Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env}
- main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty
- docker-compose: env_file etc/server-service.env, mount etc/
- bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing
- ErrRegistrationNotConfigured for clearer 503 when keys not set
- etc/README.md, etc/.gitignore
- bin/gen-admin-key.sh for one-off key gen
- .env.example

Made-with: Cursor

internal/http/handlers.go

@@ -88,6 +88,8 @@ func statusFromErr(err error) int {
 		return http.StatusBadRequest
 	case errors.Is(err, app.ErrAlreadyUser):
 		return http.StatusConflict
+	case errors.Is(err, app.ErrRegistrationNotConfigured):
+		return http.StatusServiceUnavailable
 	case errors.Is(err, app.ErrInviteInvalid),
 		errors.Is(err, app.ErrInviteExpired),
 		errors.Is(err, app.ErrInviteExhaust):
@@ -165,7 +167,7 @@ func (a *API) login(w http.ResponseWriter, r *http.Request) {
 func (a *API) getServiceKey(w http.ResponseWriter, _ *http.Request) {
 	pk := a.service.ServicePublicKey()
 	if pk == "" {
-		writeErr(w, app.ErrBadRequest)
+		writeErr(w, app.ErrRegistrationNotConfigured)
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"publicKey": pk})