Require signing_key at startup, add default config

- Add config validation: signing_key required, minimum 32 characters - Server now fails to start without valid signing_key (no more runtime errors) - Add config.example.yml with default whitelist hosts - Copy config to /etc/pixa/config.yml in Docker image - Update entrypoint to use --config /etc/pixa/config.yml - Add config.dev.yml for local Docker development - Mount dev config in make devserver
2026-01-08 15:48:37 -08:00
parent d2e2e319be
commit 02dedd433b
5 changed files with 49 additions and 4 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -84,9 +84,29 @@ func New(_ fx.Lifecycle, params Params) (*Config, error) {
 		params.Logger.EnableDebugLogging()
 	}

+	// Validate required configuration
+	if err := c.validate(); err != nil {
+		return nil, err
+	}
+
 	return c, nil
 }

+// validate checks that all required configuration values are set.
+func (c *Config) validate() error {
+	if c.SigningKey == "" {
+		return fmt.Errorf("signing_key is required")
+	}
+
+	// Minimum key length for security (32 bytes = 256 bits)
+	const minKeyLength = 32
+	if len(c.SigningKey) < minKeyLength {
+		return fmt.Errorf("signing_key must be at least %d characters", minKeyLength)
+	}
+
+	return nil
+}
+
 // loadConfigFile loads configuration from PIXA_CONFIG_PATH env var or standard locations.
 func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, error) {
 	// Check for explicit config path from environment