From a98964d36976c5f4a68ebf109457dafeca9a4dce Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Tue, 13 Jun 2023 08:13:15 -0400
Subject: synapse: store signing key in host_vars

---
 roles/synapse/README.md      | 3 +++
 roles/synapse/tasks/main.yml | 14 ++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)
(limited to 'roles')

diff --git a/roles/synapse/README.md b/roles/synapse/README.md
index 7e6255e..19cec2c 100644
--- a/roles/synapse/README.md
+++ b/roles/synapse/README.md
@@ -18,6 +18,8 @@ If your Matrix domain differs from the public hostname of your synapse server
 in order to federate with other instances. See the [sample webserver playbook](../../playbooks/webserver_public_example.yml) for an example of how to do this.
+The secrets can be generated using `python -m synapse.app.homeserver --generate-config`.
+
 Variables
 ---------
@@ -44,6 +46,7 @@ Variable | Default
 `synapse_registration_shared_secret` |   | Secret passphrase to allow registration even when disabled (optional)
 `synapse_macaroon_secret_key` |   | Secret signing key for various tokens (required)
 `synapse_form_secret` |   | Secret key for various form HMACs (required)
+`synapse_signing_key` |   | Signing key (required)
 `synapse_turn_host` | `{{ coturn_realm }}` | TURN server hostname
 `synapse_turn_secret` | `{{ coturn_auth_secret }}` | TURN server shared secret
 `synapse_enable_email_notifications` | yes | Enable email notifications
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
index febe3c6..b8140c4 100644
--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
@@ -31,18 +31,20 @@
     dest: '{{ synapse_home }}/{{ item }}'
     owner: '{{ synapse_user }}'
     group: '{{ synapse_user }}'
-    mode: 0600
+    mode: 0644
   notify: restart synapse
   loop:
     - homeserver.yaml
     - logging.config

 - name: generate signing key
-  shell:
-    cmd: >-
-      source {{ synapse_venv }}/bin/activate &&
-      python -m synapse.app.homeserver --config-path {{ synapse_home }}/homeserver.yaml --generate-keys
-    creates: '{{ synapse_home }}/{{ synapse_domain }}.signing.key'
+  copy:
+    content: |
+      {{ synapse_signing_key }}
+    dest: '{{ synapse_home }}/{{ synapse_domain }}.signing.key'
+    owner: '{{ synapse_user }}'
+    group: '{{ synapse_user }}'
+    mode: 0644
   become: yes
   become_user: '{{ synapse_user }}'
-- cgit
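Review bot: The new `mode: 0644` on the homeserver.yaml/logging.config copy and on the new signing-key task makes the private signing key and the secret-bearing homeserver.yaml (it holds the macaroon, form and registration secrets listed in the README) world-readable, where the previous `0600` was not; both files are owned by `{{ synapse_user }}`, which the tasks also run as via `become_user`, so unless another process on the host must read them, keep `mode: '0600'` on both (quoted, so the octal mode survives YAML parsing rather than relying on the leading-zero heuristic). The task name `generate signing key` no longer describes the body, which now installs a key taken from `synapse_signing_key`; `- name: install signing key` would match. Because `content:` carries the private key, adding `no_log: true` to that task keeps the key out of verbose and `--diff` output, which otherwise prints the file content. The enclosing task list starts before the hunk, and the preceding task's module and name are outside it.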