matrix-bridge-hookshot: normalize generated passkey ownership

Similar to c6d33b819. See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
matrix-authentication-service: normalize generated key ownership
2026-03-29 19:31:25 +03:00 · 2026-03-16 16:50:40 +02:00 · 2026-03-16 16:49:51 +02:00
2 changed files with 35 additions and 0 deletions
--- a/roles/custom/matrix-authentication-service/tasks/install.yml
+++ b/roles/custom/matrix-authentication-service/tasks/install.yml
@@ -33,6 +33,25 @@
      loop_control:
        loop_var: private_key_definition

+    # We intentionally do a single fixup pass here (instead of in `prepare_key.yml`)
+    # so that we reconcile both newly generated keys and any pre-existing keys with
+    # incorrect ownership/mode in one place.
+    #
+    # This primarily protects against setups where `become_user` is effectively not
+    # honored (for example due to inventory misconfiguration such as `ansible_become=false`),
+    # which can lead to host-side key generation creating root-owned files.
+    #
+    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
+    - name: Ensure Matrix Authentication Service private keys have correct ownership and mode
+      ansible.builtin.file:
+        path: "{{ matrix_authentication_service_data_keys_path }}/{{ item.key_file }}"
+        state: file
+        mode: '0600'
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
+      with_items: "{{ matrix_authentication_service_key_management_list }}"
+      register: matrix_authentication_service_private_keys_result
+
 - name: Ensure Matrix Authentication Service configuration installed
  ansible.builtin.copy:
    content: "{{ matrix_authentication_service_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -117,4 +136,5 @@
        or matrix_authentication_service_support_files_result.changed | default(false)
        or matrix_authentication_service_systemd_service_result.changed | default(false)
        or matrix_authentication_service_container_image_pull_result.changed | default(false)
+        or matrix_authentication_service_private_keys_result.changed | default(false)
      }}
--- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
@@ -76,6 +76,20 @@
  become_user: "{{ matrix_user_name }}"
  when: "not hookshot_passkey_file.stat.exists"

+# We intentionally reconcile the passkey ownership/mode after generation,
+# because some setups can end up creating host-side files as the SSH user
+# instead of `matrix` when `become_user` is effectively not honored.
+#
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
+- name: Ensure hookshot passkey has correct ownership and mode
+  ansible.builtin.file:
+    path: "{{ matrix_hookshot_base_path }}/passkey.pem"
+    state: file
+    mode: '0600'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_hookshot_passkey_result
+
 - name: Ensure hookshot config.yml installed if provided
  ansible.builtin.copy:
    content: "{{ matrix_hookshot_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -154,6 +168,7 @@
        matrix_hookshot_config_result.changed | default(false)
        or matrix_hookshot_registration_result.changed | default(false)
        or matrix_hookshot_github_key_result.changed | default(false)
+        or matrix_hookshot_passkey_result.changed | default(false)
        or matrix_hookshot_support_files_result.changed | default(false)
        or matrix_hookshot_systemd_service_result.changed | default(false)
        or matrix_hookshot_container_image_pull_result.changed | default(false)