Add WebAuthn config; Docker single-mount
- Add [webauthn] section to all config examples - Add active WebAuthn config to run/mcias.conf - Update Dockerfile to use /srv/mcias single mount - Add WebAuthn and TOTP sections to RUNBOOK.md - Fix TOTP QR display (template.URL type) - Add --force-rm to docker build in Makefile Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
28
Dockerfile
28
Dockerfile
@@ -6,7 +6,7 @@
|
||||
# The final image:
|
||||
# - Runs as non-root uid 10001 (mcias)
|
||||
# - Exposes port 8443 (REST/TLS) and 9443 (gRPC/TLS)
|
||||
# - Declares VOLUME /data for the SQLite database
|
||||
# - Declares VOLUME /srv/mcias for config, TLS, and database
|
||||
# - Does NOT contain the Go toolchain, source code, or build cache
|
||||
#
|
||||
# Build:
|
||||
@@ -15,8 +15,7 @@
|
||||
# Run:
|
||||
# docker run -d \
|
||||
# --name mcias \
|
||||
# -v /path/to/config:/etc/mcias:ro \
|
||||
# -v mcias-data:/data \
|
||||
# -v /srv/mcias:/srv/mcias \
|
||||
# -e MCIAS_MASTER_PASSPHRASE=your-passphrase \
|
||||
# -p 8443:8443 \
|
||||
# -p 9443:9443 \
|
||||
@@ -72,17 +71,15 @@ COPY --from=builder /out/mciasctl /usr/local/bin/mciasctl
|
||||
COPY --from=builder /out/mciasdb /usr/local/bin/mciasdb
|
||||
COPY --from=builder /out/mciasgrpcctl /usr/local/bin/mciasgrpcctl
|
||||
|
||||
# Create the config and data directories.
|
||||
# /etc/mcias is mounted read-only by the operator with the config file,
|
||||
# TLS cert, and TLS key.
|
||||
# /data is the SQLite database mount point.
|
||||
RUN mkdir -p /etc/mcias /data && \
|
||||
chown mcias:mcias /data && \
|
||||
chmod 0750 /data
|
||||
# Create the data directory.
|
||||
# /srv/mcias is mounted from the host with config, TLS certs, and database.
|
||||
RUN mkdir -p /srv/mcias && \
|
||||
chown mcias:mcias /srv/mcias && \
|
||||
chmod 0750 /srv/mcias
|
||||
|
||||
# Declare /data as a volume so the operator must explicitly mount it.
|
||||
# The SQLite database must persist across container restarts.
|
||||
VOLUME /data
|
||||
# Declare /srv/mcias as a volume so the operator must explicitly mount it.
|
||||
# Contains the config file, TLS cert/key, and SQLite database.
|
||||
VOLUME /srv/mcias
|
||||
|
||||
# REST/TLS port and gRPC/TLS port. These are documentation only; the actual
|
||||
# ports are set in the config file. Override by mounting a different config.
|
||||
@@ -93,7 +90,8 @@ EXPOSE 9443
|
||||
USER mcias
|
||||
|
||||
# Default entry point and config path.
|
||||
# The operator mounts /etc/mcias/mcias.conf from the host or a volume.
|
||||
# The operator mounts /srv/mcias from the host containing mcias.toml,
|
||||
# TLS cert/key, and the SQLite database.
|
||||
# See dist/mcias.conf.docker.example for a suitable template.
|
||||
ENTRYPOINT ["mciassrv"]
|
||||
CMD ["-config", "/etc/mcias/mcias.conf"]
|
||||
CMD ["-config", "/srv/mcias/mcias.toml"]
|
||||
|
||||
Reference in New Issue
Block a user