Add deployment artifacts and rift config (Phase 13)

Dockerfiles for API server and web UI (multi-stage, alpine:3.21, non-root mcr user). systemd units with security hardening. Idempotent install script. Rift-specific config with MCIAS service token, TLS paths, and Docker compose with loopback port bindings for mc-proxy fronting (28443/29443/28080). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:03:36 -07:00
parent 75c8b110da
commit 7255bba890
10 changed files with 334 additions and 3 deletions
--- a/deploy/mcr-rift.toml
+++ b/deploy/mcr-rift.toml
@@ -0,0 +1,37 @@
+# MCR configuration for rift.
+#
+# Container registry fronted by mc-proxy:
+#   :8443 → mcr API (L4 passthrough via mc-proxy)
+#   :443  → mcr-web (L7 via mc-proxy)
+#
+# Copy to /srv/mcr/mcr.toml on rift before starting.
+
+[server]
+listen_addr      = ":8443"
+grpc_addr        = ":9443"
+tls_cert         = "/srv/mcr/certs/mcr.pem"
+tls_key          = "/srv/mcr/certs/mcr.key"
+read_timeout     = "30s"
+write_timeout    = "0s"
+idle_timeout     = "120s"
+shutdown_timeout = "60s"
+
+[database]
+path = "/srv/mcr/mcr.db"
+
+[storage]
+layers_path  = "/srv/mcr/layers"
+uploads_path = "/srv/mcr/uploads"
+
+[mcias]
+server_url    = "https://mcias.metacircular.net:8443"
+ca_cert       = "/srv/mcr/certs/ca.pem"
+service_token = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL21jaWFzLm1ldGFjaXJjdWxhci5uZXQiLCJzdWIiOiIwYWM3NDk3ZS0wZTE5LTRhOWMtYWI3Yi03YWZjMzc0ZDU3NzIiLCJleHAiOjE4MDYwMzczNzMsIm5iZiI6MTc3NDUwMTM3MywiaWF0IjoxNzc0NTAxMzczLCJqdGkiOiI1NTM0ZDU0OS1kYzY5LTRiNzctYTY5MC0xNzQ3NjE0MDUzYzEiLCJyb2xlcyI6bnVsbH0.bsnoGMrFzJJCIanGuiAvpqmlO2OssvFjYynQgiSt_TPMuLxziRuwuRIL9C_kRnHdF7C6c1mTHncKVj1hkLPiCg"
+
+[web]
+listen_addr = ":8080"
+grpc_addr   = "mcr:9443"
+ca_cert     = "/srv/mcr/certs/ca.pem"
+
+[log]
+level = "info"