Kyle Isom
941c71f2d1
- Makefile: build/test/lint/generate/man/install/clean/dist/docker; CGO_ENABLED=1 throughout; VERSION from git describe --tags --always - Dockerfile: multi-stage (golang:1.26-bookworm builder -> debian:bookworm-slim runtime); non-root uid 10001 (mcias), VOLUME /data, EXPOSE 8443/9443; no toolchain in final image - dist/mcias.service: hardened systemd unit (ProtectSystem=strict, ProtectHome, PrivateTmp, NoNewPrivileges, MemoryDenyWriteExecute, CapabilityBoundingSet= empty, EnvironmentFile, LimitNOFILE=65536) - dist/mcias.env.example: passphrase env file template - dist/mcias.conf.example: fully-commented production TOML config - dist/mcias-dev.conf.example: local dev config (/tmp, short expiry) - dist/mcias.conf.docker.example: container config template - dist/install.sh: POSIX sh idempotent installer; creates mcias user/group, installs binaries, /etc/mcias, /var/lib/mcias, systemd unit, man pages; prints post-install instructions - man/man1/mciassrv.1: mdoc synopsis/config/API/signals/files - man/man1/mciasctl.1: mdoc all subcommands/env/examples - man/man1/mciasdb.1: mdoc trust model/safety/all subcommands - man/man1/mciasgrpcctl.1: mdoc gRPC commands/grpcurl example - README.md: user-facing quick-start, first-run setup, build instructions, CLI references, Docker deployment, security notes - .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz
52 lines
1.4 KiB
Desktop File
52 lines
1.4 KiB
Desktop File
[Unit]
|
|
Description=MCIAS Authentication Server
|
|
Documentation=man:mciassrv(1)
|
|
After=network.target
|
|
# Require network to be available before starting.
|
|
# Remove if you bind only to loopback.
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=mcias
|
|
Group=mcias
|
|
|
|
# Configuration and secrets.
|
|
# /etc/mcias/env must contain MCIAS_MASTER_PASSPHRASE=<passphrase>
|
|
# See dist/mcias.env.example for the template.
|
|
EnvironmentFile=/etc/mcias/env
|
|
|
|
ExecStart=/usr/local/bin/mciassrv -config /etc/mcias/mcias.conf
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
# File descriptor limit. mciassrv keeps one fd per open connection plus
|
|
# the SQLite WAL files; 65536 is generous headroom for a personal server.
|
|
LimitNOFILE=65536
|
|
|
|
# Sandboxing. mcias does not need capabilities; it listens on ports > 1024.
|
|
# If you need port 443 or 8443 on a privileged port (< 1024), either:
|
|
# a) use a reverse proxy (recommended), or
|
|
# b) grant CAP_NET_BIND_SERVICE with: AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=
|
|
|
|
# Filesystem restrictions.
|
|
# mciassrv reads /etc/mcias (config, TLS cert/key) and writes /var/lib/mcias (DB).
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
ReadWritePaths=/var/lib/mcias
|
|
|
|
# Additional hardening.
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|