Require signing_key at startup, add default config

- Add config validation: signing_key required, minimum 32 characters
- Server now fails to start without valid signing_key (no more runtime errors)
- Add config.example.yml with default whitelist hosts
- Copy config to /etc/pixa/config.yml in Docker image
- Update entrypoint to use --config /etc/pixa/config.yml
- Add config.dev.yml for local Docker development
- Mount dev config in make devserver

Dockerfile

@@ -35,14 +35,17 @@ RUN apk add --no-cache \
 # Copy binary from builder
 COPY --from=builder /pixad /usr/local/bin/pixad
 
-# Create non-root user and data directory
+# Create non-root user, config directory, and data directory
 RUN adduser -D -H -s /sbin/nologin pixad && \
-    mkdir -p /var/lib/pixa && \
+    mkdir -p /var/lib/pixa /etc/pixa && \
     chown pixad:pixad /var/lib/pixa
 
+# Copy default config (edit signing_key before use)
+COPY config.example.yml /etc/pixa/config.yml
+
 USER pixad
 WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
-ENTRYPOINT ["/usr/local/bin/pixad"]
+ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

Makefile

@@ -49,7 +49,9 @@ docker-test:
 
 # Run local dev server in Docker
 devserver: docker devserver-stop
-	docker run -d --name pixad-dev -p 8080:8080 pixad:latest
+	docker run -d --name pixad-dev -p 8080:8080 \
+		-v $(CURDIR)/config.dev.yml:/etc/pixa/config.yml:ro \
+		pixad:latest
 	@echo "pixad running at http://localhost:8080"
 
 # Stop dev server

config.dev.yml

@@ -0,0 +1,7 @@
+# Development config for local Docker testing
+signing_key: "dev-signing-key-minimum-32-chars!"
+debug: true
+allow_http: true
+whitelist_hosts:
+  - localhost
+  - s3.sneak.cloud

config.example.yml

@@ -0,0 +1,13 @@
+# Pixa configuration
+#
+# REQUIRED: Set signing_key before starting the server.
+# Generate with: openssl rand -base64 32
+
+signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
+
+whitelist_hosts:
+  - s3.sneak.cloud
+  - static.sneak.cloud
+  - sneak.berlin
+  - github.com
+  - user-images.githubusercontent.com

internal/config/config.go

@@ -84,9 +84,29 @@ func New(_ fx.Lifecycle, params Params) (*Config, error) {
 		params.Logger.EnableDebugLogging()
 	}
 
+	// Validate required configuration
+	if err := c.validate(); err != nil {
+		return nil, err
+	}
+
 	return c, nil
 }
 
+// validate checks that all required configuration values are set.
+func (c *Config) validate() error {
+	if c.SigningKey == "" {
+		return fmt.Errorf("signing_key is required")
+	}
+
+	// Minimum key length for security (32 bytes = 256 bits)
+	const minKeyLength = 32
+	if len(c.SigningKey) < minKeyLength {
+		return fmt.Errorf("signing_key must be at least %d characters", minKeyLength)
+	}
+
+	return nil
+}
+
 // loadConfigFile loads configuration from PIXA_CONFIG_PATH env var or standard locations.
 func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, error) {
 	// Check for explicit config path from environment