From dbb06bbe7dcfe7b8e9482cd79cc109e911e567ed Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 1 Dec 2025 09:09:48 -0600
Subject: [PATCH] Auto-generate MAS encryption keys

---
 mas/mas-config.template.yaml | 1 +
 start.sh                     | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/mas/mas-config.template.yaml b/mas/mas-config.template.yaml
index e0fdd5d..cedc8c3 100644
--- a/mas/mas-config.template.yaml
+++ b/mas/mas-config.template.yaml
@@ -50,4 +50,5 @@ assets:
   policy: "/app/pkg/mas/share/policy.wasm"
   translations: "/app/pkg/mas/share/translations"
 secrets:
+  encryption_file: "${MAS_ENCRYPTION_FILE}"
   keys_dir: "/app/data/configs/mas-keys"
diff --git a/start.sh b/start.sh
index d7c2808..0694f93 100755
--- a/start.sh
+++ b/start.sh
@@ -3,6 +3,7 @@
 set -eu
 
 MAS_KEYS_DIR=${MAS_KEYS_DIR:-/app/data/configs/mas-keys}
+MAS_ENCRYPTION_FILE=${MAS_ENCRYPTION_FILE:-${MAS_KEYS_DIR}/default.secrets}
 mkdir -p /app/data/data /app/data/configs /run/synapse
 mkdir -p "${MAS_KEYS_DIR}"
 
@@ -22,7 +23,7 @@ MAS_OIDC_TOKEN_ENDPOINT=${MAS_OIDC_TOKEN_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/tok
 MAS_OIDC_USERINFO_ENDPOINT=${MAS_OIDC_USERINFO_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/userinfo}
 MAS_OIDC_SCOPES=${MAS_OIDC_SCOPES:-"openid profile email"}
 export MAS_PORT MAS_DOMAIN MAS_CONFIG_TEMPLATE MAS_CONFIG_OUTPUT MAS_CLI_BIN
-export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR
+export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR MAS_ENCRYPTION_FILE
 
 # ensure we have a persistent MAS client secret for the Synapse OIDC client
 if [[ -f "${MAS_SECRET_FILE}" ]]; then
@@ -37,6 +38,11 @@ export MAS_OIDC_CLIENT_SECRET
 
 # ensure postgres port is always defined for the MAS template
 export CLOUDRON_POSTGRESQL_PORT=${CLOUDRON_POSTGRESQL_PORT:-5432}
+if [[ ! -f "${MAS_ENCRYPTION_FILE}" ]]; then
+  openssl rand -base64 32 > "${MAS_ENCRYPTION_FILE}"
+  chmod 600 "${MAS_ENCRYPTION_FILE}"
+fi
+
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
   echo "==> Detected first run"
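Review bot: The secret written by `openssl rand -base64 32` is base64 text, but as far as I recall the MAS configuration reference specifies secrets.encryption as a 32-byte hex-encoded string and reads encryption_file the same way, so MAS would likely reject this file on startup; `openssl rand -hex 32` produces the expected 64 hex characters (please verify against the MAS config reference for the version shipped). Separately, the file is created with the process umask and is only tightened by the later `chmod 600`, and if openssl fails under `set -eu` an empty `${MAS_ENCRYPTION_FILE}` is left behind that satisfies the `-f` guard on every subsequent start, silently locking MAS out of its own data. Creating the file with `mktemp` in the target directory (mode 0600 from the outset) and renaming it into place once openssl has succeeded avoids both problems; the template hunk in mas/mas-config.template.yaml that consumes this path needs no change. This is top-level script code, not inside a function.
```shell
if [[ ! -f "${MAS_ENCRYPTION_FILE}" ]]; then
  # MAS reads this as a hex-encoded 32-byte key; mktemp creates it 0600 so the
  # secret is never world-readable, and mv publishes it only after a full write.
  tmp_secret=$(mktemp "${MAS_ENCRYPTION_FILE}.XXXXXX")
  openssl rand -hex 32 > "${tmp_secret}"
  chmod 600 "${tmp_secret}"
  mv -- "${tmp_secret}" "${MAS_ENCRYPTION_FILE}"
fi
# … unchanged: first-run detection …
```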