Add WebAuthn config; Docker single-mount

- Add [webauthn] section to all config examples - Add active WebAuthn config to run/mcias.conf - Update Dockerfile to use /srv/mcias single mount - Add WebAuthn and TOTP sections to RUNBOOK.md - Fix TOTP QR display (template.URL type) - Add --force-rm to docker build in Makefile Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 18:57:06 -07:00
parent 37afc68287
commit 0b37fde155
9 changed files with 144 additions and 23 deletions
--- a/dist/mcias.conf.example
+++ b/dist/mcias.conf.example
@@ -123,3 +123,24 @@ passphrase_env = "MCIAS_MASTER_PASSPHRASE"
 #
 # Uncomment and comment out passphrase_env to switch modes.
 # keyfile = "/srv/mcias/master.key"
+
+# ---------------------------------------------------------------------------
+# [webauthn] — FIDO2/WebAuthn passkey authentication (OPTIONAL)
+# ---------------------------------------------------------------------------
+# Enables passwordless passkey login and hardware security key 2FA.
+# If this section is omitted or rp_id/rp_origin are empty, WebAuthn is
+# disabled and passkey options will not appear in the UI.
+#
+# [webauthn]
+#
+# REQUIRED (if enabling). The Relying Party ID — typically the domain name
+# (without port or scheme). Must match the domain users see in their browser.
+# rp_id = "auth.example.com"
+#
+# REQUIRED (if enabling). The Relying Party Origin — the full origin URL
+# including scheme. Must be HTTPS. Include the port if non-standard (not 443).
+# rp_origin = "https://auth.example.com"
+#
+# OPTIONAL. Display name shown to users during passkey registration prompts.
+# Default: "MCIAS".
+# display_name = "MCIAS"