diff --git a/backend/api-gateway/.env.example b/backend/api-gateway/.env.example
index 9d792269..4d282f5a 100644
--- a/backend/api-gateway/.env.example
+++ b/backend/api-gateway/.env.example
@@ -1,16 +1,51 @@ # ============================================================================= -# API Gateway (Kong) - Environment Configuration +# API Gateway (Kong) - Production Environment Configuration # ============================================================================= -# This file contains all environment variables needed for Kong API Gateway. +# +# Deployment: Server A (192.168.1.100) +# Role: API gateway with rate limiting, authentication, and routing +# +# Architecture: +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Internet (https://rwaapi.szaiai.com) │ +# └─────────────────────────────────────────────────────────────────────────┘ +# │ +# ▼ +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Server A - 119.145.15.38 (Public) / 192.168.1.100 (Internal) │ +# │ ├── nginx (port 80/443) - SSL termination, reverse proxy │ +# │ ├── Kong (port 8000) - API gateway, routing, rate limiting │ +# │ └── Kong Admin (8001) - Admin API (internal only) │ +# └─────────────────────────────────────────────────────────────────────────┘ +# │ +# ▼ +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Server B - 192.168.1.111 (Internal Only) │ +# │ └── Microservices (identity:3000, wallet:3001, mpc:3006, etc.) │ +# └─────────────────────────────────────────────────────────────────────────┘ # # Setup Instructions: # 1. Copy this file: cp .env.example .env # 2. Update values according to your deployment environment -# 3. Start services: ./deploy.sh up +# 3. Update kong.yml service URLs to point to 192.168.1.111 +# 4. Start services: ./deploy.sh up # # IMPORTANT: In production, change all default passwords and secrets! 
# ============================================================================= +# ============================================================================= +# Network Configuration +# ============================================================================= +# Public domain for the API +PUBLIC_DOMAIN=rwaapi.szaiai.com + +# Server A: Gateway server (this server) +GATEWAY_SERVER_PUBLIC_IP=119.145.15.38 +GATEWAY_SERVER_INTERNAL_IP=192.168.1.100 + +# Server B: Backend services server +BACKEND_SERVER_IP=192.168.1.111 + # ============================================================================= # Kong Database Configuration # ============================================================================= @@ -25,10 +60,10 @@ KONG_PG_PASSWORD=kong_password # Kong Admin GUI Configuration # ============================================================================= # Admin GUI URL - Update to match your deployment domain -# Examples: -# Development: http://localhost:8002 -# Production: https://admin.yourdomain.com -KONG_ADMIN_GUI_URL=http://localhost:8002 +# For production with nginx reverse proxy: +# https://admin.rwaapi.szaiai.com or internal only access +# SECURITY: Consider not exposing admin GUI publicly! +KONG_ADMIN_GUI_URL=http://192.168.1.100:8002 # ============================================================================= # Monitoring Stack Configuration (Optional) 
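Review bot: The rewritten header and the new Network Configuration block put the deployment's real public IP (`119.145.15.38`), its internal addresses and the production domain into a file that is tracked in git, which turns `.env.example` from a template into a reconnaissance map of the environment. Keep the template generic (`GATEWAY_SERVER_PUBLIC_IP=<public-ip>`, `BACKEND_SERVER_IP=<backend-ip>`) and let operators fill the real values into the untracked `.env`, which is what the file's own `cp .env.example .env` step already assumes. The same concrete addresses are repeated in every other example file in this commit, so a single re-addressing would have to touch all of them.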
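Review bot: `KONG_ADMIN_GUI_URL=http://192.168.1.100:8002` points Kong Manager at plain HTTP on the LAN interface, and the `SECURITY:` comment above it only says to "consider" not exposing it. The Admin API on 8001 that the GUI talks to has no authentication in the open-source build, so any host on 192.168.1.0/24 that can reach it can rewrite routes and plugins; the comment should state how 8001/8002 are restricted rather than leave it optional, e.g. `# Admin API (8001) is unauthenticated in Kong OSS: keep the admin listener on 127.0.0.1 or firewall it to the operator host`. Whether Kong's `admin_listen` is actually bound that way is not visible in this diff.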
@@ -40,34 +75,35 @@ GRAFANA_ADMIN_PASSWORD=admin123 # Grafana Root URL - CRITICAL: Must match the actual URL users access Grafana from # IMPORTANT: This affects CORS, redirects, and authentication! -# Examples: -# Local development: http://localhost:3030 -# Production with Nginx+SSL: https://monitor.szaiai.com -# Production without SSL: http://monitor.szaiai.com # -# If you use install-monitor.sh with domain "monitor.szaiai.com", set: +# For your deployment with nginx SSL: # GRAFANA_ROOT_URL=https://monitor.szaiai.com # # Common mistake: Setting localhost when accessing via domain causes "origin not allowed" error! # After changing this value, you MUST restart monitoring services: # ./deploy.sh monitoring down && ./deploy.sh monitoring up -GRAFANA_ROOT_URL=http://localhost:3030 +GRAFANA_ROOT_URL=https://monitor.szaiai.com # Docker network name for monitoring services # Note: This should match the network created by docker-compose.yml NETWORK_NAME=api-gateway_rwa-network # ============================================================================= -# Backend Services Configuration +# Kong Upstream Service URLs (for kong.yml configuration) # ============================================================================= -# Backend server IP address for connectivity checks -# IMPORTANT: Update this to the actual IP where your microservices are deployed! -# You MUST also update service URLs in kong.yml to match this IP -# Examples: -# Local development: 127.0.0.1 -# Remote server: 192.168.1.111 -# Same server: 127.0.0.1 +# These are reference values - actual configuration is in kong.yml +# All services run on Server B (192.168.1.111): # -# Default is example IP - CHANGE THIS to your actual backend server IP! 
-# If backend is on same server as Kong, use 127.0.0.1 -BACKEND_SERVER_IP=192.168.1.111 +# identity-service: http://192.168.1.111:3000 +# wallet-service: http://192.168.1.111:3001 +# backup-service: http://192.168.1.111:3002 +# planting-service: http://192.168.1.111:3003 +# referral-service: http://192.168.1.111:3004 +# reward-service: http://192.168.1.111:3005 +# mpc-service: http://192.168.1.111:3006 +# leaderboard-service: http://192.168.1.111:3007 +# reporting-service: http://192.168.1.111:3008 +# authorization-service: http://192.168.1.111:3009 +# admin-service: http://192.168.1.111:3010 +# presence-service: http://192.168.1.111:3011 +# blockchain-service: http://192.168.1.111:3012 diff --git a/backend/infrastructure/.env.example b/backend/infrastructure/.env.example index c4f11eeb..f52aaec8 100644 --- a/backend/infrastructure/.env.example +++ b/backend/infrastructure/.env.example 
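Review bot: Switching `GRAFANA_ROOT_URL` to the public `https://monitor.szaiai.com` while the hunk's context line still reads `GRAFANA_ADMIN_PASSWORD=admin123` means a deployment that follows the setup steps literally exposes Grafana's admin login on the Internet with a guessable password. An example file should not ship a working value for a public-facing admin credential: leave it empty (`GRAFANA_ADMIN_PASSWORD=`) with `# REQUIRED: generate with openssl rand -base64 24` so the deploy script fails fast instead of starting with the default. The Grafana section begins before this hunk, so the password line itself is outside the change.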
@@ -1,47 +1,94 @@ # ============================================================================= -# RWA Infrastructure - 环境变量配置 +# RWA Infrastructure - Production Environment Configuration # ============================================================================= -# 复制此文件为 .env 并修改配置 +# +# Deployment: Server B (192.168.1.111) or separate monitoring server +# Role: Observability stack - metrics, logs, tracing, service discovery +# +# Components: +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Observability Stack │ +# ├─────────────────────────────────────────────────────────────────────────┤ +# │ Grafana :3030 - Dashboards and visualization │ +# │ Prometheus :9090 - Metrics collection and alerting │ +# │ Loki :3100 - Log aggregation │ +# │ Jaeger :16686 - Distributed tracing │ +# │ Consul :8500 - Service discovery (optional) │ +# └─────────────────────────────────────────────────────────────────────────┘ +# +# Network Topology: +# Server A (192.168.1.100): Kong API Gateway +# Server B (192.168.1.111): Microservices + MPC System +# Prometheus scrapes metrics from both servers +# +# Setup: +# 1. Copy to .env: cp .env.example .env +# 2. Update passwords and URLs +# 3. 
Start: docker-compose up -d # ============================================================================= -# ----------------------------------------------------------------------------- -# Consul 配置 -# ----------------------------------------------------------------------------- +# ============================================================================= +# Network Configuration +# ============================================================================= +# Server A: Gateway (Kong) +KONG_SERVER_IP=192.168.1.100 + +# Server B: Backend services +BACKEND_SERVER_IP=192.168.1.111 + +# Public domain +PUBLIC_DOMAIN=rwaapi.szaiai.com + +# ============================================================================= +# Consul Configuration (Service Discovery) +# ============================================================================= CONSUL_HTTP_PORT=8500 CONSUL_DNS_PORT=8600 -# ----------------------------------------------------------------------------- -# Jaeger 配置 -# ----------------------------------------------------------------------------- +# ============================================================================= +# Jaeger Configuration (Distributed Tracing) +# ============================================================================= JAEGER_UI_PORT=16686 -# ----------------------------------------------------------------------------- -# Loki 配置 -# ----------------------------------------------------------------------------- +# ============================================================================= +# Loki Configuration (Log Aggregation) +# ============================================================================= LOKI_PORT=3100 -# ----------------------------------------------------------------------------- -# Grafana 配置 -# ----------------------------------------------------------------------------- +# ============================================================================= +# Grafana Configuration (Dashboards) +# 
============================================================================= GRAFANA_PORT=3030 GRAFANA_ADMIN_USER=admin +# SECURITY: Change this in production! +# Example command to generate: openssl rand -base64 24 GRAFANA_ADMIN_PASSWORD=admin123 -GRAFANA_ROOT_URL=http://localhost:3030 + +# Grafana Root URL - MUST match actual access URL for CORS/auth +# For internal access: http://192.168.1.111:3030 +# For external access with nginx: https://monitor.szaiai.com +GRAFANA_ROOT_URL=https://monitor.szaiai.com GRAFANA_LOG_LEVEL=info -# ----------------------------------------------------------------------------- -# Prometheus 配置 -# ----------------------------------------------------------------------------- +# ============================================================================= +# Prometheus Configuration (Metrics) +# ============================================================================= PROMETHEUS_PORT=9090 -# ----------------------------------------------------------------------------- -# 后端服务器 IP (用于 Prometheus 抓取) -# ----------------------------------------------------------------------------- -BACKEND_SERVER_IP=192.168.1.111 -KONG_SERVER_IP=192.168.1.100 +# Scrape targets (configured in prometheus.yml): +# - Kong: 192.168.1.100:8001/metrics +# - identity-service: 192.168.1.111:3000/metrics +# - wallet-service: 192.168.1.111:3001/metrics +# - mpc-service: 192.168.1.111:3006/metrics +# - blockchain-service: 192.168.1.111:3012/metrics +# - mpc-system services: 192.168.1.111:4000/metrics, etc. 
-# ----------------------------------------------------------------------------- -# PostgreSQL 配置 (用于 Grafana 数据源) -# ----------------------------------------------------------------------------- +# ============================================================================= +# PostgreSQL Configuration (for Grafana data source) +# ============================================================================= +# Connect to main RWA database for dashboards +POSTGRES_HOST=192.168.1.111 +POSTGRES_PORT=5432 POSTGRES_USER=rwa_user +# SECURITY: Use the same password as backend/services/.env POSTGRES_PASSWORD=your_password_here diff --git a/backend/mpc-system/.env.example b/backend/mpc-system/.env.example index d7bfb874..803b618a 100644 --- a/backend/mpc-system/.env.example +++ b/backend/mpc-system/.env.example 
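Review bot: The new Grafana data-source settings point dashboards at the main application database with the backend's own credentials (`POSTGRES_HOST=192.168.1.111`, `POSTGRES_USER=rwa_user`, `# SECURITY: Use the same password as backend/services/.env`), so a Grafana that still defaults to `GRAFANA_ADMIN_PASSWORD=admin123` and is now served at a public URL holds read/write access to user and wallet tables. Provision a dedicated read-only role for dashboards instead and say so in the template: `# Use a read-only role (GRANT SELECT only), never the application user`. Separately, the scrape list targets `192.168.1.100:8001/metrics`, which is Kong's Admin API; that listener is unauthenticated in Kong OSS, so if it is reachable from Server B the whole internal subnet can reconfigure the gateway — expose metrics on a separate status listener or firewall 8001 to the Prometheus host.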
@@ -1,7 +1,31 @@ # ============================================================================= -# MPC System - Environment Configuration +# MPC System - Production Environment Configuration # ============================================================================= -# This file contains all environment variables needed for MPC System deployment. +# +# Deployment: Server B (192.168.1.111) +# Role: Threshold Signature Scheme (TSS) backend for 2-of-3 MPC wallet operations +# +# Architecture: +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ MPC System Components (Go services on Server B) │ +# ├─────────────────────────────────────────────────────────────────────────┤ +# │ account-service :4000 - User account & session management │ +# │ session-coordinator :8081 - TSS protocol coordination │ +# │ message-router :8082 - WebSocket for P2P TSS messages │ +# │ server-party-api :8083 - Server-side party operations │ +# │ server-party-1 :8091 - TSS party instance 1 │ +# │ server-party-2 :8092 - TSS party instance 2 │ +# ├─────────────────────────────────────────────────────────────────────────┤ +# │ Infrastructure │ +# │ postgres :5432 - MPC database │ +# │ redis :6379 - Session cache │ +# │ rabbitmq :5672 - Internal message queue │ +# └─────────────────────────────────────────────────────────────────────────┘ +# +# Network Flow: +# mpc-service (NestJS) → account-service → session-coordinator → parties +# ↓ +# Mobile App → message-router (WebSocket) → client party # # Setup Instructions: # 1. Copy this file: cp .env.example .env 
@@ -22,6 +46,15 @@ # Options: development, staging, production ENVIRONMENT=production +# ============================================================================= +# Network Configuration +# ============================================================================= +# Server B internal IP (where MPC system runs) +MPC_SERVER_IP=192.168.1.111 + +# Server A internal IP (Kong gateway, for ALLOWED_IPS if needed) +GATEWAY_SERVER_IP=192.168.1.100 + # ============================================================================= # PostgreSQL Database Configuration # ============================================================================= @@ -58,6 +91,7 @@ RABBITMQ_PASSWORD=change_this_to_secure_rabbitmq_password # JWT signing secret key (minimum 32 characters) # SECURITY: Generate a strong random key in production! # Example command: openssl rand -base64 48 +# IMPORTANT: This MUST match MPC_JWT_SECRET in mpc-service configuration! JWT_SECRET_KEY=change_this_jwt_secret_key_to_random_value_min_32_chars # ============================================================================= 
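Review bot: The architecture block describes a 2-of-3 TSS wallet while placing `server-party-1 :8091` and `server-party-2 :8092` on the same Server B; if those two parties hold independent shares of the same key, compromising that one host yields a signing quorum without the user's device, which collapses the threshold to a single machine. The header should state the intended share distribution and, if two server shares really exist, require that the second party run on separate infrastructure, e.g. `# Threshold note: server parties MUST NOT share a host or key store — co-locating both server shares defeats the 2-of-3 guarantee`. The party wiring is not in this diff, so this may be a documentation inaccuracy rather than a deployment flaw; either way the comment should be made precise.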
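Review bot: The added `IMPORTANT: This MUST match MPC_JWT_SECRET in mpc-service configuration!` sits above a placeholder (`change_this_jwt_secret_key_to_random_value_min_32_chars`) that is byte-identical to the one this commit writes into `backend/services/.env.example`, so both sides authenticate each other successfully even when nobody replaces it. Placeholders for shared secrets should never match across files; ship `JWT_SECRET_KEY=` empty and have the service refuse to start on an empty or known-default value. Note also that the documented `minimum 32 characters` is satisfied by the placeholder string itself, so a length check alone would not catch an unchanged template.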
@@ -82,12 +116,16 @@ MPC_API_KEY=change_this_api_key_to_match_your_mpc_service_config # Allowed IP addresses (comma-separated list) # Only these IPs can access the MPC system APIs # IMPORTANT: In production, restrict this to your actual backend server IP(s)! +# +# Recommended configuration for your environment: +# - 192.168.1.111: Server B (mpc-service running here) +# - 192.168.1.100: Server A (if Kong needs direct access) +# - 127.0.0.1: Local Docker network +# # Examples: # Single IP: ALLOWED_IPS=192.168.1.111 -# Multiple IPs: ALLOWED_IPS=192.168.1.111,192.168.1.112 -# Local only: ALLOWED_IPS=127.0.0.1 -# Allow all: ALLOWED_IPS= (empty, relies on API_KEY auth only - NOT RECOMMENDED for production) +# Multiple IPs: ALLOWED_IPS=192.168.1.111,192.168.1.100,127.0.0.1 +# Allow all: ALLOWED_IPS= (empty, relies on API_KEY auth only - NOT RECOMMENDED) # -# Default allows all IPs (protected by API_KEY authentication) -# SECURITY WARNING: Change this in production to specific backend server IP(s)! -ALLOWED_IPS= +# For your deployment (mpc-service on same server as mpc-system): +ALLOWED_IPS=192.168.1.111,127.0.0.1 diff --git a/backend/services/.env.example b/backend/services/.env.example index 18eb8c5c..1c00a961 100644 --- a/backend/services/.env.example +++ b/backend/services/.env.example 
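Review bot: The new recommendation lists `127.0.0.1: Local Docker network`, but traffic from containers on a Docker bridge network arrives from the bridge subnet (172.x by default) or the container's own address, not from loopback, so `ALLOWED_IPS=192.168.1.111,127.0.0.1` will either reject the co-located mpc-service or be passing for a reason other than the allowlist. Document the peer address the Go services actually see (host networking vs bridge) and whether the check uses the TCP peer or a forwarded header, since an `X-Forwarded-For`-based allowlist is trivially spoofed by any host that can reach the port: `# NOTE: matched against the TCP peer address; containers appear as their bridge IP, not 127.0.0.1`. The enforcement code is not in this diff, so confirm which address it compares before relying on this list as a control.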
@@ -1,32 +1,101 @@ # ============================================================================= -# RWA Backend Services - Environment Configuration Template +# RWA Backend Services - Production Environment Configuration # ============================================================================= -# Copy this file to .env and fill in the values +# +# Deployment Topology: +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Internet (https://rwaapi.szaiai.com) │ +# └─────────────────────────────────────────────────────────────────────────┘ +# │ +# ▼ +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Server A (Gateway) - 119.145.15.38 (Public) / 192.168.1.100 (Internal) │ +# │ nginx (SSL termination) → Kong (API Gateway) │ +# └─────────────────────────────────────────────────────────────────────────┘ +# │ +# ▼ +# ┌─────────────────────────────────────────────────────────────────────────┐ +# │ Server B (Backend) - 192.168.1.111 (Internal Only) │ +# │ ├── Microservices (identity, wallet, mpc-service, blockchain, etc.) │ +# │ ├── MPC System (account-service, session-coordinator, message-router) │ +# │ └── Infrastructure (PostgreSQL, Redis, Kafka) │ +# └─────────────────────────────────────────────────────────────────────────┘ +# +# Setup Instructions: +# 1. Copy this file: cp .env.example .env +# 2. Update ALL password/secret values (generate with openssl commands below) +# 3. Start services: ./deploy.sh up +# # WARNING: Never commit .env to version control! 
# ============================================================================= +# ============================================================================= +# Network Configuration +# ============================================================================= +# Public domain for the API +PUBLIC_DOMAIN=rwaapi.szaiai.com + +# Server A: Gateway server (nginx + kong) +GATEWAY_SERVER_PUBLIC_IP=119.145.15.38 +GATEWAY_SERVER_INTERNAL_IP=192.168.1.100 + +# Server B: Backend services server +BACKEND_SERVER_IP=192.168.1.111 + +# ============================================================================= # PostgreSQL Database +# ============================================================================= POSTGRES_USER=rwa_user +# SECURITY: Generate with: openssl rand -base64 32 POSTGRES_PASSWORD=your_secure_password_here -# Redis (leave empty for no password) +# ============================================================================= +# Redis Cache +# ============================================================================= +# Leave empty if Redis is only accessible within Docker network +# For additional security, generate with: openssl rand -base64 24 REDIS_PASSWORD= -# JWT Configuration (generate with: openssl rand -base64 32) +# ============================================================================= +# JWT Configuration +# ============================================================================= +# SECURITY: Generate with: openssl rand -base64 32 JWT_SECRET=your_jwt_secret_here +# ============================================================================= # Service-to-Service Authentication +# ============================================================================= +# SECURITY: Generate with: openssl rand -base64 32 SERVICE_JWT_SECRET=your_service_jwt_secret_here -# Wallet Encryption Salt +# ============================================================================= +# Wallet Encryption +# 
============================================================================= +# SECURITY: Generate with: openssl rand -base64 32 WALLET_ENCRYPTION_SALT=your_wallet_salt_here -# Backup Encryption Key (256-bit hex: openssl rand -hex 32) +# ============================================================================= +# Backup Service Encryption +# ============================================================================= +# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32 BACKUP_ENCRYPTION_KEY=your_64_char_hex_key_here -# MPC Share Master Key (256-bit hex: openssl rand -hex 32) +# ============================================================================= +# MPC Share Encryption +# ============================================================================= +# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32 +# WARNING: If you lose this key, encrypted shares cannot be recovered! SHARE_MASTER_KEY=your_64_char_hex_key_here -# MPC System Address (running on 192.168.1.111) +# ============================================================================= +# MPC System Configuration (Go TSS Backend on Server B) +# ============================================================================= +# These URLs are used when services communicate directly with mpc-system +# Note: In Docker Compose, services use internal Docker network names instead MPC_COORDINATOR_URL=http://192.168.1.111:8081 MPC_MESSAGE_ROUTER_URL=ws://192.168.1.111:8082 +MPC_ACCOUNT_SERVICE_URL=http://192.168.1.111:4000 + +# MPC JWT Secret - MUST match mpc-system's JWT_SECRET_KEY +# SECURITY: Generate with: openssl rand -base64 48 +MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars diff --git a/backend/services/blockchain-service/.env.example b/backend/services/blockchain-service/.env.example index 2ddcd049..b7f6fda0 100644 --- a/backend/services/blockchain-service/.env.example +++ b/backend/services/blockchain-service/.env.example 
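Review bot: `MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars` is the same literal that `backend/mpc-system/.env.example` uses for `JWT_SECRET_KEY` in this commit, so the `MUST match` requirement is already satisfied by the defaults and an operator who skips setup step 2 gets a working system signed with a publicly known secret. Use an empty value (`MPC_JWT_SECRET=`) and let startup fail on it rather than a placeholder that happens to work. The `REDIS_PASSWORD=` guidance ("leave empty if Redis is only accessible within Docker network") also no longer holds for this commit, since the per-service examples now dial Redis at `192.168.1.111:6379` on the LAN interface; either require a password here or restate when an empty value is acceptable.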
@@ -1,36 +1,94 @@ +# ============================================================================= +# Blockchain Service - Production Environment Configuration +# ============================================================================= +# +# Deployment: Server B (192.168.1.111) +# Role: Blockchain address derivation, balance queries, transaction monitoring +# +# Responsibilities: +# - Derive multi-chain addresses from public keys (KAVA, DST, BSC) +# - Monitor blockchain transactions for deposit detection +# - Publish WalletAddressCreated events to Kafka +# - Query wallet balances across supported chains +# +# Flow: mpc-service → blockchain-service → Kafka → identity-service +# (publicKey) (derive addresses) (event) (save addresses) +# +# Setup: +# 1. Copy to .env: cp .env.example .env +# 2. In Docker Compose mode, most values are overridden by docker-compose.yml +# ============================================================================= + +# ============================================================================= # Application -NODE_ENV=development +# ============================================================================= +NODE_ENV=production PORT=3012 SERVICE_NAME=blockchain-service +API_PREFIX=api/v1 -# Database -DATABASE_URL=postgresql://rwa:rwa_password@localhost:5432/rwa_blockchain?schema=public +# ============================================================================= +# Database (PostgreSQL on Server B) +# ============================================================================= +# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_blockchain +# Direct access: postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_blockchain +DATABASE_URL=postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_blockchain?schema=public -# Redis -REDIS_HOST=localhost +# ============================================================================= +# Redis (on Server B) +# 
============================================================================= +# Docker Compose: redis / Direct: 192.168.1.111 +REDIS_HOST=192.168.1.111 REDIS_PORT=6379 REDIS_DB=11 REDIS_PASSWORD= -# Kafka -KAFKA_BROKERS=localhost:9092 +# ============================================================================= +# Kafka (on Server B) +# ============================================================================= +# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092 +KAFKA_BROKERS=192.168.1.111:9092 KAFKA_CLIENT_ID=blockchain-service KAFKA_GROUP_ID=blockchain-service-group -# Blockchain - KAVA (EVM) +# ============================================================================= +# Blockchain - KAVA (EVM-compatible Cosmos chain) +# ============================================================================= +# Official KAVA EVM RPC endpoint KAVA_RPC_URL=https://evm.kava.io KAVA_CHAIN_ID=2222 +# KAVA USDT contract address KAVA_USDT_CONTRACT=0x919C1c267BC06a7039e03fcc2eF738525769109c -# Blockchain - BSC +# ============================================================================= +# Blockchain - BSC (Binance Smart Chain) +# ============================================================================= +# Public BSC RPC endpoint (consider using paid RPC for production) BSC_RPC_URL=https://bsc-dataseed.binance.org BSC_CHAIN_ID=56 +# BSC USDT (Binance-Peg) contract address BSC_USDT_CONTRACT=0x55d398326f99059fF775485246999027B3197955 -# Block Scanner +# ============================================================================= +# Blockchain - DST (Cosmos chain, placeholder) +# ============================================================================= +# DST_RPC_URL=https://rpc.dst.network +# DST_CHAIN_ID=dst-1 + +# ============================================================================= +# Block Scanner Configuration +# ============================================================================= +# Interval between block scans (milliseconds) 
BLOCK_SCAN_INTERVAL_MS=5000 + +# Number of confirmations required before considering transaction final BLOCK_CONFIRMATIONS_REQUIRED=12 + +# Maximum blocks to process in one batch BLOCK_SCAN_BATCH_SIZE=100 +# ============================================================================= # Logging -LOG_LEVEL=debug +# ============================================================================= +# Options: debug, info, warn, error +LOG_LEVEL=info diff --git a/backend/services/identity-service/.env.example b/backend/services/identity-service/.env.example index 584be756..c8069361 100644 --- a/backend/services/identity-service/.env.example +++ b/backend/services/identity-service/.env.example 
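Review bot: `REDIS_HOST=192.168.1.111` with `REDIS_PASSWORD=` empty, `KAFKA_BROKERS=192.168.1.111:9092`, and a `DATABASE_URL` without `sslmode` mean this service now reaches all three datastores over the LAN interface in plaintext, with the Redis tier entirely unauthenticated — any host on 192.168.1.0/24 that can reach those ports (Server A lives in that subnet) can read or poison the block-scanner state in Redis DB 11 and the deposit events on Kafka. At minimum require a Redis password in the example and add `?sslmode=require` to the Postgres URL once the server presents a certificate, with a comment such as `# Redis/Kafka/Postgres are reachable on the LAN: set REDIS_PASSWORD and restrict 6379/9092/5432 to Server B and the monitoring host`. Whether a host firewall already enforces this is not visible here.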
@@ -1,62 +1,107 @@ # ============================================================================= -# Identity Service - Environment Variables +# Identity Service - Production Environment Configuration +# ============================================================================= +# +# Deployment: Server B (192.168.1.111) +# Role: User account management, authentication, wallet address storage +# +# Flow: Kong → identity-service → mpc-service → blockchain-service +# ↑ ↓ +# └────────────────── Kafka ←───────────────────┘ +# +# Setup: +# 1. Copy to .env: cp .env.example .env +# 2. In Docker Compose mode, most values are overridden by docker-compose.yml +# 3. For local development, update values below # ============================================================================= +# ============================================================================= # Application +# ============================================================================= APP_PORT=3000 -APP_ENV="development" +APP_ENV="production" -# Database (PostgreSQL) -DATABASE_URL="postgresql://postgres:password@localhost:5432/rwa_identity?schema=public" +# ============================================================================= +# Database (PostgreSQL on Server B) +# ============================================================================= +# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_identity +# Direct access: postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_identity +DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_identity?schema=public" -# JWT +# ============================================================================= +# JWT Configuration +# ============================================================================= +# SECURITY: Generate with: openssl rand -base64 32 +# MUST match JWT_SECRET in backend/services/.env JWT_SECRET="your-super-secret-jwt-key-change-in-production" JWT_ACCESS_EXPIRES_IN="2h" JWT_REFRESH_EXPIRES_IN="30d" -# 
Redis -REDIS_HOST="localhost" +# ============================================================================= +# Redis (on Server B) +# ============================================================================= +# Docker Compose: redis / Direct: 192.168.1.111 +REDIS_HOST="192.168.1.111" REDIS_PORT=6379 REDIS_PASSWORD="" REDIS_DB=0 -# Kafka -KAFKA_BROKERS="localhost:9092" +# ============================================================================= +# Kafka (on Server B) +# ============================================================================= +# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092 +KAFKA_BROKERS="192.168.1.111:9092" KAFKA_CLIENT_ID="identity-service" KAFKA_GROUP_ID="identity-service-group" -# SMS Service +# ============================================================================= +# SMS Service (External) +# ============================================================================= SMS_API_URL="https://sms-api.example.com" SMS_API_KEY="your-sms-api-key" +# ============================================================================= # Wallet Encryption +# ============================================================================= +# SECURITY: Generate with: openssl rand -base64 32 WALLET_ENCRYPTION_SALT="rwa-wallet-salt-change-in-production" # ============================================================================= # MPC Service Configuration # ============================================================================= -# 调用路径: identity-service -> mpc-service (NestJS) -> mpc-system (Go) +# Flow: identity-service → mpc-service (NestJS) → mpc-system (Go/TSS) +# +# Docker Compose: http://mpc-service:3006 +# Direct access: http://192.168.1.111:3006 +MPC_SERVICE_URL="http://192.168.1.111:3006" -# MPC Service URL (NestJS gateway) -MPC_SERVICE_URL="http://localhost:3001" +# MPC Mode: +# - local: Mock mode for testing (generates random addresses) +# - remote: Production mode (calls mpc-service for real MPC keygen) 
+MPC_MODE="remote" -# MPC Mode: local (模拟) / remote (调用 mpc-service) -MPC_MODE="local" - -# Use event-driven communication for MPC operations +# Use Kafka event-driven communication for MPC operations +# Recommended: true for production (async, more reliable) MPC_USE_EVENT_DRIVEN="true" # ============================================================================= # Backup Service Configuration # ============================================================================= -# 安全要求: 必须部署在与 identity-service 不同的物理服务器上! +# SECURITY: For production, deploy backup-service on a DIFFERENT server! +# This ensures no single point of failure for encrypted key shares. +# +# Docker Compose: http://backup-service:3002 +# Direct access: http://192.168.1.111:3002 (or different server IP) +BACKUP_SERVICE_URL="http://192.168.1.111:3002" +BACKUP_SERVICE_ENABLED="true" -BACKUP_SERVICE_URL="http://backup-server:3002" -BACKUP_SERVICE_ENABLED="false" +# Service-to-service authentication secret +# MUST match SERVICE_JWT_SECRET in backup-service +# SECURITY: Generate with: openssl rand -base64 32 SERVICE_JWT_SECRET="your-service-jwt-secret-change-in-production" # ============================================================================= -# Blockchain RPC URLs (for address verification) +# Blockchain RPC URLs (for address verification, external endpoints) # ============================================================================= KAVA_RPC_URL="https://evm.kava.io" BSC_RPC_URL="https://bsc-dataseed.binance.org" diff --git a/backend/services/mpc-service/.env.example b/backend/services/mpc-service/.env.example index 08a55db4..c2cff5bf 100644 --- a/backend/services/mpc-service/.env.example +++ b/backend/services/mpc-service/.env.example 
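Review bot: The backup section replaces the original hard requirement (backup-service must run on a different physical server) with a softer `For production, deploy backup-service on a DIFFERENT server!` while the new defaults do the opposite: `BACKUP_SERVICE_URL="http://192.168.1.111:3002"` co-locates it with identity-service and `BACKUP_SERVICE_ENABLED="true"` turns it on by default. If the backup holds encrypted key shares, as the comment says, and the secrets that protect them live on the same host, a single compromise of Server B yields both, which is exactly what the separation was meant to prevent. Keep the URL a placeholder for a separate host (`BACKUP_SERVICE_URL="http://<backup-server-ip>:3002"`) and state the rule as a MUST again; the rewritten rationale `no single point of failure` also reads as an availability concern when the original was about confidentiality.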
@@ -1,69 +1,131 @@
 # =============================================================================
-# MPC Service - Environment Variables
+# MPC Service - Production Environment Configuration
 # =============================================================================
 #
-# mpc-service 作为 MPC 服务网关:
-# 1. 缓存 username + publicKey 的映射关系
-# 2. 存储 delegate share
-# 3. 转发请求到 mpc-system (Go/TSS实现)
+# Deployment: Server B (192.168.1.111)
+# Role: MPC gateway service that bridges NestJS microservices with Go TSS backend
 #
+# Architecture:
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ mpc-service (NestJS on port 3006) │
+# │ ├── Caches username ↔ publicKey mappings │
+# │ ├── Stores delegate key shares (encrypted) │
+# │ ├── Forwards keygen/signing requests to mpc-system │
+# │ └── Publishes events to Kafka for identity-service │
+# └─────────────────────────────────────────────────────────────────────────┘
+# │
+# ▼
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ mpc-system (Go/TSS on Server B) │
+# │ ├── account-service: port 4000 (session management) │
+# │ ├── session-coordinator: port 8081 (TSS coordination) │
+# │ ├── message-router: port 8082 (WebSocket for TSS messages) │
+# │ └── server-party-api: port 8083 (server party operations) │
+# └─────────────────────────────────────────────────────────────────────────┘
+#
+# Setup:
+# 1. Copy to .env: cp .env.example .env
+# 2. In Docker Compose mode, most values are overridden by docker-compose.yml
 # =============================================================================
+# =============================================================================
 # Application
-NODE_ENV="development"
-APP_PORT=3001
+# =============================================================================
+NODE_ENV="production"
+APP_PORT=3006
 API_PREFIX="api/v1"
-# Database (PostgreSQL)
-DATABASE_URL="postgresql://postgres:password@localhost:5432/rwa_mpc?schema=public"
+# =============================================================================
+# Database (PostgreSQL on Server B)
+# =============================================================================
+# Docker Compose: postgresql://rwa_user:xxx@rwa-postgres:5432/rwa_mpc
+# Direct access: postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_mpc
+DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_mpc?schema=public"
-# Redis
-REDIS_HOST="localhost"
+# =============================================================================
+# Redis (on Server B)
+# =============================================================================
+# Docker Compose: rwa-redis / Direct: 192.168.1.111
+REDIS_HOST="192.168.1.111"
 REDIS_PORT=6379
 REDIS_PASSWORD=""
 REDIS_DB=5
-# JWT
+# =============================================================================
+# JWT Configuration
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
+# MUST match JWT_SECRET in backend/services/.env
 JWT_SECRET="your-jwt-secret-change-in-production"
 JWT_ACCESS_EXPIRES_IN="2h"
 JWT_REFRESH_EXPIRES_IN="30d"
-# Kafka
-KAFKA_BROKERS="localhost:9092"
+# =============================================================================
+# Kafka (on Server B)
+# =============================================================================
+# Docker Compose: rwa-kafka:29092 / Direct: 192.168.1.111:9092
+KAFKA_BROKERS="192.168.1.111:9092"
 KAFKA_CLIENT_ID="mpc-service"
 KAFKA_GROUP_ID="mpc-service-group"
 # =============================================================================
-# MPC System Configuration (Go/TSS Backend)
+# MPC System Configuration (Go/TSS Backend on Server B)
 # =============================================================================
+# All mpc-system services run in Docker on Server B (192.168.1.111)
-# MPC System Account Service URL (creates keygen/signing sessions)
-MPC_SYSTEM_URL="http://192.168.1.111:4000"
+# Account Service - Creates and manages keygen/signing sessions
+# Docker Compose: http://mpc-account-service:8080
+# Direct access: http://192.168.1.111:4000
+MPC_ACCOUNT_SERVICE_URL="http://192.168.1.111:4000"
-# API Key for authenticating with MPC system
-MPC_API_KEY="your-mpc-api-key-change-in-production"
-
-# Session Coordinator URL (coordinates TSS sessions)
+# Session Coordinator - Coordinates TSS protocol execution
+# Docker Compose: http://mpc-session-coordinator:8080
+# Direct access: http://192.168.1.111:8081
 MPC_COORDINATOR_URL="http://192.168.1.111:8081"
+MPC_SESSION_COORDINATOR_URL="http://192.168.1.111:8081"
-# Message Router WebSocket URL (TSS message routing)
+# Message Router - WebSocket for TSS peer-to-peer messages
+# Docker Compose: ws://mpc-message-router:8080
+# Direct access: ws://192.168.1.111:8082
 MPC_MESSAGE_ROUTER_WS_URL="ws://192.168.1.111:8082"
+# Server Party API - Server-side party operations
+# Docker Compose: http://mpc-server-party-api:8080
+# Direct access: http://192.168.1.111:8083
+MPC_SERVER_PARTY_API_URL="http://192.168.1.111:8083"
+
+# MPC JWT Secret - MUST match mpc-system's JWT_SECRET_KEY
+# SECURITY: Generate with: openssl rand -base64 48
+MPC_JWT_SECRET="change_this_jwt_secret_key_to_random_value_min_32_chars"
+
 # Coordinator timeout in milliseconds
 MPC_COORDINATOR_TIMEOUT=30000
+# =============================================================================
+# Blockchain Service Configuration
+# =============================================================================
+# Docker Compose: http://rwa-blockchain-service:3012
+# Direct access: http://192.168.1.111:3012
+BLOCKCHAIN_SERVICE_URL="http://192.168.1.111:3012"
+
 # =============================================================================
 # Share Encryption
 # =============================================================================
-# IMPORTANT: Generate a secure 32-byte hex key for production
-# Example: openssl rand -hex 32
+# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
+# WARNING: If you lose this key, encrypted shares cannot be recovered!
+# MUST match SHARE_MASTER_KEY in backend/services/.env
 SHARE_MASTER_KEY="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
 # =============================================================================
 # MPC Protocol Timeouts (in milliseconds)
 # =============================================================================
+# Keygen: 2-of-3 threshold key generation (typically 30-60 seconds)
 MPC_KEYGEN_TIMEOUT=300000
+
+# Signing: Threshold signature generation (typically 5-15 seconds)
 MPC_SIGNING_TIMEOUT=180000
+
+# Key refresh: Update key shares without changing public key
 MPC_REFRESH_TIMEOUT=300000
 # =============================================================================
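Review bot: `REDIS_PASSWORD=""` is kept unchanged while `REDIS_HOST` moves from localhost to `192.168.1.111` in a file now titled "Production Environment Configuration", so the template documents a Redis instance reached over the network with no authentication; add a note and a non-empty placeholder, e.g. `# SECURITY: Redis is reached over the LAN here - set requirepass and fill this in` above `REDIS_PASSWORD="change-me-in-production"`. The same concern applies to `SHARE_MASTER_KEY`, whose sample value is a well-formed 64-hex key that will pass validation if copied unchanged, unlike the other placeholders in this hunk that carry "change" wording; a value that cannot parse, such as `SHARE_MASTER_KEY="REPLACE_WITH_openssl_rand_hex_32_OUTPUT"`, is safer. `MPC_COORDINATOR_URL` and the newly added `MPC_SESSION_COORDINATOR_URL` carry the same value with no comment saying which one mpc-service reads, so either document which is authoritative or drop the duplicate. The removal of `MPC_API_KEY` and the rename of `MPC_SYSTEM_URL` to `MPC_ACCOUNT_SERVICE_URL` presumably require matching code changes elsewhere; a one-line comment naming the consumer would help operators migrating an existing `.env`.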