From 168d5bea93804a25b0bba1d2e6021b34493953b7 Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Wed, 7 May 2025 21:08:40 +0200
Subject: [PATCH] Generate key

---
 .../tasks/setup_install.yml | 35 +++++++++++++++++++
 .../templates/config.yaml.j2 | 8 ++---
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
index 79b51ab6f..77a7ff789 100644
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
@@ -128,6 +128,41 @@
 become: true
 become_user: "{{ matrix_user_name }}"
 
+- name: Check if an authenticated media signing key exists
+ ansible.builtin.stat:
+ path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+ register: matrix_appservice_irc_stat_auth_media_key
+
+- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
+ block:
+ - name: Generate IRC appservice signing key for authenticated media
+ community.docker.docker_container:
+ name: "create-auth-media-jwk-key"
+ image: "{{ matrix_appservice_irc_docker_image }}"
+ cleanup: yes
+ network_mode: none
+ entrypoint: "/usr/local/bin/node"
+ command: >
+ -e "const webcrypto = require('node:crypto');
+ async function main() {
+ const key = await webcrypto.subtle.generateKey({
+ name: 'HMAC',
+ hash: 'SHA-512',
+ }, true, ['sign', 'verify']);
+ console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
+ }
+ main().then(() => process.exit(0)).catch(err => { throw err });"
+ detach: false
+ register: matrix_appservice_irc_jwk_result
+
+ - name: Write auth media signing key to file
+ ansible.builtin.copy:
+ content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
+ dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+ mode: "0644"
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
 - name: (Migration) Ensure Appservice IRC passkey permissions are okay
diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
index fa9e52038..fdf29dcd9 100644
--- a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
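Review bot: The JWK written by the `Write auth media signing key to file` task is a symmetric HMAC secret (the generated key is exported with `exportKey('jwk', key)`, so the JSON carries the raw key material), yet it is persisted with `mode: "0644"` and the same material travels through `matrix_appservice_irc_jwk_result.container.Output` and the copy task's `content`, where it will appear in verbose or `--diff` Ansible output. Tighten the file to `mode: "0640"` — presumably sufficient since the bridge is expected to run as `matrix_user_username`, which the owner line suggests — and add `no_log: true` to both the `community.docker.docker_container` task and the `ansible.builtin.copy` task so the key is not echoed. Because the whole block is guarded by `stat.exists`, the mode is only applied on first generation, so an existing key file keeps whatever permissions it already has; a follow-up permission task like the `(Migration)` one below would cover that. As a point of style, `cleanup: yes` should read `cleanup: true`, matching `detach: false` and `become: true` on the neighbouring lines.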
@@ -137,13 +137,13 @@ ircService:
 mediaProxy:
 # To generate a .jwk file:
 # $ node src/generate-signing-key.js > signingkey.jwk
- signingKeyPath: "signingkey.jwk"
+ signingKeyPath: "/data/auth-media.jwk"
 # How long should the generated URLs be valid for
- ttlSeconds: 3600
+ ttlSeconds: 604800
 # The port for the media proxy to listen on
- bindPort: 11111
+ bindPort: {{ matrix_media_repo_port | to_json }}
 # The publically accessible URL to the media proxy
- publicUrl: "https://irc.bridge/media"
+ publicUrl: "{{ matrix_appservice_irc_homeserver_media_url }}"
 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.
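Review bot: `bindPort: {{ matrix_media_repo_port | to_json }}` reads a variable whose prefix belongs to a different role (matrix-media-repo), while the other templated value in this hunk is `matrix_appservice_irc_*`; unless the IRC media proxy is meant to share that role's port setting, this looks like the wrong variable and may be undefined on hosts where that role is not enabled. A role-scoped default would be safer, e.g. `bindPort: {{ matrix_appservice_irc_media_proxy_bind_port | to_json }}` (a proposed name, not an existing variable). The context comment `# $ node src/generate-signing-key.js > signingkey.jwk` is now stale, since the role generates the key itself in setup_install.yml; replacing it with `# Generated by the role during setup_install; auth-media.jwk lives in the data directory.` would stop operators from creating a second key by hand. The hard-coded jump of `ttlSeconds` from 3600 to 604800 makes signed media URLs valid for a week; that is a security-relevant default and would be clearer as a configurable role variable with the rationale noted beside it.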