Automated MMR signing key generation process

2024-08-09 13:43:26 -05:00
parent 25b8f334a3
commit c3fd33566d
3 changed files with 58 additions and 3 deletions
--- a/roles/custom/matrix-media-repo/tasks/setup_install.yml
+++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml
@ -77,6 +77,58 @@
      changed_when: true
      when: "matrix_media_repo_git_pull_results.changed | bool or matrix_media_repo_docker_image_check_result.stdout == ''"

+- name: Check existence of media-repo signing key
+  ansible.builtin.stat:
+    path: "{{ matrix_media_repo_config_path }}/{{ matrix_media_repo_identifier }}.signing.key"
+  register: matrix_media_repo_signing_key_stat
+
+- when: "matrix_media_repo_generate_signing_key | bool and not (matrix_media_repo_signing_key_stat.stat.exists | bool)"
+  block:
+    - name: Generate media-repo signing key
+      ansible.builtin.command:
+        cmd: |
+          {{ devture_systemd_docker_base_host_command_docker }} run
+          --rm
+          --name={{ matrix_media_repo_identifier }}
+          --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+          --cap-drop=ALL
+          --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config
+          --workdir='/config'
+          --entrypoint='generate_signing_key'
+          {{ matrix_media_repo_docker_image }}
+          -output {{ matrix_media_repo_identifier }}.signing.key
+        creates: "{{ matrix_media_repo_config_path }}/{{ matrix_media_repo_identifier }}.signing.key"
+
+    - name: Merge media-repo signing key with homeserver signing key
+      ansible.builtin.command:
+        cmd: |
+          {{ devture_systemd_docker_base_host_command_docker }} run
+          --rm
+          --name={{ matrix_media_repo_identifier }}
+          --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+          --cap-drop=ALL
+          --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config
+          --mount type=bind,src={{ matrix_base_data_path }},dst=/matrix
+          --workdir='/config'
+          --entrypoint='combine_signing_keys'
+          {{ matrix_media_repo_docker_image }}
+          -format {{ matrix_homeserver_implementation }} -output {{ matrix_media_repo_homeserver_signing_key }}.merged {{ matrix_media_repo_homeserver_signing_key }} {{ matrix_media_repo_identifier }}.signing.key
+        creates: "{{ matrix_media_repo_homeserver_signing_key }}."
+
+    - name: Backup existing homeserver signing key before replacing it
+      ansible.builtin.copy:
+        remote_src: true
+        src: "{{ matrix_media_repo_homeserver_signing_key }}"
+        dest: "{{ matrix_media_repo_homeserver_signing_key }}.{{ matrix_homeserver_implementation }}.backup"
+        mode: 0644
+        owner: "{{ matrix_user_username }}"
+        group: "{{ matrix_user_groupname }}"
+
+    - name: Replace homeserver signing key with merged signing key
+      ansible.builtin.command:
+        cmd: "mv {{ matrix_media_repo_homeserver_signing_key }}.merged {{ matrix_media_repo_homeserver_signing_key }}"
+        removes: "{{ matrix_media_repo_homeserver_signing_key }}.merged"
+
 - name: Ensure media-repo container network is created
  community.general.docker_network:
    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"