Add deployment artifacts and rift config (Phase 13)

Dockerfiles for API server and web UI (multi-stage, alpine:3.21, non-root mcr user). systemd units with security hardening. Idempotent install script. Rift-specific config with MCIAS service token, TLS paths, and Docker compose with loopback port bindings for mc-proxy fronting (28443/29443/28080). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:03:36 -07:00
parent 75c8b110da
commit 7255bba890
10 changed files with 334 additions and 3 deletions
--- a/deploy/systemd/mcr-backup.service
+++ b/deploy/systemd/mcr-backup.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=MCR Database Backup
+
+[Service]
+Type=oneshot
+User=mcr
+Group=mcr
+ExecStart=/usr/local/bin/mcrsrv snapshot --config /srv/mcr/mcr.toml
+ExecStartPost=/usr/bin/find /srv/mcr/backups -name 'mcr-*.db' -mtime +30 -delete
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+ReadWritePaths=/srv/mcr