Generate key

roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -128,6 +128,41 @@
   become: true
   become_user: "{{ matrix_user_name }}"
 
+- name: Check if an authenticated media signing key exists
+  ansible.builtin.stat:
+    path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+  register: matrix_appservice_irc_stat_auth_media_key
+
+- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
+  block:
+  - name: Generate IRC appservice signing key for authenticated media
+    community.docker.docker_container:
+      name: "create-auth-media-jwk-key"
+      image: "{{ matrix_appservice_irc_docker_image }}"
+      cleanup: yes
+      network_mode: none
+      entrypoint: "/usr/local/bin/node"
+      command: >
+        -e "const webcrypto = require('node:crypto');
+        async function main() {
+            const key = await webcrypto.subtle.generateKey({
+                name: 'HMAC',
+                hash: 'SHA-512',
+            }, true, ['sign', 'verify']);
+            console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
+        }
+        main().then(() => process.exit(0)).catch(err => { throw err });"
+      detach: false
+    register: matrix_appservice_irc_jwk_result
+
+  - name: Write auth media signing key to file
+    ansible.builtin.copy:
+      content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
+      dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+      mode: "0644"
+      owner: "{{ matrix_user_username }}"
+      group: "{{ matrix_user_groupname }}"
+
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
 - name: (Migration) Ensure Appservice IRC passkey permissions are okay

roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2

@@ -137,13 +137,13 @@ ircService:
   mediaProxy:
     # To generate a .jwk file:
     # $ node src/generate-signing-key.js > signingkey.jwk
-    signingKeyPath: "signingkey.jwk"
+    signingKeyPath: "/data/auth-media.jwk"
     # How long should the generated URLs be valid for
-    ttlSeconds: 3600
+    ttlSeconds: 604800
     # The port for the media proxy to listen on
-    bindPort: 11111
+    bindPort: {{ matrix_media_repo_port | to_json }}
     # The publically accessible URL to the media proxy
-    publicUrl: "https://irc.bridge/media"
+    publicUrl: "{{ matrix_appservice_irc_homeserver_media_url }}"
 
 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.