From c2cec1edf6163c4a4dff06c5be764a20d67d59e2 Mon Sep 17 00:00:00 2001 From: sim Date: Thu, 21 Nov 2024 13:56:40 +0000 Subject: [PATCH] Improve steps to set VAPID --- INSTALL.md | 17 ++++++++++++----- README.md | 21 ++++++++++++++++----- docker-compose.yml | 2 ++ mollysocket.service | 8 ++++++++ 4 files changed, 38 insertions(+), 10 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 8d8b631..dda7e5c 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -44,12 +44,12 @@ Download the [systemd unit file](https://github.com/mollyim/mollysocket/raw/main ### Add a VAPID key -#### (Recommended) With systemd-creds +#### Option 1. With systemd-creds (Recommended) -You can use [systemd-creds](https://systemd.io/CREDENTIALS/) to encrypt the vapid key: +You can use [systemd-creds](https://systemd.io/CREDENTIALS/) to encrypt the vapid key. Run the following command as _root_ to get the systemd-creds parameters: ```console -# mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - - +# sudo -u mollysocket mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - - SetCredentialEncrypted=ms_vapid: \ k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \ AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \ @@ -73,9 +73,16 @@ SetCredentialEncrypted=ms_vapid: \ Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid ``` -#### Plaintext +#### Option 2. Plaintext -It is also possible to pass this value in plaintext. Add the value of `mollysocket vapid gen` to an environment variable in your unit file: +It is also possible to pass the value of the vapid key in plaintext to an environment variable in your unit file. Run the following command as _mollysocket_ user: + +```console +$ mollysocket vapid gen +DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI +``` + +And use the output of the command in your systemd unit file: ```ini [Service] diff --git a/README.md b/README.md index 30f5bbb..7ff11de 100644 --- a/README.md +++ b/README.md 
@@ -70,11 +70,15 @@ To generate a new key, you can run this command `mollysocket vapid gen`. Or usin This value can be passed to mollysocket via a file, location given with `vapid_key_file` parameter, or directly in the `vapid_privkey` parameter. _The key file takes the precedence_. -#### If you want to use systemd-creds +#### With docker-compose -To pass this value to mollysocket, you may wish to use [systemd-creds](https://systemd.io/CREDENTIALS/). This allows you to store securely the VAPID key. +The easiest way to pass the VAPID key when using docker compose is to pass it with the `MOLLY_VAPID_PRIVKEY` environment variable. See [docker-compose.yml](docker-compose.yml). -If you have installed your systemd service in [user mode](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Unit%20File%20Load%20Path), adds `--user` to systemd-creds commands. +#### With a systemd service + +If you use a [systemd service](mollysocket.service) for MollySocket, you may wish to use [systemd-creds](https://systemd.io/CREDENTIALS/) to store securely the VAPID key. + +If you have installed your systemd service in [user mode](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Unit%20File%20Load%20Path), adds `--user` to systemd-creds commands. ```console $ # Service installed in user mode: @@ -105,7 +109,14 @@ SetCredentialEncrypted=ms_vapid: \ Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid ``` -#### `allowed_endpoints` +Alternatively, you can store the VAPID key in cleartext in the systemd unit file: + +```ini +[Service] +Environment=MOLLY_VAPID_PRIVKEY=DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI +``` + +### `allowed_endpoints` These are the UnifiedPush endpoints that MollySocket may use to push notifications with. 
@@ -113,7 +124,7 @@ These are the UnifiedPush endpoints that MollySocket may use to push notificatio That's because, for security reasons, endpoints on your local network must be allowed explicitly. You just have to set the scheme (https), the domain and the port if required. For instance `allowed_endpoints=['https://push.mydomain.tld']` -#### `allowed_uuids` +### `allowed_uuids` You can allow registration for all accounts by setting `allowed_uuids` to `['*']`. Else set your account ids in the array: `['account_id1','account_id2']`. diff --git a/docker-compose.yml b/docker-compose.yml index a2c049b..2ab019d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,6 +14,8 @@ services: # Do not add space in the array ["http://a.tld","*"] - MOLLY_ALLOWED_ENDPOINTS=["*"] - MOLLY_ALLOWED_UUIDS=["*"] + # TODO: + #- MOLLY_VAPID_PRIVKEY="paste output of `docker compose mollysocket vapid gen` here" - MOLLY_HOST=0.0.0.0 - MOLLY_PORT=8020 - RUST_LOG=info diff --git a/mollysocket.service b/mollysocket.service index d30b82e..5545426 100644 --- a/mollysocket.service +++ b/mollysocket.service @@ -8,6 +8,14 @@ Environment="RUST_LOG=info" Environment="MOLLY_CONF=/opt/mollysocket/prod.toml" WorkingDirectory=/opt/mollysocket/ +# TODO: set VAPID key +# Option 1, with systemd-creds +# SetCredentialEncrypted=[...] output of `mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -` +# Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid +# +# Option 2, key stored in plaintext +# Environment=MOLLY_VAPID_PRIVKEY=[...] output of `mollysocket vapid gen` + User=mollysocket Group=mollysocket UMask=0007
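Review bot: The commented placeholder `#- MOLLY_VAPID_PRIVKEY="paste output of \`docker compose mollysocket vapid gen\` here"` names a command that Compose will reject, since `mollysocket` is a service name and not a Compose subcommand; presumably the intended invocation is `docker compose run --rm mollysocket vapid gen`, assuming the image's entrypoint is the mollysocket binary. The surrounding double quotes will likely be handed to the container as part of the value in this list form of `environment:`, unlike the sibling `MOLLY_ALLOWED_*` entries where the quotes belong to the array syntax, so the example is safer written without them, e.g. `#- MOLLY_VAPID_PRIVKEY=<paste output of docker compose run --rm mollysocket vapid gen here>`. A value placed on this line also ends up in the compose file itself and in `docker inspect` output, so a one-line comment pointing to an `env_file` kept outside version control as the preferred home for the private key would help readers who copy this file into a repository.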
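Review bot: The Option 1 comment quotes `mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -`, but the INSTALL.md hunk in this same commit changes that step to run `sudo -u mollysocket mollysocket vapid gen` as root, so the unit file and the install guide now disagree on how the key is generated. The comment should match the guide: `# SetCredentialEncrypted=[...] output of: sudo -u mollysocket mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -`. Option 2 would also benefit from stating its trade-off where the choice is made, because an `Environment=` value in a unit file is readable by any local user who can read the unit or query it with `systemctl show`, so the plaintext key is not confined to the service account. A line such as `# Note: Environment= values are visible to local users (unit file, systemctl show); prefer Option 1, or EnvironmentFile= pointing at a root-owned file with mode 0600` would document that without changing the defaults.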