Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env} - main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty - docker-compose: env_file etc/server-service.env, mount etc/ - bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing - ErrRegistrationNotConfigured for clearer 503 when keys not set - etc/README.md, etc/.gitignore - bin/gen-admin-key.sh for one-off key gen - .env.example Made-with: Cursor
2026-03-01 13:02:40 +00:00
parent a5a97a0ad9
commit 18328706bd
14 changed files with 129 additions and 16 deletions
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Generate server-service Ed25519 keypair. Output in etc/ for docker compose.
+# Clients download the public key via GET /v1/service-key.
+set -e
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+mkdir -p "$ROOT/etc"
+(cd "$ROOT/libs/geo-api-client" && bun run build 2>/dev/null) || true
+cd "$ROOT/libs/geo-api-client"
+OUT=$(bun -e "
+import { generateKeyPair } from './dist/index.js';
+const k = await generateKeyPair();
+console.log(k.publicKey);
+console.log(k.privateKey);
+")
+PUB=$(echo "$OUT" | head -1)
+PRIV=$(echo "$OUT" | tail -1)
+echo "$PUB" > "$ROOT/etc/server-service.pub"
+echo "$PRIV" > "$ROOT/etc/server-service.key"
+echo "ADMIN_PUBLIC_KEY=$PUB" > "$ROOT/etc/server-service.env"
+echo "SERVICE_PUBLIC_KEY=$PUB" >> "$ROOT/etc/server-service.env"
+chmod 600 "$ROOT/etc/server-service.key" "$ROOT/etc/server-service.env" 2>/dev/null || true
+echo "Wrote etc/server-service.pub, etc/server-service.key, etc/server-service.env"