Separate web UI into standalone metacrypt-web binary

The vault server holds in-memory unsealed state (KEK, engine keys) that is lost on restart, requiring a full unseal ceremony. Previously the web UI ran inside the vault process, so any UI change forced a restart and re-unseal. This change extracts the web UI into a separate metacrypt-web binary that communicates with the vault over an authenticated gRPC connection. The web server carries no sealed state and can be restarted freely. - gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/ - internal/grpcserver/: full gRPC server implementation (System, Auth, Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors - internal/webserver/: web server with gRPC vault client; templates embedded via web/embed.go (no runtime web/ directory needed) - cmd/metacrypt-web/: standalone binary entry point - internal/config: added [web] section (listen_addr, vault_grpc, etc.) - internal/server/routes.go: removed all web UI routes and handlers - cmd/metacrypt/server.go: starts gRPC server alongside HTTP server - Deploy: Dockerfile builds both binaries, docker-compose adds metacrypt-web service, new metacrypt-web.service systemd unit, Makefile gains proto/metacrypt-web targets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 09:07:12 -07:00
parent b8e348db03
commit cc1ac2e255
37 changed files with 5668 additions and 647 deletions
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@@ -7,12 +7,9 @@ services:
    restart: unless-stopped
    ports:
      - "8443:8443"
+      - "9443:9443"
    volumes:
      - metacrypt-data:/srv/metacrypt
-    # To populate /srv/metacrypt before first run, use an init container or
-    # bind-mount a host directory instead of a named volume:
-    #   volumes:
-    #     - ./data:/srv/metacrypt
    healthcheck:
      test: ["CMD", "metacrypt", "status", "--addr", "https://localhost:8443", "--ca-cert", "/srv/metacrypt/certs/ca.crt"]
      interval: 30s
@@ -20,5 +17,19 @@ services:
      retries: 3
      start_period: 10s

+  metacrypt-web:
+    build:
+      context: ../..
+      dockerfile: Dockerfile
+    container_name: metacrypt-web
+    command: ["/usr/local/bin/metacrypt-web", "--config", "/srv/metacrypt/metacrypt.toml"]
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    volumes:
+      - metacrypt-data:/srv/metacrypt
+    depends_on:
+      - metacrypt
+
 volumes:
  metacrypt-data:
--- a/deploy/systemd/metacrypt-web.service
+++ b/deploy/systemd/metacrypt-web.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=Metacrypt web UI server
+Documentation=https://git.wntrmute.dev/kyle/metacrypt
+After=network-online.target metacrypt.service
+Wants=network-online.target
+Requires=metacrypt.service
+
+[Service]
+Type=simple
+User=metacrypt
+Group=metacrypt
+
+ExecStart=/usr/local/bin/metacrypt-web --config /srv/metacrypt/metacrypt.toml
+ExecReload=/bin/kill -HUP $MAINPID
+
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+
+# Allow read access to config and certs
+ReadOnlyPaths=/srv/metacrypt
+
+# Limit file descriptor count
+LimitNOFILE=65535
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=metacrypt-web
+
+[Install]
+WantedBy=multi-user.target