feat(mpc-system): 优化 Docker 部署配置适配生产环境
部署位置: 192.168.1.100 (Nginx + MPC 服务器) 主要修改: - 对外仅暴露端口 4000 (account-service) - 移除基础设施服务的外部端口暴露 - 默认使用 production 环境 - 添加 MPC_API_KEY 和 ALLOWED_IPS 安全配置 - 新增 .env.example 生产环境配置模板 - 移除 Consul 服务发现 (简化部署) - 优化 Redis 内存配置 架构说明: - account-service:4000 为对外 API 入口 - 后端服务器 (192.168.1.111) 的 mpc-service 通过此端口调用 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
parent
01e192ea17
commit
c63be04322
|
|
@ -0,0 +1,52 @@
|
|||
# MPC-System 环境变量配置
|
||||
# 部署位置: 192.168.1.100 (Nginx + MPC 服务器)
|
||||
#
|
||||
# 使用方法:
|
||||
# 1. 复制此文件: cp .env.example .env
|
||||
# 2. 修改为实际生产环境的值
|
||||
# 3. 启动: docker compose up -d
|
||||
|
||||
# ============================================
|
||||
# 环境标识
|
||||
# ============================================
|
||||
ENVIRONMENT=production
|
||||
|
||||
# ============================================
|
||||
# PostgreSQL 数据库
|
||||
# ============================================
|
||||
POSTGRES_USER=mpc_user
|
||||
POSTGRES_PASSWORD=your_secure_postgres_password_here
|
||||
|
||||
# ============================================
|
||||
# Redis 缓存
|
||||
# ============================================
|
||||
# 留空表示不需要密码 (内部网络)
|
||||
REDIS_PASSWORD=
|
||||
|
||||
# ============================================
|
||||
# RabbitMQ 消息队列
|
||||
# ============================================
|
||||
RABBITMQ_USER=mpc_user
|
||||
RABBITMQ_PASSWORD=your_secure_rabbitmq_password_here
|
||||
|
||||
# ============================================
|
||||
# JWT 配置
|
||||
# ============================================
|
||||
# JWT 签名密钥 (至少 32 字符)
|
||||
JWT_SECRET_KEY=your_super_secure_jwt_secret_key_at_least_32_characters
|
||||
|
||||
# ============================================
|
||||
# 加密配置
|
||||
# ============================================
|
||||
# 主加密密钥 (64 位十六进制字符 = 256 位密钥)
|
||||
# 用于加密存储的密钥分片
|
||||
CRYPTO_MASTER_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
||||
|
||||
# ============================================
|
||||
# API 安全配置
|
||||
# ============================================
|
||||
# API 认证密钥 (与后端服务器的 mpc-service 配置一致)
|
||||
MPC_API_KEY=your_very_secure_api_key_at_least_32_characters
|
||||
|
||||
# 允许访问的 IP 地址 (后端服务器)
|
||||
ALLOWED_IPS=192.168.1.111
|
||||
|
|
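Review bot: The `CRYPTO_MASTER_KEY` line in the new `.env.example` ships a well-formed 64-hex value (`0123456789abcdef…`) that is the same string the compose file used as its hard-coded default, so a `cp .env.example .env` that skips step 2 of the header yields a .env that passes any length/hex validation and encrypts the stored key shares under a publicly known key. Every other secret in the file uses an obviously non-valid placeholder (`your_secure_..._here`); the master key should follow suit and carry a generation hint, e.g. `# generate with: openssl rand -hex 32 (never reuse the example value)` followed by `CRYPTO_MASTER_KEY=REPLACE_WITH_64_HEX_CHARS`. It would also help to state in the header that the copied `.env` must be excluded from version control, since this template is the only place operators will read deployment instructions. `REDIS_PASSWORD=` left empty is consistent with the infrastructure ports no longer being published, but the comment should say that the empty value is only acceptable while Redis stays off the host network.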
@ -1,4 +1,12 @@
|
|||
version: '3.8'
|
||||
# MPC-System Docker Compose Configuration
|
||||
# 部署位置: 192.168.1.100 (Nginx + MPC 服务器)
|
||||
# 用途: TSS 密钥生成、签名服务
|
||||
#
|
||||
# 启动命令:
|
||||
# 生产环境: docker compose --env-file .env.production up -d
|
||||
# 开发环境: docker compose up -d
|
||||
#
|
||||
# 对外端口: 4000 (Account Service HTTP) - 供 mpc-service (192.168.1.111:3001) 调用
|
||||
|
||||
services:
|
||||
# ============================================
|
||||
|
|
@ -11,31 +19,31 @@ services:
|
|||
container_name: mpc-postgres
|
||||
environment:
|
||||
POSTGRES_DB: mpc_system
|
||||
POSTGRES_USER: mpc_user
|
||||
POSTGRES_USER: ${POSTGRES_USER:-mpc_user}
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
ports:
|
||||
- "5432:5432"
|
||||
volumes:
|
||||
- postgres-data:/var/lib/postgresql/data
|
||||
- ./migrations:/docker-entrypoint-initdb.d:ro
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U mpc_user -d mpc_system"]
|
||||
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mpc_user} -d mpc_system"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
start_period: 30s
|
||||
networks:
|
||||
- mpc-network
|
||||
restart: unless-stopped
|
||||
# 生产环境不暴露端口到主机,仅内部网络可访问
|
||||
# ports:
|
||||
# - "5432:5432"
|
||||
|
||||
# Redis Cache
|
||||
redis:
|
||||
image: redis:7-alpine
|
||||
container_name: mpc-redis
|
||||
ports:
|
||||
- "6379:6379"
|
||||
command: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}
|
||||
volumes:
|
||||
- redis-data:/data
|
||||
command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "ping"]
|
||||
interval: 10s
|
||||
|
|
@ -43,16 +51,14 @@ services:
|
|||
retries: 5
|
||||
networks:
|
||||
- mpc-network
|
||||
restart: unless-stopped
|
||||
|
||||
# RabbitMQ Message Broker
|
||||
rabbitmq:
|
||||
image: rabbitmq:3-management-alpine
|
||||
container_name: mpc-rabbitmq
|
||||
ports:
|
||||
- "5672:5672"
|
||||
- "15672:15672"
|
||||
environment:
|
||||
RABBITMQ_DEFAULT_USER: mpc_user
|
||||
RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER:-mpc_user}
|
||||
RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
|
||||
RABBITMQ_DEFAULT_VHOST: /
|
||||
volumes:
|
||||
|
|
@ -65,57 +71,39 @@ services:
|
|||
start_period: 30s
|
||||
networks:
|
||||
- mpc-network
|
||||
|
||||
# Consul Service Discovery
|
||||
consul:
|
||||
image: consul:1.16
|
||||
container_name: mpc-consul
|
||||
ports:
|
||||
- "8500:8500"
|
||||
- "8600:8600/udp"
|
||||
command: agent -server -ui -bootstrap-expect=1 -client=0.0.0.0
|
||||
volumes:
|
||||
- consul-data:/consul/data
|
||||
healthcheck:
|
||||
test: ["CMD", "consul", "members"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
networks:
|
||||
- mpc-network
|
||||
restart: unless-stopped
|
||||
# 生产环境管理界面仅开发时使用
|
||||
# ports:
|
||||
# - "15672:15672"
|
||||
|
||||
# ============================================
|
||||
# MPC Services
|
||||
# MPC Core Services
|
||||
# ============================================
|
||||
|
||||
# Session Coordinator Service
|
||||
# Session Coordinator Service - 会话协调器
|
||||
session-coordinator:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: services/session-coordinator/Dockerfile
|
||||
container_name: mpc-session-coordinator
|
||||
ports:
|
||||
- "50051:50051" # gRPC
|
||||
- "8080:8080" # HTTP
|
||||
environment:
|
||||
MPC_SERVER_GRPC_PORT: 50051
|
||||
MPC_SERVER_HTTP_PORT: 8080
|
||||
MPC_SERVER_ENVIRONMENT: development
|
||||
MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
|
||||
MPC_DATABASE_HOST: postgres
|
||||
MPC_DATABASE_PORT: 5432
|
||||
MPC_DATABASE_USER: mpc_user
|
||||
MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
|
||||
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
MPC_DATABASE_DBNAME: mpc_system
|
||||
MPC_DATABASE_SSLMODE: disable
|
||||
MPC_REDIS_HOST: redis
|
||||
MPC_REDIS_PORT: 6379
|
||||
MPC_REDIS_PASSWORD: ${REDIS_PASSWORD:-}
|
||||
MPC_RABBITMQ_HOST: rabbitmq
|
||||
MPC_RABBITMQ_PORT: 5672
|
||||
MPC_RABBITMQ_USER: mpc_user
|
||||
MPC_RABBITMQ_USER: ${RABBITMQ_USER:-mpc_user}
|
||||
MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
|
||||
MPC_CONSUL_HOST: consul
|
||||
MPC_CONSUL_PORT: 8500
|
||||
MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:-super_secret_jwt_key_change_in_production}
|
||||
MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}
|
||||
MPC_JWT_ISSUER: mpc-system
|
||||
depends_on:
|
||||
postgres:
|
||||
|
|
@ -134,28 +122,25 @@ services:
|
|||
- mpc-network
|
||||
restart: unless-stopped
|
||||
|
||||
# Message Router Service
|
||||
# Message Router Service - 消息路由
|
||||
message-router:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: services/message-router/Dockerfile
|
||||
container_name: mpc-message-router
|
||||
ports:
|
||||
- "50052:50051" # gRPC
|
||||
- "8081:8080" # HTTP
|
||||
environment:
|
||||
MPC_SERVER_GRPC_PORT: 50051
|
||||
MPC_SERVER_HTTP_PORT: 8080
|
||||
MPC_SERVER_ENVIRONMENT: development
|
||||
MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
|
||||
MPC_DATABASE_HOST: postgres
|
||||
MPC_DATABASE_PORT: 5432
|
||||
MPC_DATABASE_USER: mpc_user
|
||||
MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
|
||||
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
MPC_DATABASE_DBNAME: mpc_system
|
||||
MPC_DATABASE_SSLMODE: disable
|
||||
MPC_RABBITMQ_HOST: rabbitmq
|
||||
MPC_RABBITMQ_PORT: 5672
|
||||
MPC_RABBITMQ_USER: mpc_user
|
||||
MPC_RABBITMQ_USER: ${RABBITMQ_USER:-mpc_user}
|
||||
MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
|
||||
depends_on:
|
||||
postgres:
|
||||
|
|
@ -172,28 +157,30 @@ services:
|
|||
- mpc-network
|
||||
restart: unless-stopped
|
||||
|
||||
# Server Party Service - Party 1
|
||||
# ============================================
|
||||
# Server Party Services - TSS 参与方
|
||||
# 2-of-3 阈值签名: 至少 2 个 party 参与才能完成签名
|
||||
# ============================================
|
||||
|
||||
# Server Party 1
|
||||
server-party-1:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: services/server-party/Dockerfile
|
||||
container_name: mpc-server-party-1
|
||||
ports:
|
||||
- "50053:50051" # gRPC
|
||||
- "8082:8080" # HTTP
|
||||
environment:
|
||||
MPC_SERVER_GRPC_PORT: 50051
|
||||
MPC_SERVER_HTTP_PORT: 8080
|
||||
MPC_SERVER_ENVIRONMENT: development
|
||||
MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
|
||||
MPC_DATABASE_HOST: postgres
|
||||
MPC_DATABASE_PORT: 5432
|
||||
MPC_DATABASE_USER: mpc_user
|
||||
MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
|
||||
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
MPC_DATABASE_DBNAME: mpc_system
|
||||
MPC_DATABASE_SSLMODE: disable
|
||||
SESSION_COORDINATOR_ADDR: session-coordinator:50051
|
||||
MESSAGE_ROUTER_ADDR: message-router:50051
|
||||
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
|
||||
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
|
||||
PARTY_ID: server-party-1
|
||||
depends_on:
|
||||
postgres:
|
||||
|
|
@ -212,28 +199,25 @@ services:
|
|||
- mpc-network
|
||||
restart: unless-stopped
|
||||
|
||||
# Server Party Service - Party 2
|
||||
# Server Party 2
|
||||
server-party-2:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: services/server-party/Dockerfile
|
||||
container_name: mpc-server-party-2
|
||||
ports:
|
||||
- "50055:50051" # gRPC
|
||||
- "8084:8080" # HTTP
|
||||
environment:
|
||||
MPC_SERVER_GRPC_PORT: 50051
|
||||
MPC_SERVER_HTTP_PORT: 8080
|
||||
MPC_SERVER_ENVIRONMENT: development
|
||||
MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
|
||||
MPC_DATABASE_HOST: postgres
|
||||
MPC_DATABASE_PORT: 5432
|
||||
MPC_DATABASE_USER: mpc_user
|
||||
MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
|
||||
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
MPC_DATABASE_DBNAME: mpc_system
|
||||
MPC_DATABASE_SSLMODE: disable
|
||||
SESSION_COORDINATOR_ADDR: session-coordinator:50051
|
||||
MESSAGE_ROUTER_ADDR: message-router:50051
|
||||
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
|
||||
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
|
||||
PARTY_ID: server-party-2
|
||||
depends_on:
|
||||
postgres:
|
||||
|
|
@ -252,28 +236,25 @@ services:
|
|||
- mpc-network
|
||||
restart: unless-stopped
|
||||
|
||||
# Server Party Service - Party 3
|
||||
# Server Party 3
|
||||
server-party-3:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: services/server-party/Dockerfile
|
||||
container_name: mpc-server-party-3
|
||||
ports:
|
||||
- "50056:50051" # gRPC
|
||||
- "8085:8080" # HTTP
|
||||
environment:
|
||||
MPC_SERVER_GRPC_PORT: 50051
|
||||
MPC_SERVER_HTTP_PORT: 8080
|
||||
MPC_SERVER_ENVIRONMENT: development
|
||||
MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
|
||||
MPC_DATABASE_HOST: postgres
|
||||
MPC_DATABASE_PORT: 5432
|
||||
MPC_DATABASE_USER: mpc_user
|
||||
MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
|
||||
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
MPC_DATABASE_DBNAME: mpc_system
|
||||
MPC_DATABASE_SSLMODE: disable
|
||||
SESSION_COORDINATOR_ADDR: session-coordinator:50051
|
||||
MESSAGE_ROUTER_ADDR: message-router:50051
|
||||
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
|
||||
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
|
||||
PARTY_ID: server-party-3
|
||||
depends_on:
|
||||
postgres:
|
||||
|
|
@ -292,30 +273,42 @@ services:
|
|||
- mpc-network
|
||||
restart: unless-stopped
|
||||
|
||||
# Account Service
|
||||
# ============================================
|
||||
# Account Service - 对外 API 入口
|
||||
# 端口 4000: 供 mpc-service (192.168.1.111:3001) 调用
|
||||
# ============================================
|
||||
account-service:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: services/account/Dockerfile
|
||||
container_name: mpc-account-service
|
||||
ports:
|
||||
- "50054:50051" # gRPC
|
||||
- "8083:8080" # HTTP
|
||||
# 对外暴露端口 4000,供后端服务器 (192.168.1.111) 的 mpc-service 调用
|
||||
- "4000:8080"
|
||||
environment:
|
||||
MPC_SERVER_GRPC_PORT: 50051
|
||||
MPC_SERVER_HTTP_PORT: 8080
|
||||
MPC_SERVER_ENVIRONMENT: development
|
||||
MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
|
||||
MPC_DATABASE_HOST: postgres
|
||||
MPC_DATABASE_PORT: 5432
|
||||
MPC_DATABASE_USER: mpc_user
|
||||
MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
|
||||
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
|
||||
MPC_DATABASE_DBNAME: mpc_system
|
||||
MPC_DATABASE_SSLMODE: disable
|
||||
MPC_REDIS_HOST: redis
|
||||
MPC_REDIS_PORT: 6379
|
||||
MPC_REDIS_PASSWORD: ${REDIS_PASSWORD:-}
|
||||
MPC_COORDINATOR_URL: session-coordinator:50051
|
||||
MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:-super_secret_jwt_key_change_in_production}
|
||||
MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}
|
||||
# API 认证密钥 (与 mpc-service 配置的 MPC_API_KEY 一致)
|
||||
MPC_API_KEY: ${MPC_API_KEY}
|
||||
# 允许的来源 IP (后端服务器)
|
||||
ALLOWED_IPS: ${ALLOWED_IPS:-192.168.1.111}
|
||||
depends_on:
|
||||
postgres:
|
||||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
session-coordinator:
|
||||
condition: service_healthy
|
||||
healthcheck:
|
||||
|
|
@ -336,10 +329,12 @@ networks:
|
|||
driver: bridge
|
||||
|
||||
# ============================================
|
||||
# Volumes
|
||||
# Volumes - 持久化存储
|
||||
# ============================================
|
||||
volumes:
|
||||
postgres-data:
|
||||
driver: local
|
||||
redis-data:
|
||||
driver: local
|
||||
rabbitmq-data:
|
||||
consul-data:
|
||||
driver: local
|
||||
|
|
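Review bot: Dropping the insecure defaults in favour of `${JWT_SECRET_KEY}`, `${CRYPTO_MASTER_KEY}` and `${MPC_API_KEY}` does not make them required — Compose substitutes an empty string (with only a warning) when the variable is unset, so a production stack missing `.env` starts with an empty JWT signing key, an empty master key and an empty API key. Use the fail-fast form for all three, e.g. `MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:?JWT_SECRET_KEY must be set}`, `MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:?CRYPTO_MASTER_KEY must be set}`, `MPC_API_KEY: ${MPC_API_KEY:?MPC_API_KEY must be set}`; the same change applies to the session-coordinator hunk and each of the three server-party hunks above. In the account-service hunk, `- "4000:8080"` publishes on every host interface; if the host's Nginx is the only intended path to this port, bind it as `- "127.0.0.1:4000:8080"`, and if mpc-service calls it directly, note that the `ALLOWED_IPS` check presumably relies on the observed peer address, which would be the bridge gateway rather than 192.168.1.111 for any request that arrives via a same-host proxy — worth confirming against how the service reads the client IP. The `ALLOWED_IPS` default of `192.168.1.111` duplicates the value in `.env.example`; keeping it in one place (the env file, with `:?`) avoids the two drifting apart.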
|
|||