
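# =============================================================================
# MPC-System Production Deployment - Central Services
# =============================================================================
# Purpose: Deploy central infrastructure (Message Router, Session Coordinator, Account)
# Server Parties are deployed separately on different machines/locations
#
# Usage:
#   ./deploy.sh prod up    # Start central services
#   ./deploy.sh prod down  # Stop central services
#
# External Ports (must be accessible from server-parties):
#   50051 - Message Router gRPC (for party connections)
#   50052 - Session Coordinator gRPC (for party connections)
#   4000  - Account Service HTTP API (for backend integration)
#   8081  - Session Coordinator HTTP API (for backend integration)
#   8082  - Message Router HTTP API (health checks)
#   8083  - Server Party API HTTP (optional, user share generation)
#
# Host port bindings below have no host-IP prefix, so Docker publishes them on
# every host interface. Only the two gRPC ports need to be reachable by remote
# parties; the HTTP ports are for backend integration / health checks and can be
# restricted by prefixing the mapping with a host IP (e.g. "127.0.0.1:8082:8080")
# or by host firewall rules.
#
# Secrets: every secret is required via "${VAR:?message}" so that `compose up`
# fails fast instead of starting a service with an empty password, signing key
# or API key. Set them in .env (never commit .env).
#
# Architecture:
#   Server Parties (NAT-friendly) --> Message Router (Public) --> Session Coordinator
#                                                                 --> PostgreSQL (Internal)
# =============================================================================
services:
  # ============================================
  # Infrastructure Services (Internal Only)
  # ============================================
  postgres:
    image: postgres:15-alpine
    container_name: mpc-postgres
    environment:
      TZ: Asia/Shanghai
      POSTGRES_DB: mpc_system
      POSTGRES_USER: ${POSTGRES_USER:-mpc_user}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
    volumes:
      - postgres-data:/var/lib/postgresql/data
      # Schema migrations run once on first start of an empty data directory.
      - ./migrations:/docker-entrypoint-initdb.d:ro
    # No "ports:" entry on purpose - PostgreSQL is reachable only on mpc-internal.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mpc_user} -d mpc_system"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - mpc-internal
    restart: unless-stopped

  # ============================================
  # Message Router - Public gRPC Endpoint
  # Server Parties connect here from anywhere
  # ============================================
  message-router:
    build:
      context: .
      dockerfile: services/message-router/Dockerfile
    container_name: mpc-message-router
    ports:
      - "${MESSAGE_ROUTER_GRPC_PORT:-50051}:50051"  # gRPC for party connections (PUBLIC)
      - "${MESSAGE_ROUTER_HTTP_PORT:-8082}:8080"  # HTTP for health checks
    environment:
      TZ: Asia/Shanghai
      MPC_SERVER_GRPC_PORT: 50051
      MPC_SERVER_HTTP_PORT: 8080
      MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
      MPC_DATABASE_HOST: postgres
      MPC_DATABASE_PORT: 5432
      MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
      MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
      MPC_DATABASE_DBNAME: mpc_system
      # Plaintext DB connection; acceptable only because postgres is not
      # published and both sides share the private mpc-internal bridge network.
      # Revisit if postgres is ever moved off this host.
      MPC_DATABASE_SSLMODE: disable
    depends_on:
      postgres:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - mpc-internal
    restart: unless-stopped

  # ============================================
  # Session Coordinator - Public gRPC Endpoint
  # ============================================
  session-coordinator:
    build:
      context: .
      dockerfile: services/session-coordinator/Dockerfile
    container_name: mpc-session-coordinator
    ports:
      - "${SESSION_COORDINATOR_GRPC_PORT:-50052}:50051"  # gRPC for party connections (PUBLIC)
      - "${SESSION_COORDINATOR_HTTP_PORT:-8081}:8080"  # HTTP API
    environment:
      TZ: Asia/Shanghai
      MPC_SERVER_GRPC_PORT: 50051
      MPC_SERVER_HTTP_PORT: 8080
      MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
      MPC_DATABASE_HOST: postgres
      MPC_DATABASE_PORT: 5432
      MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
      MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
      MPC_DATABASE_DBNAME: mpc_system
      # Plaintext DB connection; see note on message-router.
      MPC_DATABASE_SSLMODE: disable
      # Required: an unset JWT_SECRET_KEY would otherwise expand to "" and the
      # service would sign/verify tokens with an empty key.
      MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:?JWT_SECRET_KEY must be set in .env}
      MPC_JWT_ISSUER: mpc-system
      MESSAGE_ROUTER_ADDR: message-router:50051
    depends_on:
      postgres:
        condition: service_healthy
      message-router:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - mpc-internal
    restart: unless-stopped

  # ============================================
  # Account Service - External API Entry Point
  # ============================================
  account-service:
    build:
      context: .
      dockerfile: services/account/Dockerfile
    container_name: mpc-account-service
    ports:
      - "${ACCOUNT_SERVICE_PORT:-4000}:8080"  # HTTP API for external access
    environment:
      TZ: Asia/Shanghai
      MPC_SERVER_GRPC_PORT: 50051
      MPC_SERVER_HTTP_PORT: 8080
      MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
      MPC_DATABASE_HOST: postgres
      MPC_DATABASE_PORT: 5432
      MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
      MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
      MPC_DATABASE_DBNAME: mpc_system
      # Plaintext DB connection; see note on message-router.
      MPC_DATABASE_SSLMODE: disable
      MPC_COORDINATOR_URL: session-coordinator:50051
      # Must match the key used by session-coordinator; required for the same reason.
      MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:?JWT_SECRET_KEY must be set in .env}
      # Shared API key between account-service and server-party-api; required.
      MPC_API_KEY: ${MPC_API_KEY:?MPC_API_KEY must be set in .env}
      # Defaults to empty. How the service treats an empty allow-list (allow all
      # vs. deny all) is decided in the service code, not here - confirm before
      # relying on it as an access control.
      ALLOWED_IPS: ${ALLOWED_IPS:-}
    depends_on:
      postgres:
        condition: service_healthy
      session-coordinator:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - mpc-internal
    restart: unless-stopped

  # ============================================
  # Server Party API - User Share Generation
  # (Optional: only needed if generating user shares)
  # ============================================
  server-party-api:
    build:
      context: .
      dockerfile: services/server-party-api/Dockerfile
    container_name: mpc-server-party-api
    ports:
      - "${SERVER_PARTY_API_PORT:-8083}:8080"  # HTTP API (share generation)
    environment:
      TZ: Asia/Shanghai
      MPC_SERVER_HTTP_PORT: 8080
      MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
      SESSION_COORDINATOR_ADDR: session-coordinator:50051
      MESSAGE_ROUTER_ADDR: message-router:50051
      # Key material protecting generated shares; an empty value must never
      # reach the service, so fail at compose time instead.
      MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:?CRYPTO_MASTER_KEY must be set in .env}
      # Must match account-service's MPC_API_KEY.
      MPC_API_KEY: ${MPC_API_KEY:?MPC_API_KEY must be set in .env}
    depends_on:
      session-coordinator:
        condition: service_healthy
      message-router:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - mpc-internal
    restart: unless-stopped

# ============================================
# Networks
# ============================================
networks:
  # Private bridge shared by all central services; postgres is only reachable here.
  mpc-internal:
    driver: bridge

# ============================================
# Volumes
# ============================================
volumes:
  postgres-data:
    driver: local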