Improve steps to set VAPID

mollyim · Nov 21, 2024 · c2cec1e · c2cec1e
1 parent 11a9e48
commit c2cec1e
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 10 deletions.
diff --git a/INSTALL.md b/INSTALL.md
@@ -44,12 +44,12 @@ Download the [systemd unit file](https://github.com/mollyim/mollysocket/raw/main
 
 ### Add a VAPID key
 
-#### (Recommended) With systemd-creds
+#### Option 1. With systemd-creds (Recommended)
 
-You can use [systemd-creds](https://systemd.io/CREDENTIALS/) to encrypt the vapid key:
+You can use [systemd-creds](https://systemd.io/CREDENTIALS/) to encrypt the vapid key. Run the following command as _root_ to get the systemd-creds parameters:
 
 ```console
-# mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -
+# sudo -u mollysocket mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -
 SetCredentialEncrypted=ms_vapid: \
         k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
         AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
@@ -73,9 +73,16 @@ SetCredentialEncrypted=ms_vapid: \
 Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
 ```
 
-#### Plaintext
+#### Option 2. Plaintext
 
-It is also possible to pass this value in plaintext. Add the value of `mollysocket vapid gen` to an environment variable in your unit file:
+It is also possible to pass the value of the vapid key in plaintext to an environment variable in your unit file. Run the following command as _mollysocket_ user:
+
+```console
+$ mollysocket vapid gen
+DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI
+```
+
+And use the output of the command in your systemd unit file:
 
 ```ini
 [Service]

diff --git a/README.md b/README.md
@@ -70,11 +70,15 @@ To generate a new key, you can run this command `mollysocket vapid gen`. Or usin
 
 This value can be passed to mollysocket via a file, location given with `vapid_key_file` parameter, or directly in the `vapid_privkey` parameter. _The key file takes the precedence_.
 
-#### If you want to use systemd-creds
+#### With docker-compose
 
-To pass this value to mollysocket, you may wish to use [systemd-creds](https://systemd.io/CREDENTIALS/). This allows you to store securely the VAPID key.
+The easiest way to pass the VAPID key when using docker compose is to pass it with the `MOLLY_VAPID_PRIVKEY` environment variable. See [docker-compose.yml](docker-compose.yml).
 
-If you have installed your systemd service in [user mode](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Unit%20File%20Load%20Path), adds `--user` to systemd-creds commands.
+#### With a systemd service
+
+If you use a [systemd service](mollysocket.service) for MollySocket, you may wish to use [systemd-creds](https://systemd.io/CREDENTIALS/) to store securely the VAPID key.
+
+<sup>If you have installed your systemd service in [user mode](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Unit%20File%20Load%20Path), adds `--user` to systemd-creds commands.</sup>
 
 ```console
 $ # Service installed in user mode:
@@ -105,15 +109,22 @@ SetCredentialEncrypted=ms_vapid: \
 Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
 ```
 
-#### `allowed_endpoints`
+Alternatively, you can store the VAPID key in cleartext in the systemd unit file:
+
+```ini
+[Service]
+Environment=MOLLY_VAPID_PRIVKEY=DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI
+```
+
+### `allowed_endpoints`
 
 These are the UnifiedPush endpoints that MollySocket may use to push notifications with. 
 
 ⚠️ **If you self-host your push server, add your push server to the `allowed_endpoints`.** ⚠️
 
 That's because, for security reasons, endpoints on your local network must be allowed explicitly. You just have to set the scheme (https), the domain and the port if required. For instance `allowed_endpoints=['https://push.mydomain.tld']`
 
-#### `allowed_uuids`
+### `allowed_uuids`
 
 You can allow registration for all accounts by setting `allowed_uuids` to `['*']`. Else set your account ids in the array: `['account_id1','account_id2']`.
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,6 +14,8 @@ services:
       # Do not add space in the array ["http://a.tld","*"]
       - MOLLY_ALLOWED_ENDPOINTS=["*"]
       - MOLLY_ALLOWED_UUIDS=["*"]
+      # TODO:
+      #- MOLLY_VAPID_PRIVKEY="paste output of `docker compose mollysocket vapid gen` here"
       - MOLLY_HOST=0.0.0.0
       - MOLLY_PORT=8020
       - RUST_LOG=info

diff --git a/mollysocket.service b/mollysocket.service
@@ -8,6 +8,14 @@ Environment="RUST_LOG=info"
 Environment="MOLLY_CONF=/opt/mollysocket/prod.toml"
 WorkingDirectory=/opt/mollysocket/
 
+# TODO: set VAPID key
+# Option 1, with systemd-creds
+# SetCredentialEncrypted=[...] output of `mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -`
+# Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
+#
+# Option 2, key stored in plaintext
+# Environment=MOLLY_VAPID_PRIVKEY=[...] output of `mollysocket vapid gen`
+
 User=mollysocket
 Group=mollysocket
 UMask=0007