From c3fd33566d565131df059c24b670c0500fe8eb34 Mon Sep 17 00:00:00 2001
From: Michael Hollister
Date: Fri, 9 Aug 2024 13:43:26 -0500
Subject: [PATCH] Automated MMR signing key generation process

---
 .../configuring-playbook-matrix-media-repo.md | 2 -
 group_vars/matrix_servers | 7 ++-
 .../matrix-media-repo/tasks/setup_install.yml | 52 +++++++++++++++++++
 3 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/docs/configuring-playbook-matrix-media-repo.md b/docs/configuring-playbook-matrix-media-repo.md
index 20a0aae0e..27681bc79 100644
--- a/docs/configuring-playbook-matrix-media-repo.md
+++ b/docs/configuring-playbook-matrix-media-repo.md
@@ -27,8 +27,6 @@ The repo is pre-configured for integrating with the Postgres database, Traefik p
 By default, the media-repo will use the local filesystem for data storage. You can alternatively use a `s3` cloud backend as well. Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
-**Note:** If you want to use authenticated media endpoints ([MSC3916](https://github.com/matrix-org/matrix-spec-proposals/pull/3916)), you must configure a signing key for your MMR instance to authorize outbound federation requests. See https://docs.t2bot.io/matrix-media-repo/v1.3.5/installation/signing-key/ for more details on how to configure your server with a signing key.
-
 ## Configuring the media-repo
 Additional common configuration options:
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 2869596a6..ed10a1983 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3642,6 +3642,11 @@ matrix_media_repo_systemd_required_services_list_auto: |
 ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else [])
 }}
+matrix_media_repo_generate_signing_key: "{{ matrix_homeserver_implementation == 'synapse' or matrix_homeserver_implementation == 'dendrite'}}"
+matrix_media_repo_homeserver_signing_key: "{{ matrix_media_repo_synapse_signing_key if matrix_homeserver_implementation == 'synapse' else (matrix_media_repo_dendrite_signing_key if matrix_homeserver_implementation == 'dendrite' else '') }}"
+matrix_media_repo_synapse_signing_key: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key"
+matrix_media_repo_dendrite_signing_key: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+
 # Auto configured server setup by the playbook
 matrix_media_repo_homeservers_auto:
 - # Keep the dash from this line.
@@ -3666,7 +3671,7 @@ matrix_media_repo_homeservers_auto:
 # The signing key to use for authorizing outbound federation requests. If not specified,
 # requests will not be authorized. See https://docs.t2bot.io/matrix-media-repo/v1.3.5/installation/signing-key/
 # for details.
- signingKeyPath: ""
+ signingKeyPath: "{{ '/config/' + matrix_media_repo_identifier + '.signing.key' if matrix_media_repo_generate_signing_key else '' }}"
 matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federation_enabled }}"
diff --git a/roles/custom/matrix-media-repo/tasks/setup_install.yml b/roles/custom/matrix-media-repo/tasks/setup_install.yml
index a25b3f130..dfed94ee0 100755
--- a/roles/custom/matrix-media-repo/tasks/setup_install.yml
+++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml
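Review bot: `matrix_media_repo_generate_signing_key` is switched on whenever the homeserver implementation is synapse or dendrite, so on the next playbook run existing deployments get a media-repo key generated and merged into the homeserver's signing key file with no opt-in, and this hunk documents neither that side effect nor the override. A comment above the variable would make the contract visible, for example `# Generates a signing key for the media-repo and merges it into the homeserver's signing key file (Synapse/Dendrite only). Set to false to manage the media-repo signing key yourself.`. The backup and replace of the homeserver key happen in the tasks hunk of this commit, so the comment should point readers there. A spacing nit in the same line: `'dendrite'}}` should read `'dendrite' }}` like the other Jinja expressions in the hunk.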
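Review bot: The new `signingKeyPath` expression tests `matrix_media_repo_generate_signing_key` bare, while the tasks hunk of this commit consumes the same variable as `matrix_media_repo_generate_signing_key | bool`; a user override written as the string `"false"` would be truthy here and still point MMR at a key that was never generated. For consistency write `signingKeyPath: "{{ '/config/' + matrix_media_repo_identifier + '.signing.key' if matrix_media_repo_generate_signing_key | bool else '' }}"`. The hard-coded `/config/` prefix also presumes the media-repo config directory is bound at `/config` inside the service container, which this hunk does not show; a one-line comment tying it to `matrix_media_repo_config_path` would help the next maintainer.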
@@ -77,6 +77,58 @@
 changed_when: true
 when: "matrix_media_repo_git_pull_results.changed | bool or matrix_media_repo_docker_image_check_result.stdout == ''"
+- name: Check existence of media-repo signing key
+ ansible.builtin.stat:
+ path: "{{ matrix_media_repo_config_path }}/{{ matrix_media_repo_identifier }}.signing.key"
+ register: matrix_media_repo_signing_key_stat
+
+- when: "matrix_media_repo_generate_signing_key | bool and not (matrix_media_repo_signing_key_stat.stat.exists | bool)"
+ block:
+ - name: Generate media-repo signing key
+ ansible.builtin.command:
+ cmd: |
+ {{ devture_systemd_docker_base_host_command_docker }} run
+ --rm
+ --name={{ matrix_media_repo_identifier }}
+ --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+ --cap-drop=ALL
+ --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config
+ --workdir='/config'
+ --entrypoint='generate_signing_key'
+ {{ matrix_media_repo_docker_image }}
+ -output {{ matrix_media_repo_identifier }}.signing.key
+ creates: "{{ matrix_media_repo_config_path }}/{{ matrix_media_repo_identifier }}.signing.key"
+
+ - name: Merge media-repo signing key with homeserver signing key
+ ansible.builtin.command:
+ cmd: |
+ {{ devture_systemd_docker_base_host_command_docker }} run
+ --rm
+ --name={{ matrix_media_repo_identifier }}
+ --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+ --cap-drop=ALL
+ --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config
+ --mount type=bind,src={{ matrix_base_data_path }},dst=/matrix
+ --workdir='/config'
+ --entrypoint='combine_signing_keys'
+ {{ matrix_media_repo_docker_image }}
+ -format {{ matrix_homeserver_implementation }} -output {{ matrix_media_repo_homeserver_signing_key }}.merged {{ matrix_media_repo_homeserver_signing_key }} {{ matrix_media_repo_identifier }}.signing.key
+ creates: "{{ matrix_media_repo_homeserver_signing_key }}."
+
+ - name: Backup existing homeserver signing key before replacing it
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ matrix_media_repo_homeserver_signing_key }}"
+ dest: "{{ matrix_media_repo_homeserver_signing_key }}.{{ matrix_homeserver_implementation }}.backup"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+ - name: Replace homeserver signing key with merged signing key
+ ansible.builtin.command:
+ cmd: "mv {{ matrix_media_repo_homeserver_signing_key }}.merged {{ matrix_media_repo_homeserver_signing_key }}"
+ removes: "{{ matrix_media_repo_homeserver_signing_key }}.merged"
+
 - name: Ensure media-repo container network is created
 community.general.docker_network:
 enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
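Review bot: The backup task writes a copy of the homeserver's private signing key with `mode: 0644`, leaving it world-readable on the host; since `remote_src: true` is set, `mode: preserve` keeps the original file's permissions, or use `mode: "0600"` (quoted, which also avoids the YAML 1.1 octal reading). The merge task binds `{{ matrix_base_data_path }}` at `/matrix` yet passes host paths derived from `matrix_media_repo_homeserver_signing_key` to `combine_signing_keys`, so the command only resolves when `matrix_base_data_path` is literally `/matrix`; mounting it at its own path, `--mount type=bind,src={{ matrix_base_data_path }},dst={{ matrix_base_data_path }}`, removes that assumption. Both `docker run` invocations use `matrix_synapse_uid`/`matrix_synapse_gid` even when the implementation is dendrite, and the media-repo's own key is created under that user, so it is worth confirming the media-repo service user can read it. The block's `when:` is keyed only on the media-repo key existing, so if generation succeeds but the merge or replace step fails, later runs skip the block and the homeserver key is never merged; the `creates:` value on the merge task also appears cut off in this view and should be checked against the committed file.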