# MCIAS Deployment Guide ## Overview This document provides guidance on deploying the Metacircular Identity and Access System (MCIAS) in a production environment. MCIAS is designed to be deployed behind a reverse proxy that handles TLS termination and security headers. ## Prerequisites - Linux server with systemd - Nginx or another reverse proxy for TLS termination - User and group `mcias` created on the system - Go 1.23 or later for building from source ## Installation 1. Build the MCIAS binary: ```bash go build -o mcias ./cmd/mcias ``` 2. Create the installation directory: ```bash sudo mkdir -p /opt/mcias ``` 3. Copy the binary and service file: ```bash sudo cp mcias /opt/mcias/ sudo cp mcias.service /etc/systemd/system/ ``` 4. Set appropriate permissions: ```bash sudo chown -R mcias:mcias /opt/mcias sudo chmod 755 /opt/mcias/mcias ``` 5. Initialize the database: ```bash sudo -u mcias /opt/mcias/mcias init --db /opt/mcias/mcias.db ``` 6. Enable and start the service: ```bash sudo systemctl daemon-reload sudo systemctl enable mcias sudo systemctl start mcias ``` ## Reverse Proxy Configuration MCIAS is designed to run behind a reverse proxy that handles TLS termination and security headers. Below is an example Nginx configuration: ```nginx server { listen 443 ssl http2; server_name mcias.example.com; # SSL configuration ssl_certificate /etc/letsencrypt/live/mcias.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/mcias.example.com/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; # Security headers add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; add_header X-XSS-Protection "1; mode=block" always; add_header Content-Security-Policy "default-src 'self';" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Proxy to MCIAS location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # Redirect HTTP to HTTPS server { listen 80; server_name mcias.example.com; return 301 https://$host$request_uri; } ``` ## Security Considerations 1. **TLS Configuration**: The reverse proxy should use modern TLS protocols (TLSv1.2 and TLSv1.3) and strong cipher suites. 2. **Security Headers**: The reverse proxy should add security headers to all responses, as shown in the Nginx configuration example. 3. **Firewall Configuration**: Configure your firewall to only allow connections to the MCIAS server from the reverse proxy. 4. **Regular Updates**: Keep the MCIAS software, operating system, and reverse proxy up to date with security patches. 5. **Monitoring**: Set up monitoring for the MCIAS service and review logs regularly for security events. ## Logging MCIAS logs to the systemd journal by default. You can view logs using: ```bash sudo journalctl -u mcias ``` Security events are logged with the prefix `SECURITY_EVENT:` and are in JSON format for easy parsing. ## Backup and Recovery Regularly back up the MCIAS database file (/opt/mcias/mcias.db) to ensure you can recover in case of data loss. Example backup script: ```bash #!/bin/bash BACKUP_DIR="/var/backups/mcias" TIMESTAMP=$(date +%Y%m%d%H%M%S) mkdir -p $BACKUP_DIR sqlite3 /opt/mcias/mcias.db ".backup $BACKUP_DIR/mcias_$TIMESTAMP.db" ```