Kyle Isom
b0afe3b993
- Rename dist/ -> deploy/ with subdirs examples/, scripts/, systemd/ per standard repository layout - Update .gitignore: gitignore all of dist/ (build output only) - Makefile: all target is now vet->lint->test->build; add vet, proto-lint, devserver targets; CGO_ENABLED=0 for builds (modernc.org/sqlite is pure-Go, no C toolchain needed); CGO_ENABLED=1 retained for tests (race detector) - Dockerfile: builder -> golang:1.26-alpine, runtime -> alpine:3.21; drop libc6 dep; add /srv/mcias/certs and /srv/mcias/backups to image - deploy/systemd/mcias.service: add RestrictSUIDSGID=true - deploy/systemd/mcias-backup.service: new oneshot backup unit - deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter - deploy/scripts/install.sh: install backup units and enable timer; create certs/ and backups/ subdirs in /srv/mcias - buf.yaml: add proto linting config for proto-lint target - internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO) - cmd/mciasdb: add snapshot subcommand; no master key required
18 lines
846 B
Plaintext
18 lines
846 B
Plaintext
# /srv/mcias/env — Environment file for mciassrv (systemd EnvironmentFile).
|
|
#
|
|
# This file is loaded by the mcias.service unit before the server starts.
|
|
# It must be readable only by root and the mcias service account:
|
|
#
|
|
# chmod 0640 /srv/mcias/env
|
|
# chown root:mcias /srv/mcias/env
|
|
#
|
|
# SECURITY: This file contains the master key passphrase. Treat it with
|
|
# the same care as a private key. Do not commit it to version control.
|
|
# Back it up to a secure offline location — losing this passphrase means
|
|
# losing access to all encrypted data in the database.
|
|
|
|
# Master key passphrase. Used to derive the AES-256 master key via Argon2id.
|
|
# Choose a long, random passphrase (e.g., generated by `openssl rand -base64 32`).
|
|
# This must match the passphrase_env setting in mcias.conf.
|
|
MCIAS_MASTER_PASSPHRASE=change-me-to-a-long-random-passphrase
|