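# =============================================================================
# MPC System - Production Environment Configuration
# =============================================================================
#
# Deployment: Server B (192.168.1.111)
# Role: Threshold Signature Scheme (TSS) backend for 2-of-3 MPC wallet operations
#
# Architecture:
# ┌─────────────────────────────────────────────────────────────────────────┐
# │  MPC System Components (Go services on Server B)                        │
# ├─────────────────────────────────────────────────────────────────────────┤
# │  account-service      :4000 - User account & session management         │
# │  session-coordinator  :8081 - TSS protocol coordination                 │
# │  message-router       :8082 - WebSocket for P2P TSS messages            │
# │  server-party-api     :8083 - Server-side party operations              │
# │  server-party-1       :8091 - TSS party instance 1                      │
# │  server-party-2       :8092 - TSS party instance 2                      │
# ├─────────────────────────────────────────────────────────────────────────┤
# │  Infrastructure                                                         │
# │  postgres             :5432 - MPC database                              │
# │  redis                :6379 - Session cache                             │
# │  rabbitmq             :5672 - Internal message queue                    │
# └─────────────────────────────────────────────────────────────────────────┘
#
# Network Flow:
#   mpc-service (NestJS) → account-service → session-coordinator → parties
#                                                   ↓
#   Mobile App → message-router (WebSocket) → client party
#
# Setup Instructions:
#   1. Copy this file: cp .env.example .env
#   2. Update ALL values according to your production environment
#   3. Generate secure random keys for secrets (see instructions below)
#   4. Start services: ./deploy.sh up
#
# IMPORTANT: This file contains examples only!
# In production, you MUST:
#   - Change ALL passwords and keys to secure random values
#   - Update ALLOWED_IPS to match your actual backend server IP
#   - Keep the .env file secure and NEVER commit it to version control
#
# NOTE: Most placeholders below are ordinary strings that a service would
# accept as a real password or key; nothing in this file stops a deployment
# from starting with them. Before the first start, confirm none are left:
#   grep -n 'change_this' .env        (must print nothing)
# and restrict the file to the deploying user:
#   chmod 600 .env
# =============================================================================

# =============================================================================
# Environment Identifier
# =============================================================================
# Options: development, staging, production
ENVIRONMENT=production

# =============================================================================
# Network Configuration
# =============================================================================
# Server B internal IP (where MPC system runs)
MPC_SERVER_IP=192.168.1.111

# Server A internal IP (Kong gateway, for ALLOWED_IPS if needed)
GATEWAY_SERVER_IP=192.168.1.100

# =============================================================================
# PostgreSQL Database Configuration
# =============================================================================
# Database user (can keep default or customize)
POSTGRES_USER=mpc_user

# Database password
# SECURITY: Generate a strong password in production!
# Example command: openssl rand -base64 32
# NOTE: base64 output can contain '/', '+' and '='. If the services place this
# value inside a connection URL, URL-encode it or generate it with
# "openssl rand -hex 32" instead (verify how the services consume it).
POSTGRES_PASSWORD=change_this_to_secure_postgres_password

# =============================================================================
# Redis Cache Configuration
# =============================================================================
# Redis password (leave empty if Redis is only accessible within Docker network)
# For production, consider setting a password for defense in depth
# With an empty value, network isolation is the only control on the session
# cache: any process that can reach redis:6379 can read and modify it.
# Example command: openssl rand -base64 24
REDIS_PASSWORD=

# =============================================================================
# RabbitMQ Message Broker Configuration
# =============================================================================
# RabbitMQ user (can keep default or customize)
RABBITMQ_USER=mpc_user

# RabbitMQ password
# SECURITY: Generate a strong password in production!
# Example command: openssl rand -base64 32
RABBITMQ_PASSWORD=change_this_to_secure_rabbitmq_password

# =============================================================================
# JWT Configuration
# =============================================================================
# JWT signing secret key (minimum 32 characters)
# SECURITY: Generate a strong random key in production!
# Example command: openssl rand -base64 48
# IMPORTANT: This MUST match MPC_JWT_SECRET in mpc-service configuration!
# This is a shared secret: presumably any holder can issue tokens the MPC
# system accepts, so store it with the same care on both sides and rotate it
# in both places together.
JWT_SECRET_KEY=change_this_jwt_secret_key_to_random_value_min_32_chars

# =============================================================================
# Cryptography Configuration
# =============================================================================
# Master encryption key for encrypting stored key shares
# MUST be exactly 64 hexadecimal characters (256-bit key)
# SECURITY: Generate a secure random key in production!
# Example command: openssl rand -hex 32
# WARNING: If you lose this key, encrypted shares cannot be recovered!
# Keep a backup of this key, stored separately from the database backups:
# whoever holds both the key and the database can decrypt the key shares.
# The placeholder below is deliberately NOT valid hex. A well-formed example
# key would pass the 64-hex-character format check and let an unedited copy of
# this file encrypt shares under a publicly known key; this value should be
# rejected at startup instead (confirm the services validate the format).
CRYPTO_MASTER_KEY=change_this_to_64_hex_chars_from_openssl_rand_hex_32

# =============================================================================
# API Security Configuration
# =============================================================================
# API authentication key for server-to-server communication
# This key must match the MPC_API_KEY in your backend mpc-service configuration
# SECURITY: Generate a strong random key and keep it synchronized!
# Example command: openssl rand -base64 48
MPC_API_KEY=change_this_api_key_to_match_your_mpc_service_config

# Allowed IP addresses (comma-separated list)
# Only these IPs can access the MPC system APIs
# IMPORTANT: In production, restrict this to your actual backend server IP(s)!
#
# Recommended configuration for your environment:
#   - 192.168.1.111: Server B (mpc-service running here)
#   - 192.168.1.100: Server A (if Kong needs direct access)
#   - 127.0.0.1: Local Docker network
#
# Examples:
#   Single IP:     ALLOWED_IPS=192.168.1.111
#   Multiple IPs:  ALLOWED_IPS=192.168.1.111,192.168.1.100,127.0.0.1
#   Allow all:     ALLOWED_IPS= (empty, relies on API_KEY auth only - NOT RECOMMENDED)
#
# NOTE: The list is matched against the source address the service sees. Behind
# a gateway or Docker NAT that may be the proxy or bridge address rather than
# the original caller; verify which address arrives before relying on this list.
#
# For your deployment (mpc-service on same server as mpc-system):
ALLOWED_IPS=192.168.1.111,127.0.0.1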