Kyle Isom
941c71f2d1
- Makefile: build/test/lint/generate/man/install/clean/dist/docker; CGO_ENABLED=1 throughout; VERSION from git describe --tags --always - Dockerfile: multi-stage (golang:1.26-bookworm builder -> debian:bookworm-slim runtime); non-root uid 10001 (mcias), VOLUME /data, EXPOSE 8443/9443; no toolchain in final image - dist/mcias.service: hardened systemd unit (ProtectSystem=strict, ProtectHome, PrivateTmp, NoNewPrivileges, MemoryDenyWriteExecute, CapabilityBoundingSet= empty, EnvironmentFile, LimitNOFILE=65536) - dist/mcias.env.example: passphrase env file template - dist/mcias.conf.example: fully-commented production TOML config - dist/mcias-dev.conf.example: local dev config (/tmp, short expiry) - dist/mcias.conf.docker.example: container config template - dist/install.sh: POSIX sh idempotent installer; creates mcias user/group, installs binaries, /etc/mcias, /var/lib/mcias, systemd unit, man pages; prints post-install instructions - man/man1/mciassrv.1: mdoc synopsis/config/API/signals/files - man/man1/mciasctl.1: mdoc all subcommands/env/examples - man/man1/mciasdb.1: mdoc trust model/safety/all subcommands - man/man1/mciasgrpcctl.1: mdoc gRPC commands/grpcurl example - README.md: user-facing quick-start, first-run setup, build instructions, CLI references, Docker deployment, security notes - .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz
49 lines
1.4 KiB
Plaintext
49 lines
1.4 KiB
Plaintext
# mcias.conf.docker.example — Config template for container deployment
|
|
#
|
|
# Mount this file into the container at /etc/mcias/mcias.conf:
|
|
#
|
|
# docker run -d \
|
|
# --name mcias \
|
|
# -v /path/to/mcias.conf:/etc/mcias/mcias.conf:ro \
|
|
# -v /path/to/certs:/etc/mcias:ro \
|
|
# -v mcias-data:/data \
|
|
# -e MCIAS_MASTER_PASSPHRASE=your-passphrase \
|
|
# -p 8443:8443 \
|
|
# -p 9443:9443 \
|
|
# mcias:latest
|
|
#
|
|
# The container runs as uid 10001 (mcias). Ensure that:
|
|
# - /data volume is writable by uid 10001
|
|
# - TLS cert and key are readable by uid 10001
|
|
#
|
|
# TLS: The server performs TLS termination inside the container; there is no
|
|
# plain-text mode. Mount your certificate and key under /etc/mcias/.
|
|
# For Let's Encrypt certificates, mount the live/ directory read-only.
|
|
|
|
[server]
|
|
listen_addr = "0.0.0.0:8443"
|
|
grpc_addr = "0.0.0.0:9443"
|
|
tls_cert = "/etc/mcias/server.crt"
|
|
tls_key = "/etc/mcias/server.key"
|
|
|
|
[database]
|
|
# VOLUME /data is declared in the Dockerfile; map a named volume here.
|
|
path = "/data/mcias.db"
|
|
|
|
[tokens]
|
|
issuer = "https://auth.example.com"
|
|
default_expiry = "720h"
|
|
admin_expiry = "8h"
|
|
service_expiry = "8760h"
|
|
|
|
[argon2]
|
|
time = 3
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
# Pass the passphrase via the MCIAS_MASTER_PASSPHRASE environment variable.
|
|
# Set it with: docker run -e MCIAS_MASTER_PASSPHRASE=your-passphrase ...
|
|
# or with a Docker secret / Kubernetes secret.
|
|
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|