPUT MAS_CLI_BIN
-export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR
+export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR MAS_ENCRYPTION_FILE
 
 # ensure we have a persistent MAS client secret for the Synapse OIDC client
 if [[ -f "${MAS_SECRET_FILE}" ]]; then
@@ -37,6 +38,11 @@ export MAS_OIDC_CLIENT_SECRET
 # ensure postgres port is always defined for the MAS template
 export CLOUDRON_POSTGRESQL_PORT=${CLOUDRON_POSTGRESQL_PORT:-5432}
 
+if [[ ! -f "${MAS_ENCRYPTION_FILE}" ]]; then
+    openssl rand -base64 32 > "${MAS_ENCRYPTION_FILE}"
+    chmod 600 "${MAS_ENCRYPTION_FILE}"
+fi
+
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
     echo "==> Detected first run"