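# =============================================================================
# Identity Service - Production Environment Configuration
# =============================================================================
#
# Deployment: Server B (192.168.1.111)
# Role: User account management, authentication, wallet address storage
#
# Flow: Kong → identity-service → mpc-service → blockchain-service
#                    ↑                                   ↓
#                    └────────────────── Kafka ←───────────────────┘
#
# Setup:
# 1. Copy to .env: cp .env.example .env
# 2. In Docker Compose mode, most values are overridden by docker-compose.yml
# 3. For local development, update values below
# 4. The populated .env holds live secrets: keep it out of version control
#    and restrict its file permissions to the service user
#
# Every value marked "change-in-production" / "your_..." below is a placeholder
# and must be replaced before the service is started against real data.
# =============================================================================

# =============================================================================
# Application
# =============================================================================
APP_PORT=3000
APP_ENV="production"

# =============================================================================
# Database (PostgreSQL on Server B)
# =============================================================================
# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_identity
# Direct access: postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_identity
# SECURITY: The password is embedded in the URL; anything that logs or prints
# this variable (startup banners, crash dumps) leaks it. Rotate if exposed.
DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_identity?schema=public"

# =============================================================================
# JWT Configuration
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# MUST match JWT_SECRET in backend/services/.env
# Placeholder below is a well-known string: any token signed with it can be
# forged by anyone who has read this file. Replace before deployment.
JWT_SECRET="your-super-secret-jwt-key-change-in-production"
# Lifetime of access tokens (short) and refresh tokens (long).
JWT_ACCESS_EXPIRES_IN="2h"
JWT_REFRESH_EXPIRES_IN="30d"

# =============================================================================
# Redis (on Server B)
# =============================================================================
# Docker Compose: redis / Direct: 192.168.1.111
REDIS_HOST="192.168.1.111"
REDIS_PORT=6379
# Empty = no Redis AUTH. Acceptable only if Redis is reachable solely from the
# compose network / LAN; confirm the port is not exposed beyond that.
REDIS_PASSWORD=""
REDIS_DB=0

# =============================================================================
# Kafka (on Server B)
# =============================================================================
# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092
KAFKA_BROKERS="192.168.1.111:9092"
KAFKA_CLIENT_ID="identity-service"
KAFKA_GROUP_ID="identity-service-group"

# =============================================================================
# SMS Service (External)
# =============================================================================
SMS_API_URL="https://sms-api.example.com"
# Placeholder; replace with the real key. Keep SMS_API_URL on https so the
# key is not sent in plaintext.
SMS_API_KEY="your-sms-api-key"

# =============================================================================
# Wallet Encryption
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# Changing this value after wallets have been stored will make existing
# encrypted data undecryptable — treat it as a key, back it up accordingly.
WALLET_ENCRYPTION_SALT="rwa-wallet-salt-change-in-production"

# =============================================================================
# MPC Service Configuration
# =============================================================================
# Flow: identity-service → mpc-service (NestJS) → mpc-system (Go/TSS)
#
# Docker Compose: http://mpc-service:3006
# Direct access: http://192.168.1.111:3006
MPC_SERVICE_URL="http://192.168.1.111:3006"

# MPC Mode:
# - local: Mock mode for testing (generates random addresses)
# - remote: Production mode (calls mpc-service for real MPC keygen)
# SECURITY: "local" produces addresses with no real key material behind them;
# never run a production deployment with MPC_MODE="local".
MPC_MODE="remote"

# Use Kafka event-driven communication for MPC operations
# Recommended: true for production (async, more reliable)
MPC_USE_EVENT_DRIVEN="true"

# =============================================================================
# Backup Service Configuration
# =============================================================================
# SECURITY: For production, deploy backup-service on a DIFFERENT server!
# This ensures no single point of failure for encrypted key shares.
#
# Docker Compose: http://backup-service:3002
# Direct access: http://192.168.1.111:3002 (or different server IP)
BACKUP_SERVICE_URL="http://192.168.1.111:3002"
BACKUP_SERVICE_ENABLED="true"

# Service-to-service authentication secret
# MUST match SERVICE_JWT_SECRET in backup-service
# SECURITY: Generate with: openssl rand -base64 32
# Use a value distinct from JWT_SECRET so a leak of one does not grant the other.
SERVICE_JWT_SECRET="your-service-jwt-secret-change-in-production"

# =============================================================================
# Blockchain RPC URLs (for address verification, external endpoints)
# =============================================================================
# Public endpoints; outbound-only. Keep https so responses cannot be tampered
# with in transit.
KAVA_RPC_URL="https://evm.kava.io"
BSC_RPC_URL="https://bsc-dataseed.binance.org"

# =============================================================================
# MinIO Object Storage Configuration (Server A: 192.168.1.100)
# =============================================================================
# MinIO S3 API endpoint
# - LAN access: 192.168.1.100:9000
# - Domain: minio.szaiai.com (for external access)
MINIO_ENDPOINT="192.168.1.100"
MINIO_PORT=9000
# false = plaintext S3 API. Object data and signed requests cross the LAN
# unencrypted; set to true if the endpoint is ever reachable from outside it.
MINIO_USE_SSL=false

# MinIO credentials (must match minio server config)
# SECURITY: Example values only. Use a dedicated access key scoped to the
# buckets this service needs rather than the MinIO root/admin credentials.
MINIO_ACCESS_KEY="admin"
MINIO_SECRET_KEY="minio_secret_password"

# Bucket for user avatars
MINIO_BUCKET_AVATARS="avatars"

# Public URL for accessing files (CDN with caching)
# Users access files via CDN: https://cdn.szaiai.com/avatars/{userId}/{uuid}.jpg
MINIO_PUBLIC_URL="https://cdn.szaiai.com"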