finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove passlib dependency by making matrix-media-repo datastore IDs user-provided

Browse Source 
These IDs were incorrectly auto-derived from matrix_homeserver_generic_secret_key,
which is meant for secrets that are OK to change. Datastore IDs are static
identifiers that must never change after first use.

The playbook now requires users to explicitly set matrix_media_repo_datastore_file_id
(and matrix_media_repo_datastore_s3_id when S3 is enabled) in vars.yml, with
validation that fails early if they are missing.

This was the last usage of passlib, which is now removed from prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Slavi Pantaleev
2026-02-09 16:56:33 +02:00
parent 09914bf338
commit 2c2738a48f
5 changed files with 53 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
roles/custom/matrix-media-repo/defaults/main.yml
View File

@@ -414,8 +414,9 @@ matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"
# thumbnails and other misc data is also stored in these places. The media repo, when looking
# for a datastore to use, will always use the smallest datastore first.
# ID for the file datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_file_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'filestore.db', rounds=655555) | to_uuid }}"
# ID for the file datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_file_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
@@ -434,8 +435,9 @@ matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "loca
# Path to datastore, relative to matrix-media-repo directory root
matrix_media_repo_datastore_opts_path: "/data/media"
# ID for the s3 datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_s3_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 's3store.db', rounds=655555) | to_uuid }}"
# ID for the S3 datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_s3_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote

2
roles/custom/matrix-media-repo/tasks/validate_config.yml
View File

@@ -15,6 +15,8 @@
- {'name': 'matrix_media_repo_database_hostname', when: true}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
- {'name': 'matrix_media_repo_datastore_file_id', when: "{{ (matrix_media_repo_datastore_file_for_kinds | length) > 0 }}"}
- {'name': 'matrix_media_repo_datastore_s3_id', when: "{{ (matrix_media_repo_datastore_s3_for_kinds | length) > 0 }}"}
- name: (Deprecation) Catch and report renamed matrix-media-repo settings
ansible.builtin.fail: