# =============================================================================
# MPC-System Production Deployment - Standalone Server Party
# =============================================================================
# Purpose: Deploy a single server-party that connects to the central Message Router.
# This configuration is used for distributed deployment where parties run on
# different physical machines, possibly behind NAT.
#
# Usage:
#   # On each party machine:
#   PARTY_ID=server-party-1 ./deploy.sh party up
#   PARTY_ID=server-party-2 ./deploy.sh party up
#   PARTY_ID=server-party-3 ./deploy.sh party up
#
# Required Environment Variables:
#   PARTY_ID            - Unique party identifier (e.g., server-party-1)
#   MESSAGE_ROUTER_ADDR - Public address of Message Router (e.g., grpc.mpc.example.com:50051)
#   CRYPTO_MASTER_KEY   - 64-character hex key for share encryption
#   POSTGRES_PASSWORD   - Password for the party's local PostgreSQL; this file
#                         refuses to start without it (see the `:?` checks)
#
# Architecture:
#   This Party (NAT OK) --[outbound gRPC]--> Message Router (Public Internet)
#
# Note: Parties ONLY connect to the Message Router. Session operations are
# proxied through the Message Router to the Session Coordinator internally.
#
# NAT Traversal:
#   - Party initiates a single outbound connection (no inbound ports needed)
#   - gRPC keepalive maintains the connection through NAT
#   - Heartbeat every 30 seconds keeps the connection alive
# =============================================================================

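services:
  # ============================================
  # PostgreSQL for Party's Local Key Storage
  # ============================================
  # No `ports:` entry: the database is not published on any host port and is
  # reachable only from containers attached to party-network.
  postgres:
    # The tag is mutable. Pin by digest (postgres:15-alpine@sha256:<digest>)
    # if the deployment needs reproducible, verifiable image pulls.
    image: postgres:15-alpine
    container_name: "mpc-party-postgres-${PARTY_ID:-party}"
    environment:
      TZ: Asia/Shanghai
      POSTGRES_DB: mpc_party
      POSTGRES_USER: "${POSTGRES_USER:-mpc_user}"
      # `:?` aborts `docker compose` when the variable is unset or empty, so
      # the database can never come up with a default or blank password.
      # NOTE(review): values passed through `environment:` are readable with
      # `docker inspect` by anyone who can reach the Docker socket. The
      # official postgres image also accepts POSTGRES_PASSWORD_FILE, which
      # pairs with a Compose `secrets:` entry if that exposure matters.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
    volumes:
      # Holds the party's encrypted key shares (see the volumes section).
      - party-postgres-data:/var/lib/postgresql/data
      # Mounted read-only. The postgres entrypoint runs these scripts only
      # when it initialises an empty data directory, not on later restarts.
      - ./migrations:/docker-entrypoint-initdb.d:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mpc_user} -d mpc_party"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - party-network
    restart: unless-stopped

  # ============================================
  # Server Party - Connects to Central Services
  # ============================================
  server-party:
    build:
      context: .
      dockerfile: services/server-party/Dockerfile
    container_name: "mpc-${PARTY_ID:-server-party}"
    # The party dials out to the Message Router, so nothing has to be
    # reachable from outside this machine. The container healthcheck below
    # talks to localhost inside the container and does not need this mapping;
    # the published HTTP port only serves health probes run on the host.
    # It is therefore bound to loopback by default. Set PARTY_HTTP_BIND to a
    # specific interface address only when a remote monitor must reach it,
    # and restrict that path with a host firewall.
    ports:
      - "${PARTY_HTTP_BIND:-127.0.0.1}:${PARTY_HTTP_PORT:-8080}:8080"
    environment:
      TZ: Asia/Shanghai
      # Party Identity
      PARTY_ID: "${PARTY_ID:?PARTY_ID must be set (e.g., server-party-1)}"
      PARTY_ROLE: "${PARTY_ROLE:-persistent}"

      # Server Configuration
      # Quoted so every parser hands the container a string, not an integer.
      MPC_SERVER_GRPC_PORT: "50051"
      MPC_SERVER_HTTP_PORT: "8080"
      MPC_SERVER_ENVIRONMENT: "${ENVIRONMENT:-production}"

      # Local Database for Key Storage
      MPC_DATABASE_HOST: postgres
      MPC_DATABASE_PORT: "5432"
      MPC_DATABASE_USER: "${POSTGRES_USER:-mpc_user}"
      MPC_DATABASE_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      MPC_DATABASE_DBNAME: mpc_party
      # TLS to the database is off. Traffic stays on the party-network bridge
      # between two containers on this host, and the stock postgres image is
      # not configured with a server certificate here.
      # NOTE(review): if the database ever moves off-host, enable TLS on the
      # server and switch this to a verifying mode before doing so.
      MPC_DATABASE_SSLMODE: disable

      # Central Service (PUBLIC address - accessible from this party's location)
      # Parties ONLY connect to Message Router (session ops proxied internally)
      MESSAGE_ROUTER_ADDR: "${MESSAGE_ROUTER_ADDR:?MESSAGE_ROUTER_ADDR must be set (e.g., grpc.mpc.example.com:50051)}"

      # Encryption Key for Key Shares
      # NOTE(review): this key protects the stored shares, yet it sits in the
      # container environment next to the database password (visible through
      # `docker inspect`, and typically kept in a .env file on disk). Keep
      # that file owner-readable only, and prefer a file-based secret if the
      # server-party binary can read one - confirm against the service.
      MPC_CRYPTO_MASTER_KEY: "${CRYPTO_MASTER_KEY:?CRYPTO_MASTER_KEY must be set (64 hex characters)}"

      # Optional: Notification channels for offline mode
      NOTIFICATION_EMAIL: "${NOTIFICATION_EMAIL:-}"
      NOTIFICATION_PHONE: "${NOTIFICATION_PHONE:-}"
      NOTIFICATION_PUSH_TOKEN: "${NOTIFICATION_PUSH_TOKEN:-}"
    depends_on:
      postgres:
        # Wait for pg_isready to succeed, not merely for the container start.
        condition: service_healthy
    healthcheck:
      # Runs inside the container; assumes curl is present in the image.
      test: ["CMD", "curl", "-sf", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - party-network
    restart: unless-stopped
    # Important: Allow container to resolve external DNS
    # NOTE(review): these are public resolvers, so lookups of the Message
    # Router hostname leave the site unencrypted. Substitute the
    # organisation's own resolvers where policy requires it.
    dns:
      - "8.8.8.8"
      - "8.8.4.4"
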
# ============================================
# Networks
# ============================================
networks:
  # Single bridge network joined by both postgres and server-party; it is the
  # only path between the party process and its local database.
  party-network:
    driver: bridge

# ============================================
# Volumes - Party's Local Key Storage
# IMPORTANT: Back up this volume! It contains encrypted key shares.
# NOTE(review): the file header describes CRYPTO_MASTER_KEY as the key for
# share encryption, so a volume backup is presumably unusable without it.
# Back the key up separately from the volume - confirm against the service.
# ============================================
volumes:
  party-postgres-data:
    driver: local
    # Named per party, so several parties on one host get separate volumes.
    name: mpc-party-${PARTY_ID:-party}-postgres-data