Deploy sgardd to rift and add persistent remote config.

Deployment: Dockerfile + docker-compose for sgardd on rift behind mc-proxy (L4 SNI passthrough on :9443, multiplexed with metacrypt gRPC). TLS via Metacrypt-issued cert, SSH-key auth. CLI: `sgard remote set/show` saves addr, TLS, and CA path to <repo>/remote.yaml so push/pull work without flags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 21:23:21 -07:00
parent d2161fdadc
commit 4ec71eae00
6 changed files with 194 additions and 19 deletions
--- a/deploy/docker/Dockerfile
+++ b/deploy/docker/Dockerfile
@@ -0,0 +1,30 @@
+# Build stage
+FROM golang:1.25-alpine AS builder
+
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+ARG VERSION=dev
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /sgardd ./cmd/sgardd
+
+# Runtime stage
+FROM alpine:3.21
+
+RUN apk add --no-cache ca-certificates tzdata \
+    && adduser -D -h /srv/sgard sgard
+
+COPY --from=builder /sgardd /usr/local/bin/sgardd
+
+VOLUME /srv/sgard
+EXPOSE 9473
+
+USER sgard
+
+ENTRYPOINT ["sgardd", \
+    "--repo", "/srv/sgard", \
+    "--authorized-keys", "/srv/sgard/authorized_keys", \
+    "--tls-cert", "/srv/sgard/certs/sgard.pem", \
+    "--tls-key", "/srv/sgard/certs/sgard.key"]
--- a/deploy/docker/docker-compose-rift.yml
+++ b/deploy/docker/docker-compose-rift.yml
@@ -0,0 +1,16 @@
+services:
+  sgardd:
+    image: localhost/sgardd:latest
+    container_name: sgardd
+    restart: unless-stopped
+    user: "0:0"
+    ports:
+      - "127.0.0.1:19473:9473"
+    volumes:
+      - /srv/sgard:/srv/sgard
+    healthcheck:
+      test: ["CMD", "true"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s