Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env} - main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty - docker-compose: env_file etc/server-service.env, mount etc/ - bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing - ErrRegistrationNotConfigured for clearer 503 when keys not set - etc/README.md, etc/.gitignore - bin/gen-admin-key.sh for one-off key gen - .env.example Made-with: Cursor
2026-03-01 13:02:40 +00:00
parent a5a97a0ad9
commit 18328706bd
14 changed files with 129 additions and 16 deletions
@@ -12,15 +12,16 @@ import (
 )

 var (
-	ErrUnauthorized   = errors.New("unauthorized")
-	ErrForbidden      = errors.New("forbidden")
-	ErrBadRequest     = errors.New("bad request")
-	ErrInviteInvalid  = errors.New("invite invalid")
-	ErrInviteExpired  = errors.New("invite expired")
-	ErrInviteExhaust  = errors.New("invite exhausted")
-	ErrAlreadyUser    = errors.New("user already registered")
-	ErrCollectionMiss = errors.New("collection missing")
-	ErrFeatureMiss    = errors.New("feature missing")
+	ErrUnauthorized              = errors.New("unauthorized")
+	ErrForbidden                 = errors.New("forbidden")
+	ErrBadRequest                = errors.New("bad request")
+	ErrRegistrationNotConfigured = errors.New("registration by signature not configured; set ADMIN_PUBLIC_KEY")
+	ErrInviteInvalid             = errors.New("invite invalid")
+	ErrInviteExpired             = errors.New("invite expired")
+	ErrInviteExhaust             = errors.New("invite exhausted")
+	ErrAlreadyUser               = errors.New("user already registered")
+	ErrCollectionMiss            = errors.New("collection missing")
+	ErrFeatureMiss               = errors.New("feature missing")
 )

 type Config struct {
@@ -62,7 +63,7 @@ func (s *Service) ServicePublicKey() string {

 func (s *Service) RegisterBySignature(publicKey, signature string) error {
 	if s.servicePublicKey == "" {
-		return fmt.Errorf("%w: registration by signature not configured", ErrBadRequest)
+		return ErrRegistrationNotConfigured
 	}
 	if publicKey == "" {
 		return fmt.Errorf("%w: missing public key", ErrBadRequest)