Add deployment artifacts and rift config (Phase 13)
Dockerfiles for API server and web UI (multi-stage, alpine:3.21, non-root mcr user). systemd units with security hardening. Idempotent install script. Rift-specific config with MCIAS service token, TLS paths, and Docker compose with loopback port bindings for mc-proxy fronting (28443/29443/28080). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
31
deploy/systemd/mcr-web.service
Normal file
31
deploy/systemd/mcr-web.service
Normal file
@@ -0,0 +1,31 @@
|
||||
[Unit]
|
||||
Description=MCR Container Registry Web UI
|
||||
After=mcr.service
|
||||
Wants=mcr.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=mcr
|
||||
Group=mcr
|
||||
ExecStart=/usr/local/bin/mcr-web --config /srv/mcr/mcr.toml
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
RestrictNamespaces=true
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
RestrictRealtime=true
|
||||
ReadOnlyPaths=/srv/mcr
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user