Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env}
- main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty
- docker-compose: env_file etc/server-service.env, mount etc/
- bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing
- ErrRegistrationNotConfigured for clearer 503 when keys not set
- etc/README.md, etc/.gitignore
- bin/gen-admin-key.sh for one-off key gen
- .env.example

Made-with: Cursor

etc/README.md

@@ -0,0 +1,26 @@
+# Server Service Keys
+
+Server Ed25519 keypair for client authentication and registration.
+
+## Generate
+
+```bash
+./bin/gen-server-keys.sh
+```
+
+Creates:
+
+- `server-service.pub` — public key; clients download via `GET /v1/service-key`
+- `server-service.key` — private key (keep secret)
+- `server-service.env` — env vars for docker compose (`ADMIN_PUBLIC_KEY`, `SERVICE_PUBLIC_KEY`)
+
+## Client Usage
+
+Clients fetch the server public key and use it to:
+
+1. **Register** — sign the server pubkey, post to `POST /v1/auth/register-by-signature`
+2. **Verify server identity** — for future signed responses or request validation
+
+## Docker Compose
+
+The api service uses `env_file: etc/server-service.env` and mounts `./etc` so keys are available. Run `./bin/gen-server-keys.sh` before first `docker compose up`.