Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env}
- main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty
- docker-compose: env_file etc/server-service.env, mount etc/
- bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing
- ErrRegistrationNotConfigured for clearer 503 when keys not set
- etc/README.md, etc/.gitignore
- bin/gen-admin-key.sh for one-off key gen
- .env.example

Made-with: Cursor

README.md

@@ -33,17 +33,22 @@ Local default (for development): `http://localhost:8122`.
 Optional environment variables:
 
 - `ADDR` (default `:8122`)
-- `ADMIN_PUBLIC_KEY` (bootstrap initial inviter/admin user)
+- `ADMIN_PUBLIC_KEY` — **required for registration**: bootstrap admin + service key for `register-by-signature`. Generate with `./bin/gen-admin-key.sh`
 - `SERVICE_PUBLIC_KEY` (public key users sign to register; defaults to `ADMIN_PUBLIC_KEY`)
 
+**Deployment:** Set `ADMIN_PUBLIC_KEY` before starting. Without it, `/v1/service-key` returns 503 and registration is disabled.
+
 ## Docker Compose
 
-Build and run the backend service:
+Generate server keys (creates `etc/server-service.*`), then build and run:
 
 ```bash
+./bin/gen-server-keys.sh
 COMPOSE_BAKE=true docker compose up --build -d
 ```
 
+Or use `./bin/up.sh` which runs the key generation if needed.
+
 This starts:
 
 - `db` (`postgis/postgis`) on `5432`