Align with engineering standards (steps 1-5)

- Rename dist/ -> deploy/ with subdirs examples/, scripts/, systemd/ per standard repository layout - Update .gitignore: gitignore all of dist/ (build output only) - Makefile: all target is now vet->lint->test->build; add vet, proto-lint, devserver targets; CGO_ENABLED=0 for builds (modernc.org/sqlite is pure-Go, no C toolchain needed); CGO_ENABLED=1 retained for tests (race detector) - Dockerfile: builder -> golang:1.26-alpine, runtime -> alpine:3.21; drop libc6 dep; add /srv/mcias/certs and /srv/mcias/backups to image - deploy/systemd/mcias.service: add RestrictSUIDSGID=true - deploy/systemd/mcias-backup.service: new oneshot backup unit - deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter - deploy/scripts/install.sh: install backup units and enable timer; create certs/ and backups/ subdirs in /srv/mcias - buf.yaml: add proto linting config for proto-lint target - internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO) - cmd/mciasdb: add snapshot subcommand; no master key required
2026-03-16 20:26:43 -07:00
parent 446b3df52d
commit b0afe3b993
15 changed files with 293 additions and 62 deletions
--- a/deploy/examples/mcias-dev.conf.example
+++ b/deploy/examples/mcias-dev.conf.example
@@ -0,0 +1,50 @@
+# mcias-dev.conf — Local development configuration for mciassrv
+#
+# Suitable for running mciassrv on a developer workstation.
+# DO NOT use this configuration in production:
+#   - Tokens expire quickly (for rapid test iteration).
+#   - The master key passphrase is trivial.
+#   - TLS paths point to local self-signed certificates.
+#
+# Generate a self-signed certificate for local development:
+#   openssl req -x509 -newkey ed25519 -days 365 \
+#     -keyout /tmp/mcias-dev.key -out /tmp/mcias-dev.crt \
+#     -subj "/CN=localhost" -nodes
+#
+# Set the master passphrase:
+#   export MCIAS_MASTER_PASSPHRASE=devpassphrase
+#
+# Start the server:
+#   mciassrv -config /path/to/mcias-dev.toml
+
+[server]
+listen_addr = "127.0.0.1:8443"
+grpc_addr   = "127.0.0.1:9443"
+tls_cert    = "/tmp/mcias-dev.crt"
+tls_key     = "/tmp/mcias-dev.key"
+# trusted_proxy not set — direct local development, no reverse proxy.
+
+[database]
+path = "/tmp/mcias-dev.db"
+
+[tokens]
+issuer         = "https://localhost:8443"
+default_expiry = "1h"
+admin_expiry   = "30m"
+service_expiry = "24h"
+
+[argon2]
+# OWASP minimums maintained even in dev; do not reduce further.
+time    = 2
+memory  = 65536
+threads = 4
+
+[master_key]
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+
+# WebAuthn — passkey authentication for local development.
+# rp_origin includes the non-standard port since we're not behind a proxy.
+[webauthn]
+rp_id        = "localhost"
+rp_origin    = "https://localhost:8443"
+display_name = "MCIAS (dev)"