Align with engineering standards (steps 1-5)

- Rename dist/ -> deploy/ with subdirs examples/, scripts/, systemd/ per standard repository layout - Update .gitignore: gitignore all of dist/ (build output only) - Makefile: all target is now vet->lint->test->build; add vet, proto-lint, devserver targets; CGO_ENABLED=0 for builds (modernc.org/sqlite is pure-Go, no C toolchain needed); CGO_ENABLED=1 retained for tests (race detector) - Dockerfile: builder -> golang:1.26-alpine, runtime -> alpine:3.21; drop libc6 dep; add /srv/mcias/certs and /srv/mcias/backups to image - deploy/systemd/mcias.service: add RestrictSUIDSGID=true - deploy/systemd/mcias-backup.service: new oneshot backup unit - deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter - deploy/scripts/install.sh: install backup units and enable timer; create certs/ and backups/ subdirs in /srv/mcias - buf.yaml: add proto linting config for proto-lint target - internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO) - cmd/mciasdb: add snapshot subcommand; no master key required
2026-03-16 20:26:43 -07:00
parent 446b3df52d
commit b0afe3b993
15 changed files with 293 additions and 62 deletions
--- a/deploy/examples/mcias.conf.docker.example
+++ b/deploy/examples/mcias.conf.docker.example
@@ -0,0 +1,61 @@
+# mcias.conf.docker.example — Config template for container deployment
+#
+# Mount this file into the container at /srv/mcias/mcias.toml:
+#
+#   docker run -d \
+#     --name mcias \
+#     -v /srv/mcias:/srv/mcias \
+#     -e MCIAS_MASTER_PASSPHRASE=your-passphrase \
+#     -p 8443:8443 \
+#     -p 9443:9443 \
+#     mcias:latest
+#
+# The container runs as uid 10001 (mcias). Ensure that:
+#   - /srv/mcias is writable by uid 10001
+#   - TLS cert and key are readable by uid 10001
+#
+# TLS: The server performs TLS termination inside the container; there is no
+# plain-text mode. Place your certificate and key under /srv/mcias/.
+# For Let's Encrypt certificates, mount the live/ directory read-only.
+
+[server]
+listen_addr = "0.0.0.0:8443"
+grpc_addr   = "0.0.0.0:9443"
+tls_cert    = "/srv/mcias/server.crt"
+tls_key     = "/srv/mcias/server.key"
+# If a reverse proxy (nginx, Caddy, Traefik) sits in front of this container,
+# set trusted_proxy to its container IP so real client IPs are used for rate
+# limiting and audit logging. Leave commented out for direct exposure.
+# trusted_proxy = "172.17.0.1"
+
+[database]
+# All data lives under /srv/mcias for a single-volume deployment.
+path = "/srv/mcias/mcias.db"
+
+[tokens]
+issuer         = "https://auth.example.com"
+default_expiry = "168h"
+admin_expiry   = "8h"
+service_expiry = "8760h"
+
+[argon2]
+time    = 3
+memory  = 65536
+threads = 4
+
+[master_key]
+# Pass the passphrase via the MCIAS_MASTER_PASSPHRASE environment variable.
+# Set it with: docker run -e MCIAS_MASTER_PASSPHRASE=your-passphrase ...
+# or with a Docker secret / Kubernetes secret.
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+
+# ---------------------------------------------------------------------------
+# [webauthn] — FIDO2/WebAuthn passkey authentication (OPTIONAL)
+# ---------------------------------------------------------------------------
+# Uncomment to enable passwordless passkey login. Set rp_id to your domain
+# and rp_origin to the full HTTPS origin users access in their browser.
+#
+# [webauthn]
+# rp_id        = "auth.example.com"
+# rp_origin    = "https://auth.example.com"
+# display_name = "MCIAS"