Add WebAuthn config; Docker single-mount

- Add [webauthn] section to all config examples - Add active WebAuthn config to run/mcias.conf - Update Dockerfile to use /srv/mcias single mount - Add WebAuthn and TOTP sections to RUNBOOK.md - Fix TOTP QR display (template.URL type) - Add --force-rm to docker build in Makefile Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 18:57:06 -07:00
parent 37afc68287
commit 0b37fde155
9 changed files with 144 additions and 23 deletions
--- a/dist/mcias-dev.conf.example
+++ b/dist/mcias-dev.conf.example
@@ -41,3 +41,10 @@ threads = 4

 [master_key]
 passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+
+# WebAuthn — passkey authentication for local development.
+# rp_origin includes the non-standard port since we're not behind a proxy.
+[webauthn]
+rp_id        = "localhost"
+rp_origin    = "https://localhost:8443"
+display_name = "MCIAS (dev)"
--- a/dist/mcias.conf.docker.example
+++ b/dist/mcias.conf.docker.example
@@ -48,3 +48,14 @@ threads = 4
 # Set it with: docker run -e MCIAS_MASTER_PASSPHRASE=your-passphrase ...
 # or with a Docker secret / Kubernetes secret.
 passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+
+# ---------------------------------------------------------------------------
+# [webauthn] — FIDO2/WebAuthn passkey authentication (OPTIONAL)
+# ---------------------------------------------------------------------------
+# Uncomment to enable passwordless passkey login. Set rp_id to your domain
+# and rp_origin to the full HTTPS origin users access in their browser.
+#
+# [webauthn]
+# rp_id        = "auth.example.com"
+# rp_origin    = "https://auth.example.com"
+# display_name = "MCIAS"
--- a/dist/mcias.conf.example
+++ b/dist/mcias.conf.example
@@ -123,3 +123,24 @@ passphrase_env = "MCIAS_MASTER_PASSPHRASE"
 #
 # Uncomment and comment out passphrase_env to switch modes.
 # keyfile = "/srv/mcias/master.key"
+
+# ---------------------------------------------------------------------------
+# [webauthn] — FIDO2/WebAuthn passkey authentication (OPTIONAL)
+# ---------------------------------------------------------------------------
+# Enables passwordless passkey login and hardware security key 2FA.
+# If this section is omitted or rp_id/rp_origin are empty, WebAuthn is
+# disabled and passkey options will not appear in the UI.
+#
+# [webauthn]
+#
+# REQUIRED (if enabling). The Relying Party ID — typically the domain name
+# (without port or scheme). Must match the domain users see in their browser.
+# rp_id = "auth.example.com"
+#
+# REQUIRED (if enabling). The Relying Party Origin — the full origin URL
+# including scheme. Must be HTTPS. Include the port if non-standard (not 443).
+# rp_origin = "https://auth.example.com"
+#
+# OPTIONAL. Display name shown to users during passkey registration prompts.
+# Default: "MCIAS".
+# display_name = "MCIAS"