diff --git a/.env.sample b/.env.sample
index 1c8c840..e831f62 100644
--- a/.env.sample
+++ b/.env.sample
@@ -7,6 +7,10 @@
 SECRET_DB_PASSWORD_VERSION=v1
 SYNAPSE_ADMIN_EMAIL=admin@example.com
+SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
+SECRET_MACAROON_SECRET_KEY_VERSION=v1
+SECRET_FORM_SECRET_VERSION=v1
+
 #DISABLE_FEDERATION=1
 #COMPOSE_FILE="compose.yml:compose.keycloak.yml"
diff --git a/compose.keycloak.yml b/compose.keycloak.yml
index 13ca59f..25d7338 100644
--- a/compose.keycloak.yml
+++ b/compose.keycloak.yml
@@ -5,7 +5,10 @@ services:
 app:
 secrets:
 - db_password
+- form_secret
 - keycloak_client_secret
+- macaroon_secret_key
+- registration_shared_secret
 environment:
 - KEYCLOAK_ENABLED
 - KEYCLOAK_NAME
diff --git a/compose.turn.yml b/compose.turn.yml
index f3bf297..898840f 100644
--- a/compose.turn.yml
+++ b/compose.turn.yml
@@ -5,6 +5,9 @@ services:
 app:
 secrets:
 - db_password
+- form_secret
+- macaroon_secret_key
+- registration_shared_secret
 - turn_shared_secret
 environment:
 - TURN_ALLOW_GUESTS
diff --git a/compose.yml b/compose.yml
index ab3879c..1206d19 100644
--- a/compose.yml
+++ b/compose.yml
@@ -31,6 +31,9 @@ services:
 - "data:/data"
 secrets:
 - db_password
+- registration_shared_secret
+- macaroon_secret_key
+- form_secret
 environment:
 - DISABLE_FEDERATION
 - DOMAIN
@@ -100,3 +103,12 @@ secrets:
 db_password:
 external: true
 name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+registration_shared_secret:
+external: true
+name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
+macaroon_secret_key:
+external: true
+name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
+form_secret:
+external: true
+name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index cf8bc8f..9f54e8b 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
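Review bot: The three new external secrets in the second compose.yml hunk all keep the `name:` copied from the `db_password` entry, so `registration_shared_secret`, `macaroon_secret_key` and `form_secret` resolve to `${STACK_NAME}_db_password_<version>` instead of their own secrets. With every `SECRET_*_VERSION` left at `v1` as in `.env.sample`, the database password would be mounted into the container as the registration shared secret (which, per the homeserver comment, lets anyone holding it register admin accounts), as the macaroon key and as the form secret; with differing version values the stack would instead fail to deploy on a missing secret. Change the three lines to `name: ${STACK_NAME}_registration_shared_secret_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}`, `name: ${STACK_NAME}_macaroon_secret_key_${SECRET_MACAROON_SECRET_KEY_VERSION}` and `name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}`. As a style point, compose.keycloak.yml and compose.turn.yml list the service secrets alphabetically while the compose.yml service hunk does not; using one order in all three files makes them easier to diff against each other.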
@@ -4,4 +4,8 @@
 # default user permissions for the synapse user
 chown 991:991 /data
+if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
+ /start.py generate
+fi
+
 /start.py
diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl
index 6237a45..605ce91 100644
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
@@ -1210,7 +1210,7 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-registration_shared_secret: "G:4AX-+1LBJehgt6=gi^+^T73~zhmJfW4iNP2f#3wZY8icB.;w"
+registration_shared_secret: "{{ secret "registration_shared_secret" }}"
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@@ -1444,13 +1444,13 @@ room_prejoin_state:
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-macaroon_secret_key: "KyMrrJ:uvm4_89*CEYh;o*.WeWZJ^p0p*:w*G7^*,EC.EEin8@"
+macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.
 #
-form_secret: "I@#lMS0V3@HRB~b0nvA&Di29uK^l5K@Sm=Ima+:.CKlldwP6&s"
+form_secret: "{{ secret "form_secret" }}"
 ## Signing Keys ##
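Review bot: The new guard in entrypoint.sh.tmpl keys only on the signing key file, but `/start.py generate` in the upstream Synapse image is a full config-generation mode rather than a key-only step, so confirm it does not overwrite the rendered homeserver.yaml when the key is missing on first boot; if it does, generating just the key against the rendered config (Synapse's `--generate-keys` option) would be the safer call here. Two smaller points: `[[ ... ]]` is a bash-only test, so the template's shebang (outside this hunk) must be bash rather than sh, and an empty `DOMAIN` renders the check as `/data/.signing.key`, which presumably never matches the file Synapse writes — a `: "${DOMAIN:?DOMAIN must be set}"` line before the check fails loudly instead. The enclosing script starts before this hunk.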
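Review bot: The literal removed on the `registration_shared_secret` line was a real secret committed to the repository, and it stays recoverable from git history after this change, so it has to be treated as compromised: the docker secret behind the new `{{ secret "registration_shared_secret" }}` reference must be a freshly generated value and the old string must never be reused. The template also interpolates the secret inside YAML double quotes, so a value containing `"` or `\` would break the parse, and a trailing newline (e.g. from `echo | docker secret create`) would become part of the secret unless the `secret` helper strips it — confirm the helper's behaviour, or document that the values should be generated with something like `openssl rand -hex 32` so they are plain alphanumeric strings. The same caveats apply to the macaroon and form secrets changed in the second hunk.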
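Review bot: Switching `macaroon_secret_key` from the committed literal to the external secret presumably changes the key Synapse uses to sign access tokens, so unless the new docker secret carries the previous value every existing session on an already-deployed instance will be invalidated on upgrade — that deserves a sentence in the commit message or README for existing installs. As with the removed `registration_shared_secret`, the old `macaroon_secret_key` and `form_secret` literals remain in git history and should not be reused as the new secret values. The second hunk of homeserver.yaml.tmpl continues past the lines shown here.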