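# =============================================================================
# RWA Backend Services - Production Environment Configuration (.env.example)
# =============================================================================
#
# This template is committed to version control. Anything written here
# (hostnames, IPs, topology) is visible to everyone with repository access, so
# only placeholders belong in this file; real secrets go into the untracked
# .env created from it.
#
# Deployment Topology:
# ┌─────────────────────────────────────────────────────────────────────────┐
# │ Internet (https://rwaapi.szaiai.com)                                    │
# └─────────────────────────────────────────────────────────────────────────┘
#                                     │
#                                     ▼
# ┌─────────────────────────────────────────────────────────────────────────┐
# │ Server A (Gateway) - 119.145.15.38 (Public) / 192.168.1.100 (Internal)  │
# │   nginx (SSL termination) → Kong (API Gateway)                          │
# └─────────────────────────────────────────────────────────────────────────┘
#                                     │
#                                     ▼
# ┌─────────────────────────────────────────────────────────────────────────┐
# │ Server B (Backend) - 192.168.1.111 (Internal Only)                      │
# │   ├── Microservices (identity, wallet, mpc-service, blockchain, etc.)   │
# │   ├── MPC System (account-service, session-coordinator, message-router) │
# │   └── Infrastructure (PostgreSQL, Redis, Kafka)                         │
# └─────────────────────────────────────────────────────────────────────────┘
#
# Setup Instructions:
# 1. Copy this file: cp .env.example .env
# 2. Update ALL password/secret values (generate with the openssl commands
#    given above each key). Every secret below must be a different value;
#    do not reuse one generated string for several keys.
# 3. Restrict access to the file: chmod 600 .env (owned by the deploy user).
# 4. Verify no placeholders remain - this must print nothing:
#      grep -nE 'your_|change_(this|me)' .env
#    (deploy.sh is not shown to check this itself, so do it by hand.)
# 5. Start services: ./deploy.sh up
#
# WARNING: Never commit .env to version control! Add it to .gitignore and
# rotate every secret immediately if it is ever pushed, even briefly.
# =============================================================================


# =============================================================================
# Network Configuration
# =============================================================================
# Public domain for the API (TLS is terminated by nginx on Server A)
PUBLIC_DOMAIN=rwaapi.szaiai.com

# Server A: Gateway server (nginx + kong)
GATEWAY_SERVER_PUBLIC_IP=119.145.15.38
GATEWAY_SERVER_INTERNAL_IP=192.168.1.100

# Server B: Backend services server. Nothing on this host should be reachable
# from the public interface; only Server A's internal address talks to it.
BACKEND_SERVER_IP=192.168.1.111

# =============================================================================
# PostgreSQL Database
# =============================================================================
POSTGRES_USER=rwa_user
# SECURITY: Generate with: openssl rand -base64 32
# The generated value may contain '/', '+' and '='; keep it on one line and
# do not wrap it in quotes (dotenv parsers differ on how quotes are handled).
POSTGRES_PASSWORD=your_secure_password_here

# =============================================================================
# Redis Cache
# =============================================================================
# Leave empty ONLY if Redis is reachable solely on the internal Docker network
# (no published port, no host-network mode). An unauthenticated Redis that is
# reachable from the LAN or the internet is a well-known full-compromise path,
# so when in doubt set a password.
# Generate with: openssl rand -base64 24
REDIS_PASSWORD=

# =============================================================================
# JWT Configuration
# =============================================================================
# Signing secret for end-user tokens.
# SECURITY: Generate with: openssl rand -base64 32
# Must differ from SERVICE_JWT_SECRET and MPC_JWT_SECRET; sharing one secret
# would let a user token be replayed as a service or MPC token (assuming the
# three are verified independently - confirm in the identity service).
JWT_SECRET=your_jwt_secret_here

# =============================================================================
# Service-to-Service Authentication
# =============================================================================
# Signing secret for tokens exchanged between internal microservices.
# SECURITY: Generate with: openssl rand -base64 32 (distinct from JWT_SECRET)
SERVICE_JWT_SECRET=your_service_jwt_secret_here

# =============================================================================
# Wallet Encryption
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# Despite the name, treat this value as a secret: keep it out of logs, error
# messages and plaintext backups. How the wallet service combines it with the
# key-derivation input is defined there - confirm before rotating, since a
# changed salt presumably makes existing encrypted wallets undecryptable.
WALLET_ENCRYPTION_SALT=your_wallet_salt_here

# =============================================================================
# Backup Service Encryption
# =============================================================================
# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
# Must be a different key from SHARE_MASTER_KEY. Keep an offline/escrowed copy
# (secrets manager or sealed backup); without it existing backups are useless.
BACKUP_ENCRYPTION_KEY=your_64_char_hex_key_here

# =============================================================================
# MPC Share Encryption
# =============================================================================
# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
# WARNING: If you lose this key, encrypted shares cannot be recovered!
# Must be a different key from BACKUP_ENCRYPTION_KEY. Store an escrowed copy
# under separate access control; rotating it presumably requires re-encrypting
# every stored share - confirm with the mpc-service before changing it.
SHARE_MASTER_KEY=your_64_char_hex_key_here

# =============================================================================
# MPC System Configuration (Go TSS Backend on Server B)
# =============================================================================
# These URLs are used when services communicate directly with mpc-system
# Note: In Docker Compose, services use internal Docker network names instead
# These are plain http:// and ws:// endpoints, so the bearer tokens signed with
# MPC_JWT_SECRET travel unencrypted. Acceptable only while both ends stay on
# Server B / the internal network; do not point them at a routable address
# without adding TLS.
MPC_COORDINATOR_URL=http://192.168.1.111:8081
MPC_MESSAGE_ROUTER_URL=ws://192.168.1.111:8082
MPC_ACCOUNT_SERVICE_URL=http://192.168.1.111:4000

# MPC JWT Secret - MUST match mpc-system's JWT_SECRET_KEY
# SECURITY: Generate with: openssl rand -base64 48 (distinct from JWT_SECRET
# and SERVICE_JWT_SECRET). Copy the value to mpc-system through the same
# secrets channel, not via chat or a ticket.
MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars

# =============================================================================
# MinIO Object Storage (Server A: 192.168.1.100)
# =============================================================================
# MinIO S3 API endpoint (internal LAN access)
MINIO_ENDPOINT=192.168.1.100
MINIO_PORT=9000
# false means the access key and secret are sent in clear text over the LAN to
# Server A, which also carries the public interface. Prefer true with a LAN
# certificate, or keep the MinIO port firewalled to BACKEND_SERVER_IP only.
MINIO_USE_SSL=false

# MinIO credentials (must match minio server config)
# 'admin' is typically the MinIO root user. Create a dedicated user for this
# application with a policy limited to the buckets below and put that user's
# key pair here, so a leaked .env does not hand over the whole object store.
MINIO_ACCESS_KEY=admin
# SECURITY: Generate with: openssl rand -base64 32
MINIO_SECRET_KEY=change_me_to_secure_password

# Bucket for user avatars
MINIO_BUCKET_AVATARS=avatars

# Public URL for accessing files. Only buckets meant to be world-readable
# (avatars) should be exposed through this host; keep backups and share
# material in buckets that are not reachable via the public URL.
MINIO_PUBLIC_URL=https://minio.szaiai.com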