mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Separate web UI into standalone metacrypt-web binary

Browse Source 
The vault server holds in-memory unsealed state (KEK, engine keys) that
is lost on restart, requiring a full unseal ceremony. Previously the web
UI ran inside the vault process, so any UI change forced a restart and
re-unseal.

This change extracts the web UI into a separate metacrypt-web binary
that communicates with the vault over an authenticated gRPC connection.
The web server carries no sealed state and can be restarted freely.

- gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/
- internal/grpcserver/: full gRPC server implementation (System, Auth,
  Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors
- internal/webserver/: web server with gRPC vault client; templates
  embedded via web/embed.go (no runtime web/ directory needed)
- cmd/metacrypt-web/: standalone binary entry point
- internal/config: added [web] section (listen_addr, vault_grpc, etc.)
- internal/server/routes.go: removed all web UI routes and handlers
- cmd/metacrypt/server.go: starts gRPC server alongside HTTP server
- Deploy: Dockerfile builds both binaries, docker-compose adds
  metacrypt-web service, new metacrypt-web.service systemd unit,
  Makefile gains proto/metacrypt-web targets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-15 09:07:12 -07:00
parent b8e348db03
commit cc1ac2e255
37 changed files with 5668 additions and 647 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
internal/config/config.go
View File

@@ -11,6 +11,7 @@ import (
// Config is the top-level configuration for Metacrypt.
type Config struct {
Server ServerConfig `toml:"server"`
Web WebConfig `toml:"web"`
Database DatabaseConfig `toml:"database"`
MCIAS MCIASConfig `toml:"mcias"`
Seal SealConfig `toml:"seal"`
@@ -26,6 +27,20 @@ type ServerConfig struct {
ExternalURL string `toml:"external_url"` // public base URL for ACME directory, e.g. "https://metacrypt.example.com"
}
// WebConfig holds settings for the standalone web UI server (metacrypt-web).
type WebConfig struct {
// ListenAddr is the address the web server listens on (default: 127.0.0.1:8080).
ListenAddr string `toml:"listen_addr"`
// VaultGRPC is the gRPC address of the vault server (e.g. "127.0.0.1:9443").
VaultGRPC string `toml:"vault_grpc"`
// VaultCACert is the path to the CA certificate used to verify the vault's TLS cert.
VaultCACert string `toml:"vault_ca_cert"`
// TLSCert and TLSKey are optional. If empty, the web server uses plain HTTP
// (suitable for deployment behind a TLS-terminating reverse proxy).
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
}
// DatabaseConfig holds SQLite database settings.
type DatabaseConfig struct {
Path string `toml:"path"`
@@ -98,5 +113,10 @@ func (c *Config) Validate() error {
c.Log.Level = "info"
}
// Apply defaults for web server.
if c.Web.ListenAddr == "" {
c.Web.ListenAddr = "127.0.0.1:8080"
}
return nil
}