Auto-generate MAS encryption keys

2025-12-01 09:09:48 -06:00
parent 2613089c0d
commit dbb06bbe7d
2 changed files with 8 additions and 1 deletions
--- a/mas/mas-config.template.yaml
+++ b/mas/mas-config.template.yaml
@@ -50,4 +50,5 @@ assets:
  policy: "/app/pkg/mas/share/policy.wasm"
  translations: "/app/pkg/mas/share/translations"
 secrets:
  encryption_file: "${MAS_ENCRYPTION_FILE}"
  keys_dir: "/app/data/configs/mas-keys"
--- a/start.sh
+++ b/start.sh
@@ -3,6 +3,7 @@
 set -eu
 MAS_KEYS_DIR=${MAS_KEYS_DIR:-/app/data/configs/mas-keys}
 MAS_ENCRYPTION_FILE=${MAS_ENCRYPTION_FILE:-${MAS_KEYS_DIR}/default.secrets}
 mkdir -p /app/data/data /app/data/configs /run/synapse
 mkdir -p "${MAS_KEYS_DIR}"
@@ -22,7 +23,7 @@ MAS_OIDC_TOKEN_ENDPOINT=${MAS_OIDC_TOKEN_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/tok
 MAS_OIDC_USERINFO_ENDPOINT=${MAS_OIDC_USERINFO_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/userinfo}
 MAS_OIDC_SCOPES=${MAS_OIDC_SCOPES:-"openid profile email"}
 export MAS_PORT MAS_DOMAIN MAS_CONFIG_TEMPLATE MAS_CONFIG_OUTPUT MAS_CLI_BIN
-export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR
+export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR MAS_ENCRYPTION_FILE
 # ensure we have a persistent MAS client secret for the Synapse OIDC client
 if [[ -f "${MAS_SECRET_FILE}" ]]; then
@@ -37,6 +38,11 @@ export MAS_OIDC_CLIENT_SECRET
 # ensure postgres port is always defined for the MAS template
 export CLOUDRON_POSTGRESQL_PORT=${CLOUDRON_POSTGRESQL_PORT:-5432}
 if [[ ! -f "${MAS_ENCRYPTION_FILE}" ]]; then
    openssl rand -base64 32 > "${MAS_ENCRYPTION_FILE}"
    chmod 600 "${MAS_ENCRYPTION_FILE}"
 fi
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
    echo "==> Detected first run"