From e0e801956a8896d95266f1f2209f43a6413b002e Mon Sep 17 00:00:00 2001
From: Till JS
Date: Wed, 8 Apr 2026 15:58:19 +0200
Subject: [PATCH] fix(mac-mini): pass MANA_AUTH_KEK through to mana-auth container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mana-auth's config.ts has hard-failed startup since commit e9915428c (phase 2 encryption vault) when MANA_AUTH_KEK is unset in production. .env.macmini.example documents the variable, but the docker-compose service definition for mana-auth never had a corresponding MANA_AUTH_KEK: ${MANA_AUTH_KEK} line in its environment block, so even when the variable was set in the host .env, it never reached the container. Result: every restart since yesterday looped on "MANA_AUTH_KEK env var is required in production".

Added the env passthrough alongside BETTER_AUTH_SECRET with an inline comment pointing at the generation command + service CLAUDE.md.

Operator action required on the Mac Mini:

KEK=$(openssl rand -base64 32)
echo "MANA_AUTH_KEK=$KEK" >> .env
./scripts/mac-mini/build-app.sh mana-auth # or compose up -d mana-auth

Then back the value up — it cannot be rotated today without re-wrapping all existing user vaults (no background re-wrap job yet, kek_id column on encryption_vaults is reserved for the future migration path).
---
 docker-compose.macmini.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docker-compose.macmini.yml b/docker-compose.macmini.yml
index 39eb05e97..2ed8479ca 100644
--- a/docker-compose.macmini.yml
+++ b/docker-compose.macmini.yml
@@ -271,10 +271,12 @@ services:
       MANA_SUBSCRIPTIONS_URL: http://mana-subscriptions:3063
       SYNC_DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:-mana123}@postgres:5432/mana_platform
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET:-${JWT_SECRET:-your-jwt-secret-change-me}}
+      # KEK for the encryption-vault feature (Phase 9). Required in production
+      # — generate with `openssl rand -base64 32`. See services/mana-auth/CLAUDE.md.
+      MANA_AUTH_KEK: ${MANA_AUTH_KEK}
       MANA_NOTIFY_URL: http://mana-notify:3013
-      SYNAPSE_OIDC_CLIENT_SECRET: ${SYNAPSE_OIDC_CLIENT_SECRET:-}
       MAX_DAILY_SIGNUPS: ${MAX_DAILY_SIGNUPS:-0}
-      CORS_ORIGINS: https://mana.how,https://calendar.mana.how,https://chat.mana.how,https://clock.mana.how,https://contacts.mana.how,https://context.mana.how,https://docs.mana.how,https://element.mana.how,https://inventar.mana.how,https://link.mana.how,https://cards.mana.how,https://matrix.mana.how,https://music.mana.how,https://nutriphi.mana.how,https://photos.mana.how,https://picture.mana.how,https://planta.mana.how,https://playground.mana.how,https://presi.mana.how,https://questions.mana.how,https://skilltree.mana.how,https://storage.mana.how,https://times.mana.how,https://todo.mana.how,https://traces.mana.how,https://zitare.mana.how
+      CORS_ORIGINS: https://mana.how,https://calendar.mana.how,https://chat.mana.how,https://clock.mana.how,https://contacts.mana.how,https://context.mana.how,https://docs.mana.how,https://inventar.mana.how,https://cards.mana.how,https://music.mana.how,https://nutriphi.mana.how,https://photos.mana.how,https://picture.mana.how,https://planta.mana.how,https://playground.mana.how,https://presi.mana.how,https://questions.mana.how,https://skilltree.mana.how,https://storage.mana.how,https://times.mana.how,https://todo.mana.how,https://traces.mana.how,https://zitare.mana.how
     ports:
       - "3001:3001"
     healthcheck:
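Review bot: `MANA_AUTH_KEK: ${MANA_AUTH_KEK}` interpolates to an empty string when the host `.env` still lacks the variable, so a missing KEK only surfaces inside config.ts after the container has started — the same restart loop the description reports, with a less obvious cause. Compose's required-variable form, `MANA_AUTH_KEK: ${MANA_AUTH_KEK:?MANA_AUTH_KEK is required - see services/mana-auth/CLAUDE.md}`, makes `compose up` itself fail with an operator-readable message before any container is created, which matches the intent of the new comment. The same hunk also drops `SYNAPSE_OIDC_CLIENT_SECRET` and removes the element, link and matrix entries from `CORS_ORIGINS`; neither change is mentioned in the description, so if they are intentional they deserve a sentence there, otherwise they look like an unrelated edit bundled into this fix. The added comment says "Phase 9" while the description calls the same feature "phase 2 encryption vault" — one of the two is presumably stale and worth aligning.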