blank secrets to aid bootstrap

This commit is contained in:
Matthew Hodgson
2024-11-05 16:16:19 +00:00
parent defa69734a
commit 827c09394c
7 changed files with 12 additions and 8 deletions


@@ -56,5 +56,6 @@ docker compose exec mas mas-cli -c /data/config.yaml doctor
* [x] sort out the networking
* [x] make nginx do something useful when running on a local workstation
* [ ] hook up letsencrypt to nginx properly
* [ ] hook up livekit properly
* [ ] make it work
* [x] hook up livekit properly
* [x] make it work


@@ -6,13 +6,15 @@ secrets:
postgres_password:
file: secrets/postgres/postgres_password
synapse_signing_key:
file: secrets/synapse/${DOMAIN}.signing.key
file: secrets/synapse/signing.key
livekit_api_key:
file: secrets/livekit/livekit_api_key
livekit_secret_key:
file: secrets/livekit/livekit_secret_key
services:
# XXX: consider factor out secret generation from the compose.yml
# dependencies for optionally generating default configs + secrets
generate-synapse-secrets:
image: ghcr.io/element-hq/synapse:latest
@@ -287,6 +289,7 @@ services:
build:
# evil hack to pull in bash so we can run an entrypoint.sh
# FIXME: it's a bit wasteful; the alternative would be to modify lk-jwt-service to pick up secrets from disk
# Another alternative would be to factor out secret generation from compose.yml and create an .env up front
dockerfile_inline: |
FROM ghcr.io/element-hq/lk-jwt-service:latest-ci AS builder
FROM alpine:latest
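Review bot: The synapse signing-key secret now maps to the fixed path `secrets/synapse/signing.key` while the generate step in this same commit still produces it as `/data/synapse/${DOMAIN}.signing.key` and renames it on the way out, so a wrong or changed `DOMAIN` at generate time fails the rename rather than the compose file; a comment on the `synapse_signing_key` entry such as `# generated by generate-synapse-secrets; the entrypoint renames ${DOMAIN}.signing.key to this fixed name` would make that coupling visible. Compose also requires every `file:` secret to exist before `up`, which appears to be why blank placeholder files are added in this commit; it is worth saying so next to the `secrets:` block, since an empty file here is otherwise easy to mistake for a missing secret. Separately, the containers that generate and serve these secrets run from floating tags (`synapse:latest`, `lk-jwt-service:latest-ci`, `alpine:latest`); for the stage that produces long-lived signing material a pinned tag or digest would keep bootstrap reproducible. The `services:` block continues outside the hunk.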


@@ -9,7 +9,7 @@ set -e
# by this point, synapse & mas should generated default config files & secrets
# via generate-synapse-secrets.sh and generate-mas-secrets.sh
if [[ ! -f /secrets/synapse/${DOMAIN}.signing.key ]] # TODO: check for existence of other secrets?
if [[ ! -s /secrets/synapse/signing.key ]] # TODO: check for existence of other secrets?
then
# extract synapse secrets from the config and move them into ./secrets
echo "Extracting generated synapse secrets..."
@@ -19,7 +19,7 @@ then
yq .$secret /data/synapse/homeserver.yaml.default > /secrets/synapse/$secret
done
# ...and files too, just to keep all our secrets in one place
mv /data/synapse/${DOMAIN}.signing.key /secrets/synapse
mv /data/synapse/${DOMAIN}.signing.key /secrets/synapse/signing.key
fi
if [[ ! -f /secrets/mas/secrets ]] # TODO: check for existence of other secrets?
@@ -36,18 +36,18 @@ then
head -c16 /dev/urandom | base64 | tr -d '=' > /secrets/mas/client.secret
fi
if [[ ! -f /secrets/postgres/postgres_password ]]
if [[ ! -s /secrets/postgres/postgres_password ]]
then
mkdir -p /secrets/postgres
head -c16 /dev/urandom | base64 | tr -d '=' > /secrets/postgres/postgres_password
fi
mkdir -p /secrets/livekit
if [[ ! -f /secrets/livekit/livekit_api_key ]]
if [[ ! -s /secrets/livekit/livekit_api_key ]]
then
(echo -n API; (head -c8 /dev/urandom | base64)) | tr -d '=' > /secrets/livekit/livekit_api_key
fi
if [[ ! -f /secrets/livekit/livekit_secret_key ]]
if [[ ! -s /secrets/livekit/livekit_secret_key ]]
then
head -c28 /dev/urandom | base64 | tr -d '=' > /secrets/livekit/livekit_secret_key
fi
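Review bot: The mas check at `if [[ ! -f /secrets/mas/secrets ]]` is the one existence test in this script not switched from `-f` to `-s`, so if a blank placeholder is ever shipped for mas as it now is for the other secrets, its generation would be silently skipped; `if [[ ! -s /secrets/mas/secrets ]]` keeps the four checks consistent (whether a mas placeholder exists is not visible in this diff). The `-s` test also means an existing but truncated secret file is regenerated rather than reported, which for the synapse signing key would change the server's identity; a comment on the first check, `# -s: a blank placeholder committed for compose counts as "not yet generated"`, records the intent and the trade-off. The generated values are written with the inherited umask; if the secrets directory is shared, setting `umask 077` near the top of the script before the first redirect would be a cheap hardening. The surrounding `if`/`then` blocks start outside the hunks.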



