# =============================================================================
# Identity Service - Production Environment Configuration
# =============================================================================
#
# Deployment: Server B (192.168.1.111)
# Role: User account management, authentication, wallet address storage
#
# Flow: Kong → identity-service → mpc-service → blockchain-service
#            ↑                                       ↓
#            └────────────────── Kafka ←─────────────┘
#
# Setup:
#   1. Copy to .env: cp .env.example .env
#   2. In Docker Compose mode, most values are overridden by docker-compose.yml
#   3. For local development, update values below
#
# Format notes:
#   - Every value is read as a string; dotenv-style loaders strip the
#     surrounding double quotes. Keep the quoting style used here.
#   - One assignment per line, no inline comments: text after a value
#     would become part of the value.
#   - Values marked "change-in-production" / "change_me" are placeholders and
#     must be replaced before this file is used as a real .env.
# =============================================================================

# =============================================================================
# Application
# =============================================================================
# TCP port the service listens on
APP_PORT=3000
# Runtime environment label (this file targets production)
APP_ENV="production"

# =============================================================================
# Database (PostgreSQL on Server B)
# =============================================================================
# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_identity
# Direct access:  postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_identity
#
# The database password is embedded in this URL. Replace "your_password" and
# make sure the full URL is never echoed into logs or error output.
DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_identity?schema=public"

# =============================================================================
# JWT Configuration
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# MUST match JWT_SECRET in backend/services/.env
# Placeholder below - tokens signed with it are guessable; a production .env
# must carry a freshly generated value, identical on both services.
JWT_SECRET="your-super-secret-jwt-key-change-in-production"
# Lifetime of access tokens (duration string, e.g. "2h")
JWT_ACCESS_EXPIRES_IN="2h"
# Lifetime of refresh tokens (duration string, e.g. "30d")
JWT_REFRESH_EXPIRES_IN="30d"

# =============================================================================
# Redis (on Server B)
# =============================================================================
# Docker Compose: redis / Direct: 192.168.1.111
REDIS_HOST="192.168.1.111"
REDIS_PORT=6379
# Empty means no AUTH. With the direct LAN address above, access control then
# rests entirely on network isolation - set a password for production.
REDIS_PASSWORD=""
# Logical database index
REDIS_DB=0

# =============================================================================
# Kafka (on Server B)
# =============================================================================
# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092
# NOTE(review): no SASL/TLS settings are defined here, so broker access
# presumably relies on network isolation - confirm against the broker config.
KAFKA_BROKERS="192.168.1.111:9092"
# Client id reported to the broker
KAFKA_CLIENT_ID="identity-service"
# Consumer group id
KAFKA_GROUP_ID="identity-service-group"

# =============================================================================
# SMS Service - Aliyun (Alibaba Cloud SMS)
# =============================================================================
# Aliyun AccessKey (use a RAM sub-account, not the root account's key, so the
# key can be scoped to SMS permissions and rotated independently)
# Create at: https://ram.console.aliyun.com/manage/ak
ALIYUN_ACCESS_KEY_ID="your-aliyun-access-key-id"
ALIYUN_ACCESS_KEY_SECRET="your-aliyun-access-key-secret"

# SMS signature (must be registered in the Aliyun SMS console)
# e.g. "榴莲皇后"
ALIYUN_SMS_SIGN_NAME="榴莲皇后"

# SMS template code (must be registered in the Aliyun SMS console)
# Verification-code template example: SMS_123456789
# Template text: 您的验证码是${code},5分钟内有效。
#   ("Your verification code is ${code}, valid for 5 minutes.")
ALIYUN_SMS_TEMPLATE_CODE="SMS_123456789"

# Aliyun SMS API endpoint (default, normally no change needed)
ALIYUN_SMS_ENDPOINT="dysmsapi.aliyuncs.com"

# Whether real SMS sending is enabled (false is recommended for development)
# false: mock mode, verification codes are printed to the log
# true:  real SMS delivery
# In mock mode the log therefore contains live one-time codes; for a
# production deployment either set this to true or treat the service log as
# sensitive.
SMS_ENABLED="false"

# =============================================================================
# Wallet Encryption
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# NOTE(review): if this salt feeds key derivation for stored wallet data,
# changing it later likely requires re-encrypting existing records - confirm
# before rotating it on a live deployment.
WALLET_ENCRYPTION_SALT="rwa-wallet-salt-change-in-production"

# =============================================================================
# MPC Service Configuration
# =============================================================================
# Flow: identity-service → mpc-service (NestJS) → mpc-system (Go/TSS)
#
# Docker Compose: http://mpc-service:3006
# Direct access:  http://192.168.1.111:3006
# Plain http on the LAN; the call leaves this host unencrypted when the
# direct address is used.
MPC_SERVICE_URL="http://192.168.1.111:3006"

# MPC Mode:
#   - local:  Mock mode for testing (generates random addresses)
#   - remote: Production mode (calls mpc-service for real MPC keygen)
# "local" must never be used where real wallets are created: the addresses it
# produces are not backed by a key share.
MPC_MODE="remote"

# Use Kafka event-driven communication for MPC operations
# Recommended: true for production (async, more reliable)
MPC_USE_EVENT_DRIVEN="true"

# =============================================================================
# Backup Service Configuration
# =============================================================================
# SECURITY: For production, deploy backup-service on a DIFFERENT server!
# This ensures no single point of failure for encrypted key shares.
#
# Docker Compose: http://backup-service:3002
# Direct access:  http://192.168.1.111:3002 (or different server IP)
# The address below still points at Server B itself; change it once the
# backup service has been moved to its own host.
BACKUP_SERVICE_URL="http://192.168.1.111:3002"
BACKUP_SERVICE_ENABLED="true"

# Service-to-service authentication secret
# MUST match SERVICE_JWT_SECRET in backup-service
# SECURITY: Generate with: openssl rand -base64 32
# Placeholder below - use a value distinct from JWT_SECRET so that a leaked
# user-token secret does not also grant service-to-service access.
SERVICE_JWT_SECRET="your-service-jwt-secret-change-in-production"

# =============================================================================
# Blockchain RPC URLs (for address verification, external endpoints)
# =============================================================================
# Public third-party endpoints: responses are trusted for address
# verification, so prefer an operator-controlled or contracted RPC for
# production.
KAVA_RPC_URL="https://evm.kava.io"
BSC_RPC_URL="https://bsc-dataseed.binance.org"

# =============================================================================
# MinIO Object Storage Configuration (Server A: 192.168.1.100)
# =============================================================================
# MinIO S3 API endpoint
#   - LAN access: 192.168.1.100:9000
#   - Domain:     minio.szaiai.com (for external access)
MINIO_ENDPOINT="192.168.1.100"
MINIO_PORT=9000
# false: the S3 API is spoken over plain http on the LAN (request headers,
# including the access key id and signature, and object bodies travel
# unencrypted). Set to true if the MinIO server has TLS configured.
MINIO_USE_SSL=false

# MinIO credentials (must match minio server config)
# "admin" / "change_me_..." are placeholders; replace both before deployment.
MINIO_ACCESS_KEY="admin"
MINIO_SECRET_KEY="change_me_to_secure_password"

# Bucket for user avatars
MINIO_BUCKET_AVATARS="avatars"

# Public URL for accessing files
# Users access files via: https://minio.szaiai.com/avatars/{userId}/{uuid}.jpg
# NOTE(review): this URL scheme implies anonymous read on the avatars bucket;
# confirm the bucket policy is read-only and limited to that bucket.
MINIO_PUBLIC_URL="https://minio.szaiai.com"