Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env}
- main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty
- docker-compose: env_file etc/server-service.env, mount etc/
- bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing
- ErrRegistrationNotConfigured for clearer 503 when keys not set
- etc/README.md, etc/.gitignore
- bin/gen-admin-key.sh for one-off key gen
- .env.example

Made-with: Cursor

bin/gen-admin-key.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# Generate Ed25519 keypair for ADMIN_PUBLIC_KEY (one-off, prints to stdout).
+# For etc/ + docker compose, use ./bin/gen-server-keys.sh instead.
+set -e
+cd "$(dirname "$0")/.."
+(cd libs/geo-api-client && bun run build 2>/dev/null) || true
+cd libs/geo-api-client
+bun -e "
+import { generateKeyPair } from './dist/index.js';
+const k = await generateKeyPair();
+console.log('ADMIN_PUBLIC_KEY=' + k.publicKey);
+console.log('# Private key (keep secret, bootstrap only): ' + k.privateKey);
+"