Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 20:43:11 -07:00
commit 4ddd32b117
60 changed files with 4644 additions and 0 deletions
--- a/deploy/scripts/install.sh
+++ b/deploy/scripts/install.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+#
+# Install Metacrypt on a systemd-based Linux system.
+#
+# Usage: sudo ./install.sh /path/to/metacrypt
+#
+set -euo pipefail
+
+BINARY="${1:?Usage: $0 /path/to/metacrypt}"
+INSTALL_DIR="/usr/local/bin"
+CONFIG_DIR="/etc/metacrypt"
+DATA_DIR="/var/lib/metacrypt"
+BACKUP_DIR="${DATA_DIR}/backups"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+DEPLOY_DIR="$(dirname "$SCRIPT_DIR")"
+
+echo "==> Creating metacrypt user and group"
+if ! getent group metacrypt >/dev/null 2>&1; then
+    groupadd --system metacrypt
+fi
+if ! getent passwd metacrypt >/dev/null 2>&1; then
+    useradd --system --gid metacrypt --home-dir "$DATA_DIR" --shell /usr/sbin/nologin metacrypt
+fi
+
+echo "==> Installing binary"
+install -m 0755 "$BINARY" "$INSTALL_DIR/metacrypt"
+
+echo "==> Creating directories"
+install -d -m 0750 -o metacrypt -g metacrypt "$CONFIG_DIR"
+install -d -m 0750 -o metacrypt -g metacrypt "$CONFIG_DIR/certs"
+install -d -m 0700 -o metacrypt -g metacrypt "$DATA_DIR"
+install -d -m 0700 -o metacrypt -g metacrypt "$BACKUP_DIR"
+
+echo "==> Installing configuration"
+if [ ! -f "$CONFIG_DIR/metacrypt.toml" ]; then
+    install -m 0640 -o metacrypt -g metacrypt "$DEPLOY_DIR/examples/metacrypt.toml" "$CONFIG_DIR/metacrypt.toml"
+    echo "    Installed default config to $CONFIG_DIR/metacrypt.toml"
+    echo "    >>> Edit this file before starting the service <<<"
+else
+    echo "    Config already exists at $CONFIG_DIR/metacrypt.toml — skipping"
+fi
+
+echo "==> Installing systemd units"
+install -m 0644 "$DEPLOY_DIR/systemd/metacrypt.service" /etc/systemd/system/
+install -m 0644 "$DEPLOY_DIR/systemd/metacrypt-backup.service" /etc/systemd/system/
+install -m 0644 "$DEPLOY_DIR/systemd/metacrypt-backup.timer" /etc/systemd/system/
+systemctl daemon-reload
+
+echo "==> Done"
+echo ""
+echo "Next steps:"
+echo "  1. Place TLS cert and key in $CONFIG_DIR/certs/"
+echo "  2. Edit $CONFIG_DIR/metacrypt.toml"
+echo "  3. Initialize:  metacrypt init --config $CONFIG_DIR/metacrypt.toml"
+echo "  4. Start:       systemctl enable --now metacrypt"
+echo "  5. Backups:     systemctl enable --now metacrypt-backup.timer"