background: I might want to integrate offline master key functionality into ansible-relayor [1].
I added (preliminary) OfflineMasterKey support to ansible-relayor [1] - in fact it will become the only option eventually as it makes many things actually simpler. Would be great if someone could take a look and let me know whether it looks reasonable.
The security critical parts are probably
- key generation [2]
- copying of key material to the relay [3]
I copy/expose the following files to the relay:
[ 'ed25519_master_id_public_key', 'ed25519_signing_cert', 'ed25519_signing_secret_key', 'secret_id_key', 'secret_onion_key', 'secret_onion_key_ntor']
[1] https://github.com/nusenu/ansible-relayor/commit/2c4040df7848f382ced02b43f35...
[2] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca...
[3] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca...
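An added sanity check, written for this thread and not part of the post or of ansible-relayor, that audits a relay's keys directory against the file list above: the six listed files must be present, the secret ones must not be group/world readable, and the offline master secret key (ed25519_master_id_secret_key, the file OfflineMasterKey is meant to keep off the relay) must be absent. The file names come from the post; the sample directory and its contents are constructed placeholders.

```python
import stat
import tempfile
from pathlib import Path

# Files the post copies to the relay when OfflineMasterKey is in use.
RELAY_KEY_FILES = {
    "ed25519_master_id_public_key",
    "ed25519_signing_secret_key",
    "ed25519_signing_cert",
    "secret_id_key",
    "secret_onion_key",
    "secret_onion_key_ntor",
}
# The file that must stay on the offline machine and never reach the relay.
OFFLINE_ONLY_FILES = {"ed25519_master_id_secret_key"}


def audit_relay_keys_dir(keys_dir):
    """Return a list of findings for a relay's keys directory; empty means OK."""
    keys_dir = Path(keys_dir)
    if not keys_dir.is_dir():
        return [f"keys directory not found: {keys_dir}"]
    findings = []
    present = {p.name for p in keys_dir.iterdir() if p.is_file()}
    for name in sorted(RELAY_KEY_FILES - present):
        findings.append(f"missing: {name}")
    for name in sorted(OFFLINE_ONLY_FILES & present):
        findings.append(f"offline master secret key present on relay: {name}")
    for name in sorted(RELAY_KEY_FILES & present):
        mode = stat.S_IMODE((keys_dir / name).stat().st_mode)
        # Anything holding private key material must be owner-only.
        if "secret" in name and mode & 0o077:
            findings.append(f"group/world-accessible secret: {name} ({mode:04o})")
    return findings


def make_sample_dir(include_master_secret=False, loose_mode=False):
    """Build a constructed keys directory with placeholder bytes (no real keys)."""
    d = Path(tempfile.mkdtemp())
    for name in RELAY_KEY_FILES:
        p = d / name
        p.write_bytes(b"constructed placeholder, not real key material\n")
        p.chmod(0o600)
    if loose_mode:  # simulate a bad copy step that left a secret world-readable
        (d / "secret_id_key").chmod(0o644)
    if include_master_secret:  # simulate the master secret key leaking onto the relay
        (d / "ed25519_master_id_secret_key").write_bytes(b"placeholder\n")
    return d
```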