Ensure Meilisearch master key is valid

Alexandre
2025-12-07 11:12:45 +01:00
parent f34d5a57d0
commit 4a94be10ed
4 changed files with 39 additions and 2 deletions


@@ -1,3 +1,6 @@
## v5.0_beta5-8 (07-12-2025)
- Generate and persist a secure Meilisearch master key when none is provided or when configured keys are too short.
## v5.0_beta5-7 (06-12-2025)
- Minor bugs fixed
## v5.0_beta5-6 (17-11-2025)
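Review bot: The new v5.0_beta5-8 entry says keys that are "too short" are replaced but does not give the limit. The init script in this commit compares the key length against 16, so name that minimum here and say that a shorter configured key is replaced by a generated one rather than used, so that users who set a short key can tell from the changelog why it stopped being honoured.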


@@ -112,7 +112,7 @@ Configure SMTP settings to enable:
This addon supports custom scripts and environment variables through the `addon_config` mapping:
- **Meilisearch full-text search**: The addon ships with an embedded [Meilisearch](https://www.meilisearch.com/) service that Monica uses by default. The search API listens on `http://127.0.0.1:7700` inside the container. Override `MEILISEARCH_URL` via `env_vars` if you prefer an external Meilisearch instance—the init script will detect that and skip starting the bundled daemon. You can further tweak Meilisearch by defining extra environment variables through the `env_vars` option if needed. To secure (or disable) Meilisearch authentication without custom env vars, set the `meilisearch_key` add-on option; the init script will pass it to both Monica and the bundled Meilisearch instance.
- **Meilisearch full-text search**: The addon ships with an embedded [Meilisearch](https://www.meilisearch.com/) service that Monica uses by default. The search API listens on `http://127.0.0.1:7700` inside the container. Override `MEILISEARCH_URL` via `env_vars` if you prefer an external Meilisearch instance—the init script will detect that and skip starting the bundled daemon. You can further tweak Meilisearch by defining extra environment variables through the `env_vars` option if needed. To secure (or disable) Meilisearch authentication without custom env vars, set the `meilisearch_key` add-on option; the init script will pass it to both Monica and the bundled Meilisearch instance. If you prefer to manage the key yourself, you can also provide `MEILI_MASTER_KEY` through `env_vars`, which the add-on now uses as a fallback when no `meilisearch_key` is configured. When neither is set (or they are too short), the add-on now generates a persistent 32-byte key in `/data/meilisearch_master_key` so Meilisearch always starts with a valid master key.
- **Custom scripts**: See [Running Custom Scripts in Addons](https://github.com/alexbelgium/hassio-addons/wiki/Running-custom-scripts-in-Addons)
- **env_vars option**: Use the add-on `env_vars` option to pass extra environment variables (uppercase or lowercase names). See https://github.com/alexbelgium/hassio-addons/wiki/Add-Environment-variables-to-your-Addon-2 for details.
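Review bot: The rewritten Meilisearch bullet still says the `meilisearch_key` option can "secure (or disable)" authentication, while its new closing sentence says a key is generated whenever none is set or the configured one is too short, so the text no longer explains how authentication could be disabled; drop "(or disable)" or document the opt-out. The same sentence describes a "32-byte key", but the script stores the output of `openssl rand -hex 32`, which is 64 hexadecimal characters encoding 32 random bytes, and "too short" should state the 16 minimum that the script enforces.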


@@ -108,5 +108,5 @@ services:
- mysql:want
slug: monica
url: https://github.com/alexbelgium/hassio-addons/tree/master/monica
version: v5.0_beta5-7
version: v5.0_beta5-8
webui: "[PROTO:ssl]://[HOST]:[PORT:80]"


@@ -144,6 +144,40 @@ if [[ "${MEILISEARCH_LOCAL}" == true ]]; then
mkdir -p "${MEILISEARCH_DB_PATH}"
MEILISEARCH_ENV_KEY="$(bashio::config 'meilisearch_key')"
GENERATED_MEILI_KEY_FILE="/data/meilisearch_master_key"
# Treat unset/"null" config as empty so we don't feed an invalid key to Meilisearch
if [ "${MEILISEARCH_ENV_KEY}" = "null" ]; then
MEILISEARCH_ENV_KEY=""
fi
# Reject too-short keys so the service can start even with a bad config
if [ -n "${MEILISEARCH_ENV_KEY}" ] && [ "${#MEILISEARCH_ENV_KEY}" -lt 16 ]; then
bashio::log.warning "Configured meilisearch_key is shorter than 16 bytes; generating a secure key instead."
MEILISEARCH_ENV_KEY=""
fi
# Fall back to MEILI_MASTER_KEY when present and valid
if [ -z "${MEILISEARCH_ENV_KEY}" ]; then
if [ -n "${MEILI_MASTER_KEY:-}" ] && [ "${#MEILI_MASTER_KEY}" -ge 16 ]; then
MEILISEARCH_ENV_KEY="${MEILI_MASTER_KEY}"
elif [ -n "${MEILI_MASTER_KEY:-}" ] && [ "${#MEILI_MASTER_KEY}" -lt 16 ]; then
bashio::log.warning "Provided MEILI_MASTER_KEY is shorter than 16 bytes; generating a secure key instead."
fi
fi
# Persist and reuse a generated key when none was provided
if [ -z "${MEILISEARCH_ENV_KEY}" ]; then
if [ -s "${GENERATED_MEILI_KEY_FILE}" ]; then
MEILISEARCH_ENV_KEY="$(cat "${GENERATED_MEILI_KEY_FILE}")"
else
MEILISEARCH_ENV_KEY="$(openssl rand -hex 32)"
echo "${MEILISEARCH_ENV_KEY}" > "${GENERATED_MEILI_KEY_FILE}"
chmod 600 "${GENERATED_MEILI_KEY_FILE}"
bashio::log.info "Generated persistent Meilisearch master key at ${GENERATED_MEILI_KEY_FILE}."
fi
fi
MEILISEARCH_KEY="${MEILISEARCH_ENV_KEY}"
export MEILISEARCH_KEY
MEILISEARCH_ENVIRONMENT="${MEILI_ENV:-production}"
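Review bot: In the generation branch, `echo "${MEILISEARCH_ENV_KEY}" > "${GENERATED_MEILI_KEY_FILE}"` creates the key file under the process's current umask and only the following `chmod 600` restricts it, so the master key can exist briefly with wider permissions; create the file already restricted, for example `( umask 077; printf '%s\n' "${MEILISEARCH_ENV_KEY}" > "${GENERATED_MEILI_KEY_FILE}" )`. The result of `openssl rand -hex 32` is not checked either: if it fails and the script continues, an empty value is written and exported as `MEILISEARCH_KEY`, so test that the value is non-empty before persisting it. A key read back from the file is used without the length check applied to the other two sources, and the warning for a short `meilisearch_key` says a key will be generated even when a valid `MEILI_MASTER_KEY` is then picked up instead.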