132 lines
6.9 KiB
Plaintext
132 lines
6.9 KiB
Plaintext
# =============================================================================
|
|
# MPC System - Production Environment Configuration
|
|
# =============================================================================
|
|
#
|
|
# Deployment: Server B (192.168.1.111)
|
|
# Role: Threshold Signature Scheme (TSS) backend for 2-of-3 MPC wallet operations
|
|
#
|
|
# Architecture:
|
|
# ┌─────────────────────────────────────────────────────────────────────────┐
|
|
# │ MPC System Components (Go services on Server B) │
|
|
# ├─────────────────────────────────────────────────────────────────────────┤
|
|
# │ account-service :4000 - User account & session management │
|
|
# │ session-coordinator :8081 - TSS protocol coordination │
|
|
# │ message-router :8082 - WebSocket for P2P TSS messages │
|
|
# │ server-party-api :8083 - Server-side party operations │
|
|
# │ server-party-1 :8091 - TSS party instance 1 │
|
|
# │ server-party-2 :8092 - TSS party instance 2 │
|
|
# ├─────────────────────────────────────────────────────────────────────────┤
|
|
# │ Infrastructure │
|
|
# │ postgres :5432 - MPC database │
|
|
# │ redis :6379 - Session cache │
|
|
# │ rabbitmq :5672 - Internal message queue │
|
|
# └─────────────────────────────────────────────────────────────────────────┘
|
|
#
|
|
# Network Flow:
|
|
# mpc-service (NestJS) → account-service → session-coordinator → parties
|
|
# ↓
|
|
# Mobile App → message-router (WebSocket) → client party
|
|
#
|
|
# Setup Instructions:
|
|
# 1. Copy this file: cp .env.example .env
|
|
# 2. Update ALL values according to your production environment
|
|
# 3. Generate secure random keys for secrets (see instructions below)
|
|
# 4. Start services: ./deploy.sh up
|
|
#
|
|
# IMPORTANT: This file contains examples only!
|
|
# In production, you MUST:
|
|
# - Change ALL passwords and keys to secure random values
|
|
# - Update ALLOWED_IPS to match your actual backend server IP
|
|
# - Keep the .env file secure and NEVER commit it to version control
|
|
# =============================================================================
|
|
|
|
# =============================================================================
|
|
# Environment Identifier
|
|
# =============================================================================
|
|
# Options: development, staging, production
|
|
ENVIRONMENT=production
|
|
|
|
# =============================================================================
|
|
# Network Configuration
|
|
# =============================================================================
|
|
# Server B internal IP (where MPC system runs)
|
|
MPC_SERVER_IP=192.168.1.111
|
|
|
|
# Server A internal IP (Kong gateway, for ALLOWED_IPS if needed)
|
|
GATEWAY_SERVER_IP=192.168.1.100
|
|
|
|
# =============================================================================
|
|
# PostgreSQL Database Configuration
|
|
# =============================================================================
|
|
# Database user (can keep default or customize)
|
|
POSTGRES_USER=mpc_user
|
|
|
|
# Database password
|
|
# SECURITY: Generate a strong password in production!
|
|
# Example command: openssl rand -base64 32
|
|
POSTGRES_PASSWORD=change_this_to_secure_postgres_password
|
|
|
|
# =============================================================================
|
|
# Redis Cache Configuration
|
|
# =============================================================================
|
|
# Redis password (leave empty if Redis is only accessible within Docker network)
|
|
# For production, consider setting a password for defense in depth
|
|
# Example command: openssl rand -base64 24
|
|
REDIS_PASSWORD=
|
|
|
|
# =============================================================================
|
|
# RabbitMQ Message Broker Configuration
|
|
# =============================================================================
|
|
# RabbitMQ user (can keep default or customize)
|
|
RABBITMQ_USER=mpc_user
|
|
|
|
# RabbitMQ password
|
|
# SECURITY: Generate a strong password in production!
|
|
# Example command: openssl rand -base64 32
|
|
RABBITMQ_PASSWORD=change_this_to_secure_rabbitmq_password
|
|
|
|
# =============================================================================
|
|
# JWT Configuration
|
|
# =============================================================================
|
|
# JWT signing secret key (minimum 32 characters)
|
|
# SECURITY: Generate a strong random key in production!
|
|
# Example command: openssl rand -base64 48
|
|
# IMPORTANT: This MUST match MPC_JWT_SECRET in mpc-service configuration!
|
|
JWT_SECRET_KEY=change_this_jwt_secret_key_to_random_value_min_32_chars
|
|
|
|
# =============================================================================
|
|
# Cryptography Configuration
|
|
# =============================================================================
|
|
# Master encryption key for encrypting stored key shares
|
|
# MUST be exactly 64 hexadecimal characters (256-bit key)
|
|
# SECURITY: Generate a secure random key in production!
|
|
# Example command: openssl rand -hex 32
|
|
# WARNING: If you lose this key, encrypted shares cannot be recovered!
|
|
CRYPTO_MASTER_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
|
|
|
# =============================================================================
|
|
# API Security Configuration
|
|
# =============================================================================
|
|
# API authentication key for server-to-server communication
|
|
# This key must match the MPC_API_KEY in your backend mpc-service configuration
|
|
# SECURITY: Generate a strong random key and keep it synchronized!
|
|
# Example command: openssl rand -base64 48
|
|
MPC_API_KEY=change_this_api_key_to_match_your_mpc_service_config
|
|
|
|
# Allowed IP addresses (comma-separated list)
|
|
# Only these IPs can access the MPC system APIs
|
|
# IMPORTANT: In production, restrict this to your actual backend server IP(s)!
|
|
#
|
|
# Recommended configuration for your environment:
|
|
# - 192.168.1.111: Server B (mpc-service running here)
|
|
# - 192.168.1.100: Server A (if Kong needs direct access)
|
|
# - 127.0.0.1: Local Docker network
|
|
#
|
|
# Examples:
|
|
# Single IP: ALLOWED_IPS=192.168.1.111
|
|
# Multiple IPs: ALLOWED_IPS=192.168.1.111,192.168.1.100,127.0.0.1
|
|
# Allow all: ALLOWED_IPS= (empty, relies on API_KEY auth only - NOT RECOMMENDED)
|
|
#
|
|
# For your deployment (mpc-service on same server as mpc-system):
|
|
ALLOWED_IPS=192.168.1.111,127.0.0.1
|