🔧 Configuration Guide
Comprehensive configuration for enterprise deployment
This guide covers all configuration options for deploying Reforms Messenger in enterprise environments, from basic setups to advanced multi-region deployments.
🚀 Quick Start Configuration
Basic Self-Hosted Setup
Minimum viable configuration for getting started:
# config/production.yaml
server:
host: "0.0.0.0"
port: 8443
ssl:
enabled: true
certPath: "/etc/ssl/certs/reforms.crt"
keyPath: "/etc/ssl/private/reforms.key"
signaling:
mode: "zero-knowledge"
retentionPolicy: "never"
crypto:
identityProvider: "self-sovereign"
encryptionLevel: "maximum"
logging:
level: "info"
destination: "stdout"
🌐 Environment Variables
Set these essential environment variables:
# Core Configuration
REFORMS_MODE=production
REFORMS_HOST=your-domain.com
REFORMS_PORT=8443
# Security
REFORMS_SSL_CERT=/path/to/cert.pem
REFORMS_SSL_KEY=/path/to/key.pem
REFORMS_ENCRYPTION_LEVEL=maximum
# Database (optional)
REFORMS_DB_URL=postgresql://user:pass@localhost:5432/reforms
# Monitoring
REFORMS_LOG_LEVEL=info
REFORMS_METRICS_ENABLED=true
🏢 Enterprise Configuration
🏥 Healthcare (HIPAA Compliance)
# config/healthcare.yaml
compliance:
standard: "HIPAA"
auditLogging: true
dataRetention: "never"
encryptionLevel: "FIPS-140-2"
server:
host: "0.0.0.0"
port: 8443
ssl:
enabled: true
protocols: ["TLSv1.3"]
ciphers: ["ECDHE-RSA-AES256-GCM-SHA384"]
signaling:
mode: "zero-knowledge"
metadataCollection: "minimal"
geoRestriction:
enabled: true
allowedRegions: ["US"]
security:
authentication:
multiFactorRequired: true
sessionTimeout: 3600 # 1 hour
audit:
enabled: true
destination: "file"
path: "/var/log/reforms/audit.log"
retention: "7-years"
networking:
firewall:
strictMode: true
allowedPorts: [443, 8443]
turn:
enabled: true
credentials: "time-limited"
servers:
- url: "turn:turn.your-domain.com:3478"
username: "reforms"
credential: "${TURN_SECRET}"
🏦 Financial Services (Multi-Jurisdiction)
# config/financial.yaml
compliance:
standards: ["GDPR", "SOX", "MiFID-II"]
auditLogging: true
dataClassification: "confidential"
server:
cluster:
enabled: true
nodes:
- region: "us-east-1"
endpoint: "https://us-east.reforms.example.com"
- region: "eu-west-1"
endpoint: "https://eu-west.reforms.example.com"
signaling:
mode: "zero-knowledge"
redundancy: "multi-region"
security:
dataLocalization:
enabled: true
rules:
- region: "EU"
countries: ["DE", "FR", "IT"]
servers: ["eu-west-1"]
- region: "US"
countries: ["US", "CA"]
servers: ["us-east-1"]
encryption:
level: "maximum"
keyRotation: "daily"
recording:
policy: "encrypted-local"
retention: "7-years"
destination: "/encrypted/recordings"
monitoring:
compliance:
enabled: true
standards: ["SOX-404"]
reporting: "automated"
🏛️ Government & Defense
# config/government.yaml
security:
clearanceLevel: "secret"
airGapped: true
compliance:
standards: ["FedRAMP", "FISMA"]
certification: "in-progress"
server:
deployment: "isolated"
networkAccess: "restricted"
signaling:
mode: "air-gapped"
external: false
crypto:
algorithm: "post-quantum-ready"
keyManagement: "hardware-security-module"
authentication:
method: "certificate-based"
pki:
rootCA: "/etc/pki/reforms/ca.crt"
clientCert: "required"
audit:
level: "maximum"
realtime: true
siem:
enabled: true
endpoint: "https://siem.agency.gov"
⚙️ Advanced Configuration Options
📊 Performance Tuning
# config/performance.yaml
performance:
connections:
maxConcurrent: 10000
keepAlive: 300
timeout: 30
media:
codecs: ["VP9", "H264", "Opus"]
adaptiveBitrate: true
hardwareAcceleration: true
memory:
heapSize: "2GB"
connectionPool: 1000
messageBuffer: 10000
cpu:
workers: "auto" # or specific number
cryptoWorkers: 4
networking:
bandwidth:
maxUpload: "10Mbps"
maxDownload: "50Mbps"
adaptive: true
topology:
meshLimit: 10
sfuThreshold: 50
ice:
gatheringTimeout: 5000
candidateTimeout: 30000
Multi-Platform Configuration
# config/platforms.yaml
platforms:
web:
pwa:
enabled: true
serviceWorker: true
offlineSupport: true
security:
contentSecurityPolicy: "strict"
featurePolicy: "camera 'self'; microphone 'self'"
mobile:
pushNotifications:
enabled: true
apns:
keyId: "${APNS_KEY_ID}"
teamId: "${APNS_TEAM_ID}"
bundleId: "com.reforms.messenger"
fcm:
serverKey: "${FCM_SERVER_KEY}"
background:
voipEnabled: true
backgroundSync: true
desktop:
autoUpdater:
enabled: true
updateServer: "https://updates.reforms.com"
integration:
osNotifications: true
protocolHandler: "reforms://"
AI & Productivity Features
# config/ai.yaml
ai:
privacy:
mode: "local-first"
consentRequired: true
dataRetention: "never"
features:
summarization:
enabled: true
model: "local"
maxLength: 500
translation:
enabled: true
languages: ["en", "es", "fr", "de", "zh"]
provider: "local"
smartReply:
enabled: true
suggestions: 3
contextWindow: 10
models:
local:
summarization: "/models/summarization.onnx"
translation: "/models/translation.onnx"
fallback:
provider: "anthropic" # or "openai"
apiKey: "${AI_API_KEY}"
dataPolicy: "sanitized"
🔒 Security Configuration
Certificate Management
# config/certificates.yaml
ssl:
certificates:
primary:
cert: "/etc/ssl/certs/reforms.crt"
key: "/etc/ssl/private/reforms.key"
chain: "/etc/ssl/certs/chain.crt"
backup:
cert: "/etc/ssl/certs/reforms-backup.crt"
key: "/etc/ssl/private/reforms-backup.key"
letsencrypt:
enabled: true
email: "admin@your-domain.com"
domains: ["reforms.your-domain.com"]
autoRenew: true
hsts:
enabled: true
maxAge: 31536000
includeSubdomains: true
Access Control
# config/access-control.yaml
authentication:
methods:
- type: "self-sovereign"
required: true
- type: "oauth2"
provider: "active-directory"
clientId: "${AD_CLIENT_ID}"
optional: true
authorization:
rbac:
enabled: true
roles:
- name: "admin"
permissions: ["*"]
- name: "user"
permissions: ["chat", "call", "file-transfer"]
- name: "guest"
permissions: ["chat"]
policies:
- resource: "file-transfer"
condition: "file.size < 100MB"
- resource: "group-call"
condition: "participants <= 50"
🌍 Multi-Region Deployment
Global Configuration
# config/global.yaml
deployment:
strategy: "multi-region"
regions:
- name: "us-east-1"
primary: true
endpoint: "https://us-east.reforms.com"
datacenter: "AWS us-east-1"
- name: "eu-west-1"
primary: false
endpoint: "https://eu-west.reforms.com"
datacenter: "AWS eu-west-1"
- name: "ap-southeast-1"
primary: false
endpoint: "https://ap-southeast.reforms.com"
datacenter: "AWS ap-southeast-1"
routing:
strategy: "latency-based"
healthCheck:
enabled: true
interval: 30
timeout: 5
failover:
automatic: true
threshold: 3
dataSync:
method: "eventual-consistency"
conflictResolution: "last-write-wins"
📊 Monitoring & Observability
Metrics Configuration
# config/monitoring.yaml
metrics:
enabled: true
exporters:
- type: "prometheus"
endpoint: "/metrics"
port: 9090
- type: "cloudwatch"
region: "us-east-1"
dashboard:
grafana:
enabled: true
datasource: "prometheus"
logging:
structured: true
format: "json"
appenders:
- type: "console"
level: "info"
- type: "file"
level: "debug"
path: "/var/log/reforms/app.log"
rotation: "daily"
- type: "elasticsearch"
level: "warn"
endpoint: "https://logs.your-domain.com"
tracing:
enabled: true
sampler: "probabilistic"
rate: 0.1
exporter: "jaeger"
Health Checks
# config/health.yaml
health:
checks:
- name: "database"
type: "sql"
query: "SELECT 1"
interval: 30
- name: "signaling"
type: "websocket"
endpoint: "wss://localhost:8443/ws"
interval: 60
- name: "turn-server"
type: "udp"
host: "turn.your-domain.com"
port: 3478
interval: 120
alerts:
slack:
webhook: "${SLACK_WEBHOOK_URL}"
channel: "#ops-alerts"
email:
smtp: "smtp.your-domain.com"
recipients: ["ops@your-domain.com"]
🐳 Container Configuration
Docker Compose
# docker-compose.yml
version: '3.8'
services:
reforms-server:
image: reforms/messenger:latest
ports:
- "8443:8443"
environment:
- REFORMS_MODE=production
- REFORMS_CONFIG=/app/config/production.yaml
volumes:
- ./config:/app/config
- ./ssl:/etc/ssl
- ./logs:/var/log/reforms
restart: unless-stopped
redis:
image: redis:7-alpine
ports:
- "6379:6379"
volumes:
- redis-data:/data
restart: unless-stopped
postgres:
image: postgres:15
environment:
- POSTGRES_DB=reforms
- POSTGRES_USER=reforms
- POSTGRES_PASSWORD=${DB_PASSWORD}
volumes:
- postgres-data:/var/lib/postgresql/data
restart: unless-stopped
volumes:
redis-data:
postgres-data:
Kubernetes Deployment
# k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: reforms-messenger
spec:
replicas: 3
selector:
matchLabels:
app: reforms-messenger
template:
metadata:
labels:
app: reforms-messenger
spec:
containers:
- name: reforms
image: reforms/messenger:latest
ports:
- containerPort: 8443
env:
- name: REFORMS_MODE
value: "production"
volumeMounts:
- name: config
mountPath: /app/config
- name: ssl
mountPath: /etc/ssl
volumes:
- name: config
configMap:
name: reforms-config
- name: ssl
secret:
secretName: reforms-ssl
⚡ Configuration Examples
Startup Scripts
#!/bin/bash
# scripts/start-production.sh
# Set environment
export NODE_ENV=production
export REFORMS_CONFIG_PATH=/etc/reforms/config.yaml
# Validate configuration
reforms validate-config
# Start with clustering
reforms start \
--cluster \
--workers=4 \
--log-level=info \
--metrics \
--health-check
Configuration Validation
// scripts/validate-config.ts
import { validateConfig } from '@reforms/config';
async function main() {
try {
const config = await validateConfig(process.env.REFORMS_CONFIG_PATH);
console.log('✅ Configuration is valid');
// Check compliance requirements
if (config.compliance?.standard) {
console.log(`📋 Compliance: ${config.compliance.standard}`);
}
// Verify certificates
if (config.ssl?.enabled) {
console.log('🔒 SSL configuration validated');
}
} catch (error) {
console.error('❌ Configuration validation failed:', error.message);
process.exit(1);
}
}
main();
🎯 Best Practices
Security Best Practices
- Always use HTTPS in production
- Enable HSTS for web deployments
- Rotate certificates regularly (automated)
- Use strong ciphers (TLS 1.3 only)
- Enable audit logging for compliance
- Restrict network access to essential ports
- Use time-limited TURN credentials
Performance Best Practices
- Size clusters appropriately based on load
- Enable hardware acceleration when available
- Use CDN for static assets
- Configure adaptive bitrate for media
- Monitor connection quality continuously
- Implement health checks for all services
Operational Best Practices
- Use infrastructure as code (Terraform, CloudFormation)
- Implement blue-green deployments
- Set up comprehensive monitoring
- Plan disaster recovery procedures
- Regular security audits and updates
- Document all configurations
Your configuration, optimized. Your deployment, secure. Your operation, simplified.