[Docs] Document how to deploy identity service

Summary: Document how to deploy identity service, so that if another member needs to address the deployment, they don't need to reverse engineer the actions. https://linear.app/comm/issue/ENG-4420 Depends on D8580 Test Plan: N/A. documentation Reviewers: varun, ashoat Reviewed By: varun Subscribers: tomek Differential Revision: https://phab.comm.dev/D8581
CommE2E · Jul 27, 2023 · a28e329 · a28e329
1 parent d589005
commit a28e329
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/docs/nix_dev_env.md b/docs/nix_dev_env.md
@@ -136,6 +136,7 @@ Run `nix develop` to create a dev environment. Nix will handle the installation
 ## Production workflows
 
 - [Services deployment](./nix_services_deployment.md)
+  - [Identity service](./nix_services_deployment.md#identity-service)
   - [Tunnelbroker](./nix_services_deployment.md#tunnelbroker)
 
 ## Using alternate shells with Nix

diff --git a/docs/nix_services_deployment.md b/docs/nix_services_deployment.md
@@ -1,5 +1,39 @@
 # Services Deployment
 
+## Identity Service
+
+Deploying the Identity service requires generating OPAQUE secrets, building the Docker image, and deploying the container.
+
+### Building the Docker image
+
+The Docker image can be built with the following command:
+
+```bash
+docker build -f services/identity -t commapp/identity-server:<tag> .
+```
+
+### Generating OPAQUE secrets
+
+OPAQUE is an implementation of a PAKE (Passwor-Authenticated Key Exchange) protocol. This allows for authentication of a user without requiring the password credentials to be stored on the server. To generate the server credentials:
+
+```
+docker run -v comm-identity-secrets:/home/comm/app/identity/secrets identity keygen
+```
+
+**NOTE:** This OPAQUE keypair is used to encrypt the password credentials of all users. The contents of this file should be persisted in a safe manner beyond a Docker volume.
+
+### Running the Identity service
+
+To run the service:
+
+```
+docker run -d \
+  -e KEYSERVER_PUBLIC_KEY=<public key> \
+  -p 50054:50054 \
+  -v comm-identity-secrets:/home/comm/app/identity/secrets \
+  commapp/identity-server:<tag>
+```
+
 ## Tunnelbroker
 
 Deploying Tunnelbroker consists of building its Docker image and deploying that image as a Docker container.