Migrate to mcdsl: auth, config, csrf, web

- Replace internal/auth with mcdsl/auth - Replace internal/config with mcdsl/config (embed config.Base) - Replace internal/webserver/csrf.go with mcdsl/csrf - Use mcdsl/web for session cookies and template rendering - Use mcdsl/httpserver for server setup and StatusWriter - Remove direct mcias client library dependency - Update .golangci.yaml to v2 format (formatters section) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:53:15 -07:00
commit 0cada7e64e
21 changed files with 1042 additions and 0 deletions
--- a/deploy/examples/mcat.toml.example
+++ b/deploy/examples/mcat.toml.example
@@ -0,0 +1,13 @@
+[server]
+listen_addr = ":8443"
+tls_cert    = "/srv/mcat/certs/cert.pem"
+tls_key     = "/srv/mcat/certs/key.pem"
+
+[mcias]
+server_url   = "https://mcias.metacircular.net:8443"
+ca_cert      = ""
+service_name = "mcat"
+tags         = []
+
+[log]
+level = "info"
--- a/deploy/scripts/install.sh
+++ b/deploy/scripts/install.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+set -eu
+
+SERVICE=mcat
+SRV_DIR="/srv/${SERVICE}"
+BIN_DIR="/usr/local/bin"
+
+# Create system user (idempotent).
+if ! id "${SERVICE}" >/dev/null 2>&1; then
+    useradd --system --shell /usr/sbin/nologin --home-dir "${SRV_DIR}" "${SERVICE}"
+    echo "Created system user: ${SERVICE}"
+fi
+
+# Install binary.
+install -m 0755 "${SERVICE}" "${BIN_DIR}/${SERVICE}"
+echo "Installed ${BIN_DIR}/${SERVICE}"
+
+# Create data directory structure.
+install -d -o "${SERVICE}" -g "${SERVICE}" -m 0700 "${SRV_DIR}"
+install -d -o "${SERVICE}" -g "${SERVICE}" -m 0700 "${SRV_DIR}/certs"
+
+# Copy example config if none exists.
+if [ ! -f "${SRV_DIR}/${SERVICE}.toml" ]; then
+    install -o "${SERVICE}" -g "${SERVICE}" -m 0600 \
+        deploy/examples/${SERVICE}.toml.example "${SRV_DIR}/${SERVICE}.toml"
+    echo "Installed example config to ${SRV_DIR}/${SERVICE}.toml"
+fi
+
+# Install systemd units.
+install -m 0644 deploy/systemd/${SERVICE}.service /etc/systemd/system/
+systemctl daemon-reload
+echo "Installed systemd unit. Enable with: systemctl enable --now ${SERVICE}"
--- a/deploy/systemd/mcat.service
+++ b/deploy/systemd/mcat.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=mcat - MCIAS Login Policy Tester
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=mcat
+Group=mcat
+ExecStart=/usr/local/bin/mcat server --config /srv/mcat/mcat.toml
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+ReadWritePaths=/srv/mcat
+
+[Install]
+WantedBy=multi-user.target