171 lines
7.3 KiB
Plaintext
171 lines
7.3 KiB
Plaintext
# =============================================================================
|
||
# Identity Service - Production Environment Configuration
|
||
# =============================================================================
|
||
#
|
||
# Deployment: Server B (192.168.1.111)
|
||
# Role: User account management, authentication, wallet address storage
|
||
#
|
||
# Flow: Kong → identity-service → mpc-service → blockchain-service
|
||
# ↑ ↓
|
||
# └────────────────── Kafka ←───────────────────┘
|
||
#
|
||
# Setup:
|
||
# 1. Copy to .env: cp .env.example .env
|
||
# 2. In Docker Compose mode, most values are overridden by docker-compose.yml
|
||
# 3. For local development, update values below
|
||
# =============================================================================
|
||
|
||
# =============================================================================
|
||
# Application
|
||
# =============================================================================
|
||
APP_PORT=3000
|
||
APP_ENV="production"
|
||
|
||
# =============================================================================
|
||
# Database (PostgreSQL on Server B)
|
||
# =============================================================================
|
||
# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_identity
|
||
# Direct access: postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_identity
|
||
DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_identity?schema=public"
|
||
|
||
# =============================================================================
|
||
# JWT Configuration
|
||
# =============================================================================
|
||
# SECURITY: Generate with: openssl rand -base64 32
|
||
# MUST match JWT_SECRET in backend/services/.env
|
||
JWT_SECRET="your-super-secret-jwt-key-change-in-production"
|
||
JWT_ACCESS_EXPIRES_IN="2h"
|
||
JWT_REFRESH_EXPIRES_IN="30d"
|
||
|
||
# =============================================================================
|
||
# Redis (on Server B)
|
||
# =============================================================================
|
||
# Docker Compose: redis / Direct: 192.168.1.111
|
||
REDIS_HOST="192.168.1.111"
|
||
REDIS_PORT=6379
|
||
REDIS_PASSWORD=""
|
||
REDIS_DB=0
|
||
|
||
# =============================================================================
|
||
# Kafka (on Server B)
|
||
# =============================================================================
|
||
# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092
|
||
KAFKA_BROKERS="192.168.1.111:9092"
|
||
KAFKA_CLIENT_ID="identity-service"
|
||
KAFKA_GROUP_ID="identity-service-group"
|
||
|
||
# =============================================================================
|
||
# SMS Service - Aliyun (阿里云短信服务)
|
||
# =============================================================================
|
||
# 阿里云 AccessKey (建议使用 RAM 子账号)
|
||
# 创建地址: https://ram.console.aliyun.com/manage/ak
|
||
ALIYUN_ACCESS_KEY_ID="your-aliyun-access-key-id"
|
||
ALIYUN_ACCESS_KEY_SECRET="your-aliyun-access-key-secret"
|
||
|
||
# 短信签名 (需在阿里云短信控制台申请)
|
||
# 例如: "榴莲皇后"
|
||
ALIYUN_SMS_SIGN_NAME="榴莲皇后"
|
||
|
||
# 短信模板代码 (需在阿里云短信控制台申请)
|
||
# 验证码模板示例: SMS_123456789
|
||
# 模板内容: 您的验证码是${code},5分钟内有效。
|
||
ALIYUN_SMS_TEMPLATE_CODE="SMS_123456789"
|
||
|
||
# 阿里云短信 API 端点 (默认无需修改)
|
||
ALIYUN_SMS_ENDPOINT="dysmsapi.aliyuncs.com"
|
||
|
||
# 是否启用真实短信发送 (开发环境建议设为 false)
|
||
# false: 模拟模式,验证码打印到日志
|
||
# true: 真实发送短信
|
||
SMS_ENABLED="false"
|
||
|
||
# =============================================================================
|
||
# KYC Service - Aliyun 实人认证 (阿里云金融级实人认证)
|
||
# =============================================================================
|
||
# 产品文档: https://help.aliyun.com/product/60032.html
|
||
# 控制台: https://yundun.console.aliyun.com/?p=cloudauth
|
||
#
|
||
# 支持三层认证:
|
||
# - 层级1: 实名认证 (二要素验证: 姓名+身份证号)
|
||
# - 层级2: 实人认证 (人脸活体检测)
|
||
# - 层级3: KYC (证件照OCR识别验证)
|
||
|
||
# 是否启用阿里云 KYC 服务 (开发环境建议设为 false)
|
||
# false: 模拟模式,只验证身份证格式和校验码
|
||
# true: 真实调用阿里云实人认证 API
|
||
ALIYUN_KYC_ENABLED="false"
|
||
|
||
# 阿里云实人认证 API 端点 (默认无需修改)
|
||
ALIYUN_KYC_ENDPOINT="cloudauth.aliyuncs.com"
|
||
|
||
# 阿里云实人认证场景 ID (人脸活体检测需要)
|
||
# 在阿里云实人认证控制台创建场景后获取
|
||
ALIYUN_KYC_SCENE_ID=""
|
||
|
||
# =============================================================================
|
||
# Wallet Encryption
|
||
# =============================================================================
|
||
# SECURITY: Generate with: openssl rand -base64 32
|
||
WALLET_ENCRYPTION_SALT="rwa-wallet-salt-change-in-production"
|
||
|
||
# =============================================================================
|
||
# MPC Service Configuration
|
||
# =============================================================================
|
||
# Flow: identity-service → mpc-service (NestJS) → mpc-system (Go/TSS)
|
||
#
|
||
# Docker Compose: http://mpc-service:3006
|
||
# Direct access: http://192.168.1.111:3006
|
||
MPC_SERVICE_URL="http://192.168.1.111:3006"
|
||
|
||
# MPC Mode:
|
||
# - local: Mock mode for testing (generates random addresses)
|
||
# - remote: Production mode (calls mpc-service for real MPC keygen)
|
||
MPC_MODE="remote"
|
||
|
||
# Use Kafka event-driven communication for MPC operations
|
||
# Recommended: true for production (async, more reliable)
|
||
MPC_USE_EVENT_DRIVEN="true"
|
||
|
||
# =============================================================================
|
||
# Backup Service Configuration
|
||
# =============================================================================
|
||
# SECURITY: For production, deploy backup-service on a DIFFERENT server!
|
||
# This ensures no single point of failure for encrypted key shares.
|
||
#
|
||
# Docker Compose: http://backup-service:3002
|
||
# Direct access: http://192.168.1.111:3002 (or different server IP)
|
||
BACKUP_SERVICE_URL="http://192.168.1.111:3002"
|
||
BACKUP_SERVICE_ENABLED="true"
|
||
|
||
# Service-to-service authentication secret
|
||
# MUST match SERVICE_JWT_SECRET in backup-service
|
||
# SECURITY: Generate with: openssl rand -base64 32
|
||
SERVICE_JWT_SECRET="your-service-jwt-secret-change-in-production"
|
||
|
||
# =============================================================================
|
||
# Blockchain RPC URLs (for address verification, external endpoints)
|
||
# =============================================================================
|
||
KAVA_RPC_URL="https://evm.kava.io"
|
||
BSC_RPC_URL="https://bsc-dataseed.binance.org"
|
||
|
||
# =============================================================================
|
||
# MinIO Object Storage Configuration (Server A: 192.168.1.100)
|
||
# =============================================================================
|
||
# MinIO S3 API endpoint
|
||
# - LAN access: 192.168.1.100:9000
|
||
# - Domain: minio.szaiai.com (for external access)
|
||
MINIO_ENDPOINT="192.168.1.100"
|
||
MINIO_PORT=9000
|
||
MINIO_USE_SSL=false
|
||
|
||
# MinIO credentials (must match minio server config)
|
||
MINIO_ACCESS_KEY="admin"
|
||
MINIO_SECRET_KEY="change_me_to_secure_password"
|
||
|
||
# Bucket for user avatars
|
||
MINIO_BUCKET_AVATARS="avatars"
|
||
|
||
# Public URL for accessing files
|
||
# Users access files via: https://minio.szaiai.com/avatars/{userId}/{uuid}.jpg
|
||
MINIO_PUBLIC_URL="https://minio.szaiai.com"
|