Kyle Isom
7255bba890
Dockerfiles for API server and web UI (multi-stage, alpine:3.21, non-root mcr user). systemd units with security hardening. Idempotent install script. Rift-specific config with MCIAS service token, TLS paths, and Docker compose with loopback port bindings for mc-proxy fronting (28443/29443/28080). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
32 lines
593 B
Desktop File
32 lines
593 B
Desktop File
[Unit]
|
|
Description=MCR Container Registry Web UI
|
|
After=mcr.service
|
|
Wants=mcr.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=mcr
|
|
Group=mcr
|
|
ExecStart=/usr/local/bin/mcr-web --config /srv/mcr/mcr.toml
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
# Security hardening
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictSUIDSGID=true
|
|
RestrictNamespaces=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictRealtime=true
|
|
ReadOnlyPaths=/srv/mcr
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|