# =============================================================================
# RWA Backend Services - Production Environment Configuration
# =============================================================================
#
# Deployment Topology:
# ┌─────────────────────────────────────────────────────────────────────────┐
# │ Internet (https://rwaapi.szaiai.com) │
# └─────────────────────────────────────────────────────────────────────────┘
# │
# ▼
# ┌─────────────────────────────────────────────────────────────────────────┐
# │ Server A (Gateway) - 119.145.15.38 (Public) / 192.168.1.100 (Internal) │
# │ nginx (SSL termination) → Kong (API Gateway) │
# └─────────────────────────────────────────────────────────────────────────┘
# │
# ▼
# ┌─────────────────────────────────────────────────────────────────────────┐
# │ Server B (Backend) - 192.168.1.111 (Internal Only) │
# │ ├── Microservices (identity, wallet, mpc-service, blockchain, etc.) │
# │ ├── MPC System (account-service, session-coordinator, message-router) │
# │ └── Infrastructure (PostgreSQL, Redis, Kafka) │
# └─────────────────────────────────────────────────────────────────────────┘
#
# Setup Instructions:
# 1. Copy this file: cp .env.example .env
# 2. Update ALL password/secret values (generate with openssl commands below)
# 3. Start services: ./deploy.sh up
#
# WARNING: Never commit .env to version control!
# Keep .env listed in .gitignore and readable only by the deploying user
# (e.g. chmod 600). This example already names the production domain, the
# public IP and a hot-wallet address, so treat the example itself as
# sensitive as well.
#
# Format notes (dotenv KEY=value, one pair per line, no spaces around '='):
# - Values are read literally; keep generated secrets on a single line.
# - `openssl rand -base64` output can contain '+', '/' and '='; '=' inside a
#   value is normally accepted, but which dotenv library reads this file is
#   not visible here — if a value ever contains '#', '$' or whitespace, wrap
#   it in double quotes and confirm the parser's quoting rules.
# - Every *_SECRET / *_KEY / *_PASSWORD below ships with a placeholder; the
#   deployment should refuse to start while any placeholder is still present.
# =============================================================================

# =============================================================================
# Network Configuration
# =============================================================================
# Public domain for the API
PUBLIC_DOMAIN=rwaapi.szaiai.com

# Server A: Gateway server (nginx + kong)
# The public IP is internet-facing; only the gateway should ever expose it.
GATEWAY_SERVER_PUBLIC_IP=119.145.15.38
GATEWAY_SERVER_INTERNAL_IP=192.168.1.100

# Server B: Backend services server
# Internal-only address per the topology above; nothing here should be
# reachable from the public interface.
BACKEND_SERVER_IP=192.168.1.111

# =============================================================================
# PostgreSQL Database
# =============================================================================
POSTGRES_USER=rwa_user
# SECURITY: Generate with: openssl rand -base64 32
# Replace before first start; do not reuse this password for any other
# service in this file.
POSTGRES_PASSWORD=your_secure_password_here

# =============================================================================
# Redis Cache
# =============================================================================
# Leave empty if Redis is only accessible within Docker network
# For additional security, generate with: openssl rand -base64 24
# NOTE: an empty value means unauthenticated access. If the Redis port is ever
# published outside the Docker network, a password is required, not optional.
REDIS_PASSWORD=

# =============================================================================
# JWT Configuration
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# Use a value distinct from SERVICE_JWT_SECRET and MPC_JWT_SECRET so that a
# token issued for one purpose is not accepted for another.
JWT_SECRET=your_jwt_secret_here

# =============================================================================
# Service-to-Service Authentication
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# Must not equal JWT_SECRET (see above).
SERVICE_JWT_SECRET=your_service_jwt_secret_here

# =============================================================================
# Wallet Encryption
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# NOTE(review): changing this after wallets exist presumably makes previously
# encrypted wallet data undecryptable — confirm against the wallet service
# before rotating.
WALLET_ENCRYPTION_SALT=your_wallet_salt_here

# =============================================================================
# Backup Service Encryption
# =============================================================================
# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
# The placeholder below is identical to SHARE_MASTER_KEY's placeholder; the
# real values must be two independently generated keys — never copy one
# generated value into both.
BACKUP_ENCRYPTION_KEY=your_64_char_hex_key_here

# =============================================================================
# MPC Share Encryption
# =============================================================================
# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
# WARNING: If you lose this key, encrypted shares cannot be recovered!
# Keep an offline, access-controlled backup of this key, stored separately
# from the encrypted shares themselves. Must differ from BACKUP_ENCRYPTION_KEY.
SHARE_MASTER_KEY=your_64_char_hex_key_here

# =============================================================================
# MPC System Configuration (Go TSS Backend on Server B)
# =============================================================================
# These URLs are used when services communicate directly with mpc-system
# Note: In Docker Compose, services use internal Docker network names instead
# Plain http:// and ws:// — no transport encryption. Acceptable only on the
# isolated internal network (192.168.1.x) shown in the topology; never point
# these at an address reachable through the public interface.
MPC_COORDINATOR_URL=http://192.168.1.111:8081
MPC_MESSAGE_ROUTER_URL=ws://192.168.1.111:8082
MPC_ACCOUNT_SERVICE_URL=http://192.168.1.111:4000

# MPC JWT Secret - MUST match mpc-system's JWT_SECRET_KEY
# SECURITY: Generate with: openssl rand -base64 48
# Rotate this value and mpc-system's JWT_SECRET_KEY together; keep it distinct
# from JWT_SECRET and SERVICE_JWT_SECRET.
MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars

# =============================================================================
# MinIO Object Storage (Server A: 192.168.1.100)
# =============================================================================
# MinIO S3 API endpoint (internal LAN access)
MINIO_ENDPOINT=192.168.1.100
MINIO_PORT=9000
# With SSL off, the access key and secret below travel in cleartext to
# 192.168.1.100 — keep this endpoint on the internal network only, or enable
# SSL if the MinIO server has a certificate.
MINIO_USE_SSL=false

# MinIO credentials (must match minio server config)
# 'admin' looks like a default/administrative user. Prefer a dedicated MinIO
# user with a policy limited to the buckets this application needs, rather
# than the server's root credentials — confirm against the MinIO setup.
MINIO_ACCESS_KEY=admin
MINIO_SECRET_KEY=change_me_to_secure_password

# Bucket for user avatars
MINIO_BUCKET_AVATARS=avatars

# Public URL for accessing files
# Anything served here is internet-reachable; verify the bucket policy grants
# anonymous read only to what is meant to be public (avatars), nothing else.
MINIO_PUBLIC_URL=https://minio.szaiai.com

# =============================================================================
# MPC Hot Wallet (used for withdrawal transfers)
# =============================================================================
# Hot wallet username (identifier within the MPC system)
HOT_WALLET_USERNAME=rwadurian-system-hot-wallet-01

# Hot wallet address (EVM address derived from the MPC public key)
# Not a secret, but a mismatch with the key material held by mpc-system would
# misroute withdrawals — verify this value against mpc-system before go-live.
HOT_WALLET_ADDRESS=0x895aaf83C57f807416E3BbBd093d7aB74a6FDd33

# =============================================================================
# Aliyun SMS Service
# =============================================================================
# Aliyun AccessKey (recommended: use a RAM sub-account granted only the SMS
# service permission, never the root account key)
# Obtain at: https://ram.console.aliyun.com/manage/ak
ALIYUN_ACCESS_KEY_ID=your_aliyun_access_key_id_here
ALIYUN_ACCESS_KEY_SECRET=your_aliyun_access_key_secret_here

# SMS signature (must be applied for in the Aliyun SMS console)
# Apply at: https://dysms.console.aliyun.com/domestic/text/sign
ALIYUN_SMS_SIGN_NAME=榴莲皇后

# SMS template code (must be applied for in the Aliyun SMS console)
# Apply at: https://dysms.console.aliyun.com/domestic/text/template
# Example template body (Chinese): 您的验证码是${code},5分钟内有效。
# ("Your verification code is ${code}, valid for 5 minutes.")
ALIYUN_SMS_TEMPLATE_CODE=SMS_123456789

# Aliyun SMS API endpoint (normally no change needed)
ALIYUN_SMS_ENDPOINT=dysmsapi.aliyuncs.com

# Whether real SMS sending is enabled
# false: mock mode, verification codes are printed to the log
#        (recommended for development/test)
# true:  real SMS is sent to the phone (production)
# Mock mode puts one-time codes into application logs; on a production host
# make sure this is true, or that the logs are not readable beyond operators.
SMS_ENABLED=false