running-docker.md

File metadata and controls

72 lines (59 loc) · 3.55 KB

Running Docker images

To run the docker compose setup, copy `.env.example` to `.env` in the root folder and adjust the values if required.

## Building containers

The containers are built via the `container` target of each nx app, for example:

```sh
nx run holder-app:container
```

To build multiple projects at once, use the `run-many` command:

```sh
nx run-many --target=container --all
```

By default the containers are built with the `latest` tag and are not pushed to the registry. On a push to the `main` branch of the repo, the GitHub Action pushes the latest version to the registry.

## Configs

The configuration of the PWA client is mounted from `config/holder-frontend/config.js`. This allows changing the endpoints of the different services without recompiling the app.

## Known limitations

Right now, running it locally via Docker can cause problems, because `localhost` is used to reach some services. The web application wants a JWT with the audience `http://localhost:8080`, the Keycloak instance, but the backends running inside Docker talk to Keycloak via `http://keycloak:8080`. This problem can be solved by:

- using a publicly available Keycloak instance
- running the backend services locally as a node application and not inside Docker
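To see the mismatch described above in a concrete token, the following added example (not part of the project's code) decodes a JWT's payload and compares its URL-valued `iss` and `aud` claims, by host and port, with the issuer URL a service is configured to trust. The sample token and its realm name `wallet` are constructed for the demo; the helper only decodes and never verifies a signature, so it is a debugging aid, not something to accept tokens with.

```python
"""Decode a JWT's payload and compare its iss/aud claims with the issuer a
service trusts. Debugging aid for the localhost-vs-keycloak mismatch above:
it does not check the signature, so it must never be used to accept a token."""
import base64
import json
from urllib.parse import urlparse


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def _host(value: str):
    """host:port of a URL-shaped claim value, or None when it is not a URL."""
    parsed = urlparse(value)
    return parsed.netloc if parsed.scheme and parsed.netloc else None


def explain_issuer_mismatch(token: str, trusted_issuer: str) -> list:
    """List why a service configured with trusted_issuer rejects this token.

    Every URL-valued iss/aud claim is compared by host:port with the trusted
    issuer URL; an empty list means they line up."""
    expected = _host(trusted_issuer)
    findings = []
    claims = jwt_claims(token)
    for claim in ("iss", "aud"):
        values = claims.get(claim, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            actual = _host(value)
            if actual and actual != expected:
                findings.append(
                    f"{claim} points at {actual}, but this service trusts {expected}"
                )
    return findings


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample for the demo: the signature segment is a
    placeholder, which is why the decoder above must never be trusted for auth."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


# Constructed claims mirroring the page: a token minted against localhost:8080
SAMPLE_TOKEN = make_sample_token({
    "iss": "http://localhost:8080/realms/wallet",  # realm name is invented
    "aud": "http://localhost:8080",
    "sub": "user-1",
})

if __name__ == "__main__":
    # The browser-facing app trusts localhost:8080 -> no findings
    print(explain_issuer_mismatch(SAMPLE_TOKEN, "http://localhost:8080"))
    # A backend inside docker trusts keycloak:8080 -> both claims mismatch
    for finding in explain_issuer_mismatch(SAMPLE_TOKEN, "http://keycloak:8080"):
        print("-", finding)
```

Run it against a real token copied from the browser's developer tools (paste it in place of `SAMPLE_TOKEN`) to confirm that it is the issuer host, not the signature or the expiry, that the Docker-side backend rejects.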

## Vault

To secure your keys, you can use Vault by HashiCorp; otherwise the keys are stored either in the filesystem (issuer and verifier) or in the unencrypted database (wallet).

You can run Vault via Docker with the following command:

```sh
docker compose up -d vault
```

This spins up a Vault instance in dev mode, which does not persist the keys across a restart. In the `.env` in the root folder you can set the token needed for authentication.

### Using in the cloud wallet

Configure the environment variables in the `.env` to tell the service to use Vault:

```
KM_TYPE=vault
VAULT_URL=http://localhost:8200/v1/transit
VAULT_TOKEN=root
```

The server supports neither multiple key management systems in parallel nor an import or export feature, so decide at the beginning which type of key management you want to use.
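The following added example (not the project's own code) parses those three `.env` lines, flags the dev-mode `root` token and a plaintext URL to a remote host, and builds the transit request a service would send with them. It assumes the service signs through the transit engine's `sign` endpoint, which the page implies only through the `/v1/transit` mount URL; the key name `issuer-key` and the `.env` excerpt are constructed for the demo.

```python
"""Validate the Vault key-management settings from .env and show the transit
request a service sends with them. Only sign_with_vault() touches the network."""
import base64
import json
import urllib.request
from urllib.parse import urlparse

DEV_ROOT_TOKEN = "root"  # the dev-mode token the page's example .env uses


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines of a .env file; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def check_vault_env(env: dict) -> list:
    """Return findings about the Vault settings; an empty list means they look sane."""
    findings = []
    if env.get("KM_TYPE") != "vault":
        findings.append("KM_TYPE is not 'vault': keys stay in the filesystem or database")
        return findings
    url = env.get("VAULT_URL", "")
    token = env.get("VAULT_TOKEN", "")
    if not url.rstrip("/").endswith("/v1/transit"):
        findings.append("VAULT_URL should point at the transit engine mount (.../v1/transit)")
    if not token:
        findings.append("VAULT_TOKEN is empty")
    elif token == DEV_ROOT_TOKEN:
        findings.append("VAULT_TOKEN is the dev-mode root token; use a scoped token in production")
    # The token is sent as a header on every call, so plain http to a remote
    # host exposes it on the wire.
    if url.startswith("http://") and urlparse(url).hostname not in ("localhost", "127.0.0.1"):
        findings.append("VAULT_URL is plain http to a remote host; the token would cross the wire unencrypted")
    return findings


def build_sign_request(env: dict, key_name: str, payload: bytes):
    """POST {VAULT_URL}/sign/{key_name} with the base64 input the transit API expects."""
    url = env["VAULT_URL"].rstrip("/") + "/sign/" + key_name
    headers = {"X-Vault-Token": env["VAULT_TOKEN"], "Content-Type": "application/json"}
    body = json.dumps({"input": base64.b64encode(payload).decode()}).encode()
    return url, headers, body


def sign_with_vault(env: dict, key_name: str, payload: bytes) -> str:
    """Send the request to a running Vault that holds the key; returns 'vault:v1:...'."""
    url, headers, body = build_sign_request(env, key_name, payload)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["data"]["signature"]


# Constructed .env excerpt mirroring the three lines above
SAMPLE_ENV = """KM_TYPE=vault
VAULT_URL=http://localhost:8200/v1/transit
VAULT_TOKEN=root
"""

if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for finding in check_vault_env(env):
        print("warning:", finding)
    url, _, body = build_sign_request(env, "issuer-key", b"credential bytes")  # key name invented
    print(url, body.decode())
```

With the dev instance from `docker compose up -d vault` running and a transit key created, `sign_with_vault(env, "issuer-key", b"...")` returns the `vault:v1:` signature; the private key never leaves Vault, which is the point of choosing `KM_TYPE=vault` over the filesystem or database storage.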

TODO: we also need key management for the accounts to support multiple keys. Right now the user id is used as the key reference, so each user can store only one key; we need a mapping table between keys and user ids.

### Using in the issuer and verifier

The key management for the issuer and verifier can also be managed via Keycloak. Right now a unique key id has to be generated by yourself and passed in the `.env` file. The services will generate a key pair and store it in the Vault instance. For now, multiple keys per instance are not supported, so the issuer and verifier have to use one key each (but both could technically use the same key).

### Production use
Update the `vault` service in the docker compose file like this:
```yaml
  vault:
    image: 'hashicorp/vault:1.16'
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'vault', 'status']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 2m
    volumes:
      - vault-storage:/vault/file:rw
      - ./config/vault:/vault/config:rw
    ports:
      - '8200:8200'
    environment:
      VAULT_ADDR: http://127.0.0.1:8200
    entrypoint: vault server -config=/vault/config/config.hcl
```

Get familiar with the Vault deployment guide; this documentation does not fully cover running Vault in production!
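The compose service above mounts `./config/vault` and starts the server with `-config=/vault/config/config.hcl`, but the page does not show that file. The following added example (not the project's own code) renders a minimal `config.hcl` with file storage and one TCP listener, then cross-checks it against the values of the compose snippet: the storage path has to sit under the `vault-storage` volume or the keys are lost when the container is recreated, and the listener port has to be the one published and the one `VAULT_ADDR` dials. `tls_disable` defaults to true only to match the page's `http://` `VAULT_ADDR`, and the checker reports that as a finding.

```python
"""Render the config.hcl that the compose snippet above mounts at
/vault/config/config.hcl, and cross-check it against that service definition
so the file storage really lands on the persisted volume."""
import re
from urllib.parse import urlparse

# The values of the vault service from the compose snippet above
COMPOSE_VAULT_SERVICE = {
    "volumes": ["vault-storage:/vault/file:rw", "./config/vault:/vault/config:rw"],
    "ports": ["8200:8200"],
    "environment": {"VAULT_ADDR": "http://127.0.0.1:8200"},
}


def render_vault_config(storage_path="/vault/file", listen="0.0.0.0:8200",
                        tls_disable=True) -> str:
    """Minimal server config: file storage plus one TCP listener.
    tls_disable defaults to True only to match the page's http VAULT_ADDR."""
    return (
        'ui = true\n'
        'storage "file" {\n'
        f'  path = "{storage_path}"\n'
        '}\n'
        'listener "tcp" {\n'
        f'  address     = "{listen}"\n'
        f'  tls_disable = {"true" if tls_disable else "false"}\n'
        '}\n'
    )


def _hcl_value(text: str, key: str):
    """Fetch the first `key = value` line from the HCL text, quotes stripped."""
    match = re.search(rf'^\s*{key}\s*=\s*"?([^"\n]+?)"?\s*$', text, re.M)
    return match.group(1) if match else None


def check_vault_deployment(config_hcl: str, service: dict) -> list:
    """Return findings where the HCL and the compose service disagree."""
    findings = []

    # 1. Storage path must be inside a mounted volume, or the keys vanish
    #    when the container is recreated.
    storage_path = _hcl_value(config_hcl, "path")
    targets = [v.split(":")[1] for v in service["volumes"]]
    if not any(storage_path == t or storage_path.startswith(t + "/") for t in targets):
        findings.append(f"storage path {storage_path} is not on a mounted volume; "
                        "keys are lost when the container is recreated")

    # 2. The listener port must be the published container port and the one
    #    VAULT_ADDR (which the healthcheck's `vault status` uses) dials.
    listen_port = _hcl_value(config_hcl, "address").rsplit(":", 1)[1]
    container_ports = [p.split(":")[-1] for p in service["ports"]]
    if listen_port not in container_ports:
        findings.append(f"listener port {listen_port} is not published (ports: {service['ports']})")
    addr = urlparse(service["environment"]["VAULT_ADDR"])
    if str(addr.port) != listen_port:
        findings.append(f"VAULT_ADDR dials port {addr.port} but the listener is on {listen_port}")

    # 3. A plaintext listener means every token crosses the wire unencrypted.
    if _hcl_value(config_hcl, "tls_disable") == "true":
        findings.append("listener has tls_disable = true; enable TLS before exposing 8200 beyond the host")
    return findings


if __name__ == "__main__":
    config = render_vault_config()
    print(config)
    for finding in check_vault_deployment(config, COMPOSE_VAULT_SERVICE):
        print("warning:", finding)
```

Two operational caveats follow from this config that the dev-mode instance hides: a server with file storage starts sealed after every restart and has to be unsealed before it serves keys, and `vault status` exits with code 2 while the server is sealed, so the compose healthcheck reports the container unhealthy until that unseal has happened.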