# NOTE(review): the top-level `version` key is obsolete in the Compose
# Specification; Docker Compose v2 ignores it and logs a warning.
version: '3.8'

services:
  # Service for advanced-wallet-manager (AWM).
  # Attached only to my-internal-network and publishes no host ports, so it is
  # reachable only from other containers on that network.
  advanced-wallet-manager:
    build: .  # Build from the Dockerfile inside the repo
    container_name: advanced-wallet-manager
    networks:
      - my-internal-network  # Only part of the internal network
    environment:
      # Application mode (required)
      - APP_MODE=advanced-wallet-manager
      # Network settings
      - ADVANCED_WALLET_MANAGER_PORT=3080
      # Binds to every interface inside the container; exposure is bounded by
      # the network attachment above and the empty `ports` list below.
      - BIND=0.0.0.0
      # Timeout values are presumably milliseconds - confirm against the app docs.
      - TIMEOUT=305000
      - KEEP_ALIVE_TIMEOUT=65000
      - HEADERS_TIMEOUT=66000
      # TLS settings
      # NOTE(review): TLS is disabled on the AWM listener, so any container that
      # can join my-internal-network can reach port 3080 over plain HTTP with no
      # transport-level client authentication. Treat these values as a local
      # development baseline and enable the server TLS settings below before
      # handling real keys.
      - TLS_MODE=disabled
      # NOTE(review): presumably only takes effect once TLS is enabled - confirm.
      # Accepting self-signed client certificates should not carry over to
      # deployments that use CA-issued certificates.
      - CLIENT_CERT_ALLOW_SELF_SIGNED=true
      # KMS settings (required)
      # NOTE(review): the scheme is http://, so requests to the KMS are neither
      # encrypted nor authenticated at the transport layer. This service sits
      # only on a network declared `internal: true`; verify the address is
      # actually reachable from there.
      - KMS_URL=http://172.20.0.1:3000  # UPDATE TO YOUR OWN KMS URL
      # NOTE(review): has no effect while KMS_URL is plain HTTP; once the KMS is
      # served over TLS, prefer pinning its CA via KMS_SERVER_CA_CERT_PATH.
      - KMS_SERVER_CERT_ALLOW_SELF_SIGNED=true
      # Optional KMS TLS settings (uncomment if using mTLS with KMS)
      # Prefer the *_PATH variants with a read-only mounted file: values set
      # inline in `environment` are visible via `docker inspect` and end up in
      # this file's version history.
      # - KMS_SERVER_CA_CERT_PATH=/path/to/kms-ca-cert.pem
      # - KMS_CLIENT_TLS_KEY_PATH=/path/to/kms-client-key.pem
      # - KMS_CLIENT_TLS_CERT_PATH=/path/to/kms-client-cert.pem
      # - KMS_CLIENT_TLS_KEY=<key-content>
      # - KMS_CLIENT_TLS_CERT=<cert-content>
      # Optional server TLS settings (uncomment if using mTLS)
      # - SERVER_TLS_KEY_PATH=/path/to/server-key.pem
      # - SERVER_TLS_CERT_PATH=/path/to/server-cert.pem
      # - SERVER_TLS_KEY=<key-content>
      # - SERVER_TLS_CERT=<cert-content>
      # ABC123,DEF456 are placeholders; replace with real client certificate
      # fingerprints.
      # - MTLS_ALLOWED_CLIENT_FINGERPRINTS=ABC123,DEF456
      # Logging and debug
      # NOTE(review): presumably resolved relative to the app's working
      # directory so that it lands in the /app/logs mount below - confirm.
      - HTTP_LOGFILE=logs/http-access.log
      # NOTE(review): what recovery mode enables is not visible in this file;
      # confirm it is meant to be on by default alongside NODE_ENV=production.
      - RECOVERY_MODE=true
      - NODE_ENV=production
      - LOG_LEVEL=info
    restart: always
    ports: []  # No public ports exposed
    volumes:
      # NOTE(review): master-bitgo-express mounts the same host directory and
      # sets the same HTTP_LOGFILE, so both containers appear to write to one
      # host file, and the publicly exposed service shares a writable directory
      # with this one. Consider a separate host directory per service.
      - ./logs:/app/logs  # Mount logs directory
# Service for master-bitgo-express (MBE) - both internal and publicly accessible
# NOTE(review): MBE is the only service attached to both networks, so it is the
# path from the published port to advanced-wallet-manager. With TLS disabled on
# both hops, MBE's own request handling is the only barrier in front of AWM.
  master-bitgo-express:
    build: .  # Build from the Dockerfile inside the repo
    container_name: master-bitgo-express
    networks:
      - my-internal-network  # Connect to the internal network for internal communication
      - my-public-network  # Connect to the public network for external access
    environment:
      # Application mode (required)
      - APP_MODE=master-express
      # Network settings
      - MASTER_EXPRESS_PORT=3081
      # Binds to every interface inside the container, including the one on
      # my-public-network that backs the published port below.
      - BIND=0.0.0.0
      # Timeout values are presumably milliseconds - confirm against the app docs.
      - TIMEOUT=305000
      - KEEP_ALIVE_TIMEOUT=65000
      - HEADERS_TIMEOUT=66000
      # BitGo API settings
      - BITGO_ENV=test
      # NOTE(review): disables an environment check whose details are not
      # visible here; review before changing BITGO_ENV away from `test`.
      - BITGO_DISABLE_ENV_CHECK=true
      - BITGO_AUTH_VERSION=2
      # - BITGO_CUSTOM_ROOT_URI=https://custom-bitgo-api.com
      # - BITGO_CUSTOM_BITCOIN_NETWORK=testnet
      # Advanced Wallet Manager connection (required)
      # NOTE(review): plain HTTP to AWM; traffic on my-internal-network is
      # unencrypted and AWM cannot authenticate the caller at the transport
      # layer.
      - ADVANCED_WALLET_MANAGER_URL=http://advanced-wallet-manager:3080
      # NOTE(review): has no effect while the AWM URL is plain HTTP; once AWM
      # serves TLS, prefer pinning its CA via AWM_SERVER_CA_CERT_PATH.
      - AWM_SERVER_CERT_ALLOW_SELF_SIGNED=true
      # Optional AWM TLS settings (uncomment if using mTLS with AWM)
      # Prefer the *_PATH variants with a read-only mounted file: values set
      # inline in `environment` are visible via `docker inspect` and end up in
      # this file's version history.
      # - AWM_SERVER_CA_CERT_PATH=/path/to/awm-ca-cert.pem
      # - AWM_CLIENT_TLS_KEY_PATH=/path/to/awm-client-key.pem
      # - AWM_CLIENT_TLS_CERT_PATH=/path/to/awm-client-cert.pem
      # - AWM_CLIENT_TLS_KEY=<key-content>
      # - AWM_CLIENT_TLS_CERT=<cert-content>
      # TLS settings
      # NOTE(review): with TLS disabled, the port published below serves plain
      # HTTP. Enable the server TLS settings, or terminate TLS in a reverse
      # proxy in front of this service, before exposing it beyond a trusted
      # host.
      - TLS_MODE=disabled
      # NOTE(review): presumably only takes effect once TLS is enabled - confirm.
      - CLIENT_CERT_ALLOW_SELF_SIGNED=true
      # Optional server TLS settings (uncomment if using mTLS)
      # - SERVER_TLS_KEY_PATH=/path/to/server-key.pem
      # - SERVER_TLS_CERT_PATH=/path/to/server-cert.pem
      # - SERVER_TLS_KEY=<key-content>
      # - SERVER_TLS_CERT=<cert-content>
      # ABC123,DEF456 are placeholders; replace with real client certificate
      # fingerprints.
      # - MTLS_ALLOWED_CLIENT_FINGERPRINTS=ABC123,DEF456
      # Logging and debug
      # NOTE(review): presumably resolved relative to the app's working
      # directory so that it lands in the /app/logs mount below - confirm.
      - HTTP_LOGFILE=logs/http-access.log
      # NOTE(review): what recovery mode enables is not visible in this file;
      # confirm it is meant to be on for the publicly reachable service.
      - RECOVERY_MODE=true
      - NODE_ENV=production
      - LOG_LEVEL=info
    restart: always
    ports:
      # The short HOST:CONTAINER form publishes on all host interfaces. Use
      # '127.0.0.1:3081:3081' when only a local reverse proxy or local clients
      # should reach MBE.
      - '3081:3081'  # Expose MBE publicly on port 3081
    volumes:
      # NOTE(review): advanced-wallet-manager mounts the same host directory and
      # sets the same HTTP_LOGFILE, so both containers appear to write to one
      # host file. Consider a separate host directory per service so this
      # public-facing container cannot touch AWM's logs.
      - ./logs:/app/logs  # Mount logs directory
# Networks section
# Two bridge networks: an isolated one for AWM <-> MBE traffic and a regular
# one that carries MBE's published port.
networks:
  my-internal-network:
    driver: bridge  # Internal communication network
    # `internal: true` is what isolates this network: Compose creates it
    # without external connectivity. The bridge driver alone does not.
    # Isolation covers the network boundary only; any container attached to
    # this network can still reach AWM's port directly.
    internal: true
  my-public-network:
    driver: bridge  # Regular bridge network; carries the published MBE port