Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env}
- main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty
- docker-compose: env_file etc/server-service.env, mount etc/
- bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing
- ErrRegistrationNotConfigured for clearer 503 when keys not set
- etc/README.md, etc/.gitignore
- bin/gen-admin-key.sh for one-off key gen
- .env.example

Made-with: Cursor

internal/app/service.go

@@ -12,15 +12,16 @@ import (
 )
 
 var (
-	ErrUnauthorized   = errors.New("unauthorized")
-	ErrForbidden      = errors.New("forbidden")
-	ErrBadRequest     = errors.New("bad request")
-	ErrInviteInvalid  = errors.New("invite invalid")
-	ErrInviteExpired  = errors.New("invite expired")
-	ErrInviteExhaust  = errors.New("invite exhausted")
-	ErrAlreadyUser    = errors.New("user already registered")
-	ErrCollectionMiss = errors.New("collection missing")
-	ErrFeatureMiss    = errors.New("feature missing")
+	ErrUnauthorized              = errors.New("unauthorized")
+	ErrForbidden                 = errors.New("forbidden")
+	ErrBadRequest                = errors.New("bad request")
+	ErrRegistrationNotConfigured = errors.New("registration by signature not configured; set ADMIN_PUBLIC_KEY")
+	ErrInviteInvalid             = errors.New("invite invalid")
+	ErrInviteExpired             = errors.New("invite expired")
+	ErrInviteExhaust             = errors.New("invite exhausted")
+	ErrAlreadyUser               = errors.New("user already registered")
+	ErrCollectionMiss            = errors.New("collection missing")
+	ErrFeatureMiss               = errors.New("feature missing")
 )
 
 type Config struct {
@@ -62,7 +63,7 @@ func (s *Service) ServicePublicKey() string {
 
 func (s *Service) RegisterBySignature(publicKey, signature string) error {
 	if s.servicePublicKey == "" {
-		return fmt.Errorf("%w: registration by signature not configured", ErrBadRequest)
+		return ErrRegistrationNotConfigured
 	}
 	if publicKey == "" {
 		return fmt.Errorf("%w: missing public key", ErrBadRequest)

internal/http/handlers.go

@@ -88,6 +88,8 @@ func statusFromErr(err error) int {
 		return http.StatusBadRequest
 	case errors.Is(err, app.ErrAlreadyUser):
 		return http.StatusConflict
+	case errors.Is(err, app.ErrRegistrationNotConfigured):
+		return http.StatusServiceUnavailable
 	case errors.Is(err, app.ErrInviteInvalid),
 		errors.Is(err, app.ErrInviteExpired),
 		errors.Is(err, app.ErrInviteExhaust):
@@ -165,7 +167,7 @@ func (a *API) login(w http.ResponseWriter, r *http.Request) {
 func (a *API) getServiceKey(w http.ResponseWriter, _ *http.Request) {
 	pk := a.service.ServicePublicKey()
 	if pk == "" {
-		writeErr(w, app.ErrBadRequest)
+		writeErr(w, app.ErrRegistrationNotConfigured)
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"publicKey": pk})