From 827c09394c93f69d88a42423c679d288a2e9cc12 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Tue, 5 Nov 2024 16:16:19 +0000 Subject: [PATCH] blank secrets to aid bootstrap --- README.md | 5 +++-- compose.yml | 5 ++++- init/init.sh | 10 +++++----- secrets/livekit/livekit_api_key | 0 secrets/livekit/livekit_secret_key | 0 secrets/postgres/postgres_password | 0 secrets/synapse/signing.key | 0 7 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 secrets/livekit/livekit_api_key create mode 100644 secrets/livekit/livekit_secret_key create mode 100644 secrets/postgres/postgres_password create mode 100644 secrets/synapse/signing.key diff --git a/README.md b/README.md index a0f150c..446e76e 100644 --- a/README.md +++ b/README.md @@ -56,5 +56,6 @@ docker compose exec mas mas-cli -c /data/config.yaml doctor * [x] sort out the networking * [x] make nginx do something useful when running on a local workstation * [ ] hook up letsencrypt to nginx properly - * [ ] hook up livekit properly - * [ ] make it work + * [x] hook up livekit properly + * [x] make it work + \ No newline at end of file diff --git a/compose.yml b/compose.yml index 0765a3f..52b4f0c 100644 --- a/compose.yml +++ b/compose.yml @@ -6,13 +6,15 @@ secrets: postgres_password: file: secrets/postgres/postgres_password synapse_signing_key: - file: secrets/synapse/${DOMAIN}.signing.key + file: secrets/synapse/signing.key livekit_api_key: file: secrets/livekit/livekit_api_key livekit_secret_key: file: secrets/livekit/livekit_secret_key services: + # XXX: consider factor out secret generation from the compose.yml + # dependencies for optionally generating default configs + secrets generate-synapse-secrets: image: ghcr.io/element-hq/synapse:latest 
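Review bot: The `synapse_signing_key` source is now the fixed path `secrets/synapse/signing.key`, so the key file is no longer selected by `${DOMAIN}`; if one checkout is ever pointed at a second domain, both deployments would read and overwrite the same key, which deserves a comment beside the line such as `# one signing key per checkout; DOMAIN no longer selects the file`. The new XXX comment also reads awkwardly and omits the reason the blank placeholder files are committed (the diffstat shows four empty `create mode 100644` entries), which appears to be that compose will not start while a `file:` secret source is missing; `# XXX: consider factoring out secret generation from compose.yml; the empty files under secrets/ exist only so these file: sources resolve before init has generated them` would record both points for the next reader.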
@@ -287,6 +289,7 @@ services: build: # evil hack to pull in bash so we can run an entrypoint.sh # FIXME: it's a bit wasteful; the alternative would be to modify lk-jwt-service to pick up secrets from disk + # Another alternative would be to factor out secret generation from compose.yml and create an .env up front dockerfile_inline: | FROM ghcr.io/element-hq/lk-jwt-service:latest-ci AS builder FROM alpine:latest diff --git a/init/init.sh b/init/init.sh index 69950fe..6d8b8c9 100755 --- a/init/init.sh +++ b/init/init.sh @@ -9,7 +9,7 @@ set -e # by this point, synapse & mas should generated default config files & secrets # via generate-synapse-secrets.sh and generate-mas-secrets.sh -if [[ ! -f /secrets/synapse/${DOMAIN}.signing.key ]] # TODO: check for existence of other secrets? +if [[ ! -s /secrets/synapse/signing.key ]] # TODO: check for existence of other secrets? then # extract synapse secrets from the config and move them into ./secrets echo "Extracting generated synapse secrets..." @@ -19,7 +19,7 @@ then yq .$secret /data/synapse/homeserver.yaml.default > /secrets/synapse/$secret done # ...and files too, just to keep all our secrets in one place - mv /data/synapse/${DOMAIN}.signing.key /secrets/synapse + mv /data/synapse/${DOMAIN}.signing.key /secrets/synapse/signing.key fi if [[ ! -f /secrets/mas/secrets ]] # TODO: check for existence of other secrets? 
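Review bot: The guard `if [[ ! -s /secrets/synapse/signing.key ]]` still keys the whole extraction on one file, and with the empty placeholders now committed an "exists but empty" synapse secret is the normal starting state rather than an error, so a run interrupted after the signing key was moved but before the yq loop finished leaves the other synapse secret files empty and they are never retried; the inline `# TODO: check for existence of other secrets?` has become more pressing with this change. A cheap improvement is to also test `-s` on each file the loop below writes, or to treat any empty file under /secrets/synapse as needing extraction. The enclosing `if` block runs on past this hunk.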
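Review bot: `mv /data/synapse/${DOMAIN}.signing.key /secrets/synapse/signing.key` is now the only place this script still depends on `DOMAIN` after compose.yml dropped it from the secret path, and the script runs under `set -e` without `set -u`, so an unset DOMAIN expands to `/data/synapse/.signing.key` and init dies with a bare mv error; `: "${DOMAIN:?DOMAIN must be set}"` near the top of the script would fail with a clear message instead. An existing deployment that already moved its key to the old `/secrets/synapse/${DOMAIN}.signing.key` location will presumably see the new empty `signing.key`, take this branch, and find nothing left under /data/synapse to move, which aborts init and pushes the operator towards regenerating a signing key by hand. A one-line migration before the extraction, `if [[ -s /secrets/synapse/${DOMAIN}.signing.key ]]; then mv /secrets/synapse/${DOMAIN}.signing.key /secrets/synapse/signing.key; fi`, would keep the existing key. The `if` block this hunk belongs to starts before the hunk.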
@@ -36,18 +36,18 @@ then head -c16 /dev/urandom | base64 | tr -d '=' > /secrets/mas/client.secret fi -if [[ ! -f /secrets/postgres/postgres_password ]] +if [[ ! -s /secrets/postgres/postgres_password ]] then mkdir -p /secrets/postgres head -c16 /dev/urandom | base64 | tr -d '=' > /secrets/postgres/postgres_password fi mkdir -p /secrets/livekit -if [[ ! -f /secrets/livekit/livekit_api_key ]] +if [[ ! -s /secrets/livekit/livekit_api_key ]] then (echo -n API; (head -c8 /dev/urandom | base64)) | tr -d '=' > /secrets/livekit/livekit_api_key fi -if [[ ! -f /secrets/livekit/livekit_secret_key ]] +if [[ ! -s /secrets/livekit/livekit_secret_key ]] then head -c28 /dev/urandom | base64 | tr -d '=' > /secrets/livekit/livekit_secret_key fi diff --git a/secrets/livekit/livekit_api_key b/secrets/livekit/livekit_api_key new file mode 100644 index 0000000..e69de29 diff --git a/secrets/livekit/livekit_secret_key b/secrets/livekit/livekit_secret_key new file mode 100644 index 0000000..e69de29 diff --git a/secrets/postgres/postgres_password b/secrets/postgres/postgres_password new file mode 100644 index 0000000..e69de29 diff --git a/secrets/synapse/signing.key b/secrets/synapse/signing.key new file mode 100644 index 0000000..e69de29
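Review bot: The three `-s` guards now write into files that this commit adds to the repository as empty tracked files with mode 100644 (`secrets/postgres/postgres_password`, `secrets/livekit/livekit_api_key`, `secrets/livekit/livekit_secret_key`), so the `> /secrets/...` redirections fill a pre-existing world-readable file rather than creating a fresh one, and the generated values then show up as modifications to tracked files that a routine `git add -A` would commit. Because the placeholders already exist, a `umask 077` would not help here; a `chmod 600` after each write (or on the whole /secrets tree at the end of the script) is needed to keep the host copies private. The accidental-commit risk should be addressed too, for example by documenting `git update-index --skip-worktree` for the placeholder files in the README, or by creating the blank files from init rather than tracking them. The same applies to the synapse extraction block earlier in the file, which writes into the tracked `secrets/synapse/signing.key`.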