Add deployment artifacts and rift config (Phase 13)

Dockerfiles for API server and web UI (multi-stage, alpine:3.21, non-root mcr user). systemd units with security hardening. Idempotent install script. Rift-specific config with MCIAS service token, TLS paths, and Docker compose with loopback port bindings for mc-proxy fronting (28443/29443/28080). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:03:36 -07:00
parent 75c8b110da
commit 7255bba890
10 changed files with 334 additions and 3 deletions
--- a/deploy/docker/docker-compose-rift.yml
+++ b/deploy/docker/docker-compose-rift.yml
@@ -0,0 +1,46 @@
+# MCR on rift — container registry.
+#
+# Two containers: API server (mcrsrv) and web UI (mcr-web).
+# Both bind to loopback; mc-proxy handles external TLS ingress.
+#
+# Usage:
+#   docker compose -f deploy/docker/docker-compose-rift.yml up -d
+#
+# Prerequisites:
+#   - /srv/mcr/mcr.toml (copy from deploy/mcr-rift.toml)
+#   - /srv/mcr/certs/ with TLS cert+key
+#   - MCIAS service token for the 'mcr' account
+
+services:
+  mcr:
+    build:
+      context: ../..
+      dockerfile: Dockerfile.api
+    container_name: mcr
+    restart: unless-stopped
+    user: "0:0"
+    ports:
+      - "127.0.0.1:28443:8443"
+      - "127.0.0.1:29443:9443"
+    volumes:
+      - /srv/mcr:/srv/mcr
+    healthcheck:
+      test: ["CMD", "mcrsrv", "status", "--addr", "https://localhost:8443", "--ca-cert", "/srv/mcr/certs/ca.pem"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+  mcr-web:
+    build:
+      context: ../..
+      dockerfile: Dockerfile.web
+    container_name: mcr-web
+    restart: unless-stopped
+    user: "0:0"
+    ports:
+      - "127.0.0.1:28080:8080"
+    volumes:
+      - /srv/mcr:/srv/mcr
+    depends_on:
+      - mcr