Production-Ready Docker Deployment: Secrets Overlay and Auto-Provisioning

Getting a production-ready Docker deployment for your AI agent's wallet infrastructure requires more than just docker run — you need secure secret management and automated provisioning that won't expose sensitive credentials to your deployment pipeline or containers. Self-hosting your wallet infrastructure means total control over private keys, policies, and transaction approvals without depending on third-party services that could leak data or impose rate limits.

Why Docker Security Matters for Wallet Infrastructure

When you're managing private keys and handling real cryptocurrency transactions, your deployment security becomes critical. A misconfigured container could expose master passwords in environment variables, process lists, or container logs. Traditional Docker deployments often require hardcoded secrets in docker-compose files or shell scripts — exactly what attackers look for.

WAIaaS addresses this with Docker Secrets integration and auto-provisioning features designed specifically for self-hosted wallet infrastructure. You get enterprise-grade secret management without the complexity of full orchestration platforms like Kubernetes.

The Two-Layer Security Approach

WAIaaS implements a dual-security model for production deployments:

Layer 1: Auto-Provisioning for First Boot On initial startup, WAIaaS can generate cryptographically secure master passwords and save them to protected recovery files. This eliminates the chicken-and-egg problem of bootstrapping wallet infrastructure without manual intervention.

Layer 2: Docker Secrets Overlay For ongoing operations, sensitive credentials are injected through Docker's built-in secrets mechanism, keeping passwords out of environment variables and container filesystems.

Docker Secrets Integration

The production deployment uses a secrets overlay pattern. Here's your base docker-compose.yml:

services:
  daemon:
    image: ghcr.io/minhoyoo-iotrust/waiaas:latest
    container_name: waiaas-daemon
    ports:
      - "127.0.0.1:3100:3100"
    volumes:
      - waiaas-data:/data
    environment:
      - WAIAAS_DATA_DIR=/data
      - WAIAAS_DAEMON_HOSTNAME=0.0.0.0
    env_file:
      - path: .env
        required: false
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3

volumes:
  waiaas-data:
    driver: local

For production, you add the secrets overlay (docker-compose.secrets.yml):

# Create secret files with proper permissions
mkdir -p secrets
echo "your-secure-master-password" > secrets/master_password.txt
chmod 600 secrets/master_password.txt
chown root:root secrets/master_password.txt

# Deploy with secrets overlay
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d

This approach keeps secrets out of your main compose file and git repository. The secrets overlay is loaded only in production environments and can be managed by your deployment automation without exposing credentials.

Auto-Provisioning for Zero-Touch Deployment

For fully automated deployments, WAIaaS supports auto-provisioning mode:

docker run -d \
  --name waiaas \
  -p 127.0.0.1:3100:3100 \
  -v waiaas-data:/data \
  -e WAIAAS_AUTO_PROVISION=true \
  ghcr.io/minhoyoo-iotrust/waiaas:latest

# Retrieve the generated master password
docker exec waiaas cat /data/recovery.key

The auto-provision feature generates a cryptographically secure master password using the same entropy sources as wallet key generation. The password is saved to /data/recovery.key inside the container and mounted volume, allowing you to retrieve it programmatically for further automation.

This is especially valuable for infrastructure-as-code deployments where you can't provide interactive password input. Your deployment script can start the container, retrieve the generated password, and securely store it in your secret management system.

Production Environment Configuration

Key environment variables for production deployments:

WAIAAS_AUTO_PROVISION=true              # Generate master password on first start
WAIAAS_DAEMON_PORT=3100                 # Internal listening port
WAIAAS_DAEMON_HOSTNAME=0.0.0.0         # Bind to all interfaces (inside container)
WAIAAS_DAEMON_LOG_LEVEL=info            # Avoid debug logs in production
WAIAAS_DATA_DIR=/data                   # Persistent data location
WAIAAS_RPC_SOLANA_MAINNET=<url>         # Your Solana RPC endpoint
WAIAAS_RPC_EVM_ETHEREUM_MAINNET=<url>   # Your Ethereum RPC endpoint

The Docker image runs as a non-root user (UID 1001) by default, following security best practices. The healthcheck endpoint at /health integrates with Docker's health monitoring and orchestration platforms.

Network Security and Port Binding

Notice the port binding in the default configuration: 127.0.0.1:3100:3100. This binds only to localhost, preventing external network access to your wallet infrastructure. For production deployments, you typically want this behind a reverse proxy with TLS termination and authentication.

If you need direct external access, you can modify the port binding, but ensure you have proper firewall rules and consider the security implications of exposing wallet infrastructure to the internet.

Persistent Data and Backup Strategy

WAIaaS stores all persistent data in /data inside the container, mapped to a named Docker volume. This includes:

• Wallet private keys (encrypted)
• Transaction history and logs
• Policy configurations
• Session tokens and authentication state

For production backup strategies, you can mount a host directory instead of a named volume:

volumes:
  - /opt/waiaas-data:/data

This allows your existing backup systems to access the data directory directly. The CLI includes backup commands for consistent snapshots:

# Create backup inside container
docker exec waiaas-daemon waiaas backup create --name "daily-backup"

# List available backups
docker exec waiaas-daemon waiaas backup list

# Export backup to host
docker cp waiaas-daemon:/data/backups/daily-backup.tar.gz ./

Health Monitoring and Watchtower Integration

The Docker image includes a built-in healthcheck that verifies the API endpoint responds correctly. This integrates with Docker's health monitoring and orchestration platforms like Docker Swarm or Portainer.

For automatic updates, WAIaaS works with Watchtower out of the box:

services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 30 waiaas-daemon

Watchtower will automatically pull new WAIaaS releases and restart the container while preserving your data volume and configuration.

Container Security Hardening

The WAIaaS Docker image follows container security best practices:

• Non-root execution: Runs as UID 1001 to prevent privilege escalation
• Minimal attack surface: Based on lightweight base images with only required dependencies
• Read-only filesystem: Application files are immutable after container start
• No package managers: Runtime container doesn't include npm, apt, or other package managers
• Explicit healthchecks: Container health is verifiable by orchestration platforms

For additional hardening, you can run with read-only root filesystem:

docker run -d \
  --name waiaas \
  --read-only \
  --tmpfs /tmp \
  --tmpfs /var/log \
  -p 127.0.0.1:3100:3100 \
  -v waiaas-data:/data \
  ghcr.io/minhoyoo-iotrust/waiaas:latest

Integration with Reverse Proxies

For production deployments, you typically want WAIaaS behind a reverse proxy for TLS termination and additional security. Here's an example nginx configuration:

upstream waiaas {
    server 127.0.0.1:3100;
}

server {
    listen 443 ssl http2;
    server_name wallet.yourdomain.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location / {
        proxy_pass http://waiaas;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This provides TLS encryption and can integrate with authentication systems or IP allow-lists for additional access control.

Quick Start: Production Deployment

Here's how to get a production-ready WAIaaS deployment running:

1. Clone and configure:

   git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
   cd WAIaaS
   

2. Set up secrets directory:

   mkdir -p secrets
   openssl rand -base64 32 > secrets/master_password.txt
   chmod 600 secrets/master_password.txt
   

3. Deploy with secrets overlay:

   docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
   

4. Verify deployment:

   curl http://127.0.0.1:3100/health
   docker compose logs -f
   

5. Access admin interface:

   open http://127.0.0.1:3100/admin
   

The admin interface provides a web UI for wallet management, policy configuration, and monitoring — all running entirely on your infrastructure without external dependencies.

What's Next

With your production WAIaaS deployment running, you can start integrating AI agents through the MCP protocol or REST API. Check out the OpenAPI documentation at http://127.0.0.1:3100/reference for interactive API exploration, and consider setting up monitoring and alerting for your wallet infrastructure.

Ready to deploy your own wallet infrastructure? Get started with the code at GitHub or explore more deployment options at waiaas.ai.