Automated MMR signing key generation process

docs/configuring-playbook-matrix-media-repo.md

@@ -27,8 +27,6 @@ The repo is pre-configured for integrating with the Postgres database, Traefik p
 
 By default, the media-repo will use the local filesystem for data storage. You can alternatively use a `s3` cloud backend as well. Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
 
-**Note:** If you want to use authenticated media endpoints ([MSC3916](https://github.com/matrix-org/matrix-spec-proposals/pull/3916)), you must configure a signing key for your MMR instance to authorize outbound federation requests. See https://docs.t2bot.io/matrix-media-repo/v1.3.5/installation/signing-key/ for more details on how to configure your server with a signing key.
-
 ## Configuring the media-repo
 
 Additional common configuration options:

group_vars/matrix_servers

@@ -3642,6 +3642,11 @@ matrix_media_repo_systemd_required_services_list_auto: |
     ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else [])
   }}
 
+matrix_media_repo_generate_signing_key: "{{ matrix_homeserver_implementation == 'synapse' or matrix_homeserver_implementation == 'dendrite'}}"
+matrix_media_repo_homeserver_signing_key: "{{ matrix_media_repo_synapse_signing_key if matrix_homeserver_implementation == 'synapse' else (matrix_media_repo_dendrite_signing_key if matrix_homeserver_implementation == 'dendrite' else '') }}"
+matrix_media_repo_synapse_signing_key: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key"
+matrix_media_repo_dendrite_signing_key: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+
 # Auto configured server setup by the playbook
 matrix_media_repo_homeservers_auto:
   -  # Keep the dash from this line.
@@ -3666,7 +3671,7 @@ matrix_media_repo_homeservers_auto:
     # The signing key to use for authorizing outbound federation requests. If not specified,
     # requests will not be authorized. See https://docs.t2bot.io/matrix-media-repo/v1.3.5/installation/signing-key/
     # for details.
-    signingKeyPath: ""
+    signingKeyPath: "{{ '/config/' + matrix_media_repo_identifier + '.signing.key' if matrix_media_repo_generate_signing_key else '' }}"
 
 matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federation_enabled }}"
 

roles/custom/matrix-media-repo/tasks/setup_install.yml

@@ -77,6 +77,58 @@
       changed_when: true
       when: "matrix_media_repo_git_pull_results.changed | bool or matrix_media_repo_docker_image_check_result.stdout == ''"
 
+- name: Check existence of media-repo signing key
+  ansible.builtin.stat:
+    path: "{{ matrix_media_repo_config_path }}/{{ matrix_media_repo_identifier }}.signing.key"
+  register: matrix_media_repo_signing_key_stat
+
+- when: "matrix_media_repo_generate_signing_key | bool and not (matrix_media_repo_signing_key_stat.stat.exists | bool)"
+  block:
+    - name: Generate media-repo signing key
+      ansible.builtin.command:
+        cmd: |
+          {{ devture_systemd_docker_base_host_command_docker }} run
+          --rm
+          --name={{ matrix_media_repo_identifier }}
+          --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+          --cap-drop=ALL
+          --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config
+          --workdir='/config'
+          --entrypoint='generate_signing_key'
+          {{ matrix_media_repo_docker_image }}
+          -output {{ matrix_media_repo_identifier }}.signing.key
+        creates: "{{ matrix_media_repo_config_path }}/{{ matrix_media_repo_identifier }}.signing.key"
+
+    - name: Merge media-repo signing key with homeserver signing key
+      ansible.builtin.command:
+        cmd: |
+          {{ devture_systemd_docker_base_host_command_docker }} run
+          --rm
+          --name={{ matrix_media_repo_identifier }}
+          --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+          --cap-drop=ALL
+          --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config
+          --mount type=bind,src={{ matrix_base_data_path }},dst=/matrix
+          --workdir='/config'
+          --entrypoint='combine_signing_keys'
+          {{ matrix_media_repo_docker_image }}
+          -format {{ matrix_homeserver_implementation }} -output {{ matrix_media_repo_homeserver_signing_key }}.merged {{ matrix_media_repo_homeserver_signing_key }} {{ matrix_media_repo_identifier }}.signing.key
+        creates: "{{ matrix_media_repo_homeserver_signing_key }}."
+
+    - name: Backup existing homeserver signing key before replacing it
+      ansible.builtin.copy:
+        remote_src: true
+        src: "{{ matrix_media_repo_homeserver_signing_key }}"
+        dest: "{{ matrix_media_repo_homeserver_signing_key }}.{{ matrix_homeserver_implementation }}.backup"
+        mode: 0644
+        owner: "{{ matrix_user_username }}"
+        group: "{{ matrix_user_groupname }}"
+
+    - name: Replace homeserver signing key with merged signing key
+      ansible.builtin.command:
+        cmd: "mv {{ matrix_media_repo_homeserver_signing_key }}.merged {{ matrix_media_repo_homeserver_signing_key }}"
+        removes: "{{ matrix_media_repo_homeserver_signing_key }}.merged"
+
 - name: Ensure media-repo container network is created
   community.general.docker_network:
     enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"