# =============================================================================
# Identity Service - Production Environment Configuration
# =============================================================================
#
# Deployment: Server B (192.168.1.111)
# Role: User account management, authentication, wallet address storage
#
# Flow: Kong → identity-service → mpc-service → blockchain-service
#             ↑                                        ↓
#             └──────────────── Kafka ←───────────────┘
# (request path left to right; events return to identity-service over Kafka)
#
# Setup:
# 1. Copy to .env: cp .env.example .env
# 2. In Docker Compose mode, most values are overridden by docker-compose.yml
# 3. For local development, update values below
# =============================================================================
# =============================================================================
# Application
# =============================================================================
# Port the service listens on. Per the flow in the file header the service
# sits behind Kong, so this port should be reachable only from the gateway /
# compose network, not published to the LAN -- NOTE(review): confirm that is
# enforced; nothing in this file does.
APP_PORT=3000
# Defaults to "production" in this example while every secret below is still a
# placeholder. The config loader should refuse to start with placeholder
# secrets when APP_ENV is production -- NOTE(review): verify such a check
# exists, since this template cannot enforce it.
APP_ENV="production"
# =============================================================================
# Database (PostgreSQL on Server B)
# =============================================================================
# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_identity
# Direct access: postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_identity
# The password is embedded in the URL, so the whole .env must be treated as a
# secret (outside version control, never echoed into logs or shell history).
# NOTE(review): no sslmode parameter is set, so the direct-access form talks
# to Postgres over the LAN in cleartext unless the server forces TLS; consider
# appending &sslmode=require (or verify-full with a CA) once the server has a
# certificate. The `schema=public` parameter suggests a Prisma-style client --
# confirm which library parses this URL before adding parameters.
DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_identity?schema=public"
# =============================================================================
# JWT Configuration
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# MUST match JWT_SECRET in backend/services/.env
# NOTE(review): a shared symmetric secret means every service holding it can
# mint user tokens, not merely verify them. If the other services only verify,
# an asymmetric key pair (e.g. RS256/ES256: private key here, public key in
# the verifiers) limits the blast radius of one compromised service. The
# placeholder below must never reach a running deployment; the service should
# reject it at startup -- confirm that check exists.
JWT_SECRET="your-super-secret-jwt-key-change-in-production"
# Access-token lifetime. 2h is long for an identity/wallet service; a shorter
# access token plus refresh rotation limits what a stolen token can do.
JWT_ACCESS_EXPIRES_IN="2h"
# Refresh-token lifetime. 30d is only acceptable if refresh tokens are tracked
# server-side and can be revoked (logout, password change, compromise) --
# NOTE(review): confirm revocation exists; this file cannot show it.
JWT_REFRESH_EXPIRES_IN="30d"
# =============================================================================
# Redis (on Server B)
# =============================================================================
# Docker Compose: redis / Direct: 192.168.1.111
REDIS_HOST="192.168.1.111"
REDIS_PORT=6379
# Empty value = unauthenticated Redis. Whatever this service keeps here
# (presumably sessions, SMS codes, rate-limit counters -- confirm) is then
# readable and forgeable by anyone who can reach 192.168.1.111:6379. For a
# production template this should be a placeholder that forces the operator
# to set `requirepass` (or an ACL user) on the server; an empty value should
# fail startup when APP_ENV is production.
REDIS_PASSWORD=""
# Logical database index; 0 is the Redis default.
REDIS_DB=0
# =============================================================================
# Kafka (on Server B)
# =============================================================================
# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092
# NOTE(review): no SASL/TLS settings are present, so this is an
# unauthenticated plaintext broker connection. MPC operations travel over
# this bus when MPC_USE_EVENT_DRIVEN=true (MPC section below), so anyone on
# the LAN could observe or inject those events unless the broker itself
# enforces authentication on 9092.
KAFKA_BROKERS="192.168.1.111:9092"
# Client id reported to the broker (identification only, not authentication).
KAFKA_CLIENT_ID="identity-service"
# Consumer group id; replicas of this service that share it split the topic
# partitions between them (standard Kafka consumer-group semantics).
KAFKA_GROUP_ID="identity-service-group"
# =============================================================================
# SMS Service - Aliyun (Alibaba Cloud SMS)
# =============================================================================
# Aliyun AccessKey. Use a RAM sub-account, ideally with a policy limited to the
# SMS (dysms) API: this key pair is all an attacker needs to send SMS at your
# expense or to phish users under your approved sign name.
# Create at: https://ram.console.aliyun.com/manage/ak
ALIYUN_ACCESS_KEY_ID="your-aliyun-access-key-id"
ALIYUN_ACCESS_KEY_SECRET="your-aliyun-access-key-secret"
# SMS signature (must be approved in the Aliyun SMS console)
# e.g. "榴莲皇后"
ALIYUN_SMS_SIGN_NAME="榴莲皇后"
# SMS template code (must be approved in the Aliyun SMS console)
# Example verification-code template: SMS_123456789
# Template content: 您的验证码是${code}5分钟内有效。
#   (i.e. "Your verification code is ${code}, valid for 5 minutes.")
ALIYUN_SMS_TEMPLATE_CODE="SMS_123456789"
# Aliyun SMS API endpoint (normally no need to change)
ALIYUN_SMS_ENDPOINT="dysmsapi.aliyuncs.com"
# Whether to really send SMS (false is recommended for development)
# false: mock mode, the verification code is written to the log
# true: actually send SMS
# SECURITY: mock mode puts one-time login codes into application logs, so
# anyone with log access can authenticate as any user. Never run with false
# in production -- note this template defaults to false while APP_ENV is
# "production", which is inconsistent. Also confirm code verification is
# attempt-limited; no rate-limit setting is visible in this file.
SMS_ENABLED="false"
# =============================================================================
# Wallet Encryption
# =============================================================================
# SECURITY: Generate with: openssl rand -base64 32
# NOTE(review): the name says "salt" but this file handles it like a secret
# (random generation, "change in production"). A salt only needs to be unique,
# not secret; if this value is the only secret input to whatever derives the
# wallet-material encryption key, it is effectively the encryption key and
# must be managed as one (secret store, rotation plan, never logged). Confirm
# how the service uses it -- the KDF is not visible here.
WALLET_ENCRYPTION_SALT="rwa-wallet-salt-change-in-production"
# =============================================================================
# MPC Service Configuration
# =============================================================================
# Flow: identity-service → mpc-service (NestJS) → mpc-system (Go/TSS)
#
# Docker Compose: http://mpc-service:3006
# Direct access: http://192.168.1.111:3006
# NOTE(review): plain http. Keygen requests and the returned wallet addresses
# presumably cross this link; on a shared LAN that traffic is readable and,
# worse, modifiable (rewriting a returned address redirects funds). Use https
# with a pinned CA, or mTLS between the services.
MPC_SERVICE_URL="http://192.168.1.111:3006"
# MPC Mode:
# - local: Mock mode for testing (generates random addresses)
# - remote: Production mode (calls mpc-service for real MPC keygen)
# WARNING: per the description above, local-mode addresses have no key
# material behind them, so funds sent to them are unrecoverable. The service
# should refuse MPC_MODE=local when APP_ENV is production -- confirm.
MPC_MODE="remote"
# Use Kafka event-driven communication for MPC operations
# Recommended: true for production (async, more reliable)
# When true, MPC traffic goes over the KAFKA_BROKERS configured above, which
# in this example carry no authentication or TLS settings.
MPC_USE_EVENT_DRIVEN="true"
# =============================================================================
# Backup Service Configuration
# =============================================================================
# SECURITY: For production, deploy backup-service on a DIFFERENT server!
# This ensures no single point of failure for encrypted key shares.
#
# Docker Compose: http://backup-service:3002
# Direct access: http://192.168.1.111:3002 (or different server IP)
# NOTE(review): the example still points at Server B (192.168.1.111), the same
# host as this service, Postgres and Redis -- the opposite of the warning
# above. It is also plain http: the key shares are encrypted, but the service
# JWT presumably sent as a bearer token on these requests is not, so an
# on-path attacker could capture it and call backup-service directly. Use
# https/mTLS, especially once the host is a different machine.
BACKUP_SERVICE_URL="http://192.168.1.111:3002"
BACKUP_SERVICE_ENABLED="true"
# Service-to-service authentication secret
# MUST match SERVICE_JWT_SECRET in backup-service
# SECURITY: Generate with: openssl rand -base64 32
# Keep this distinct from JWT_SECRET (user tokens); reusing one value would
# let a forged user token double as service authentication and vice versa.
SERVICE_JWT_SECRET="your-service-jwt-secret-change-in-production"
# =============================================================================
# Blockchain RPC URLs (for address verification, external endpoints)
# =============================================================================
# Public third-party endpoints (https). Availability and rate limits are
# outside your control, so a paid or self-hosted node is advisable for
# production, and responses should be treated as untrusted input (a provider
# can return stale or wrong data) -- NOTE(review): what "address verification"
# does with the response is not visible in this file.
KAVA_RPC_URL="https://evm.kava.io"
BSC_RPC_URL="https://bsc-dataseed.binance.org"
# =============================================================================
# MinIO Object Storage Configuration (Server A: 192.168.1.100)
# =============================================================================
# MinIO S3 API endpoint
# - LAN access: 192.168.1.100:9000
# - Domain: minio.szaiai.com (for external access)
MINIO_ENDPOINT="192.168.1.100"
MINIO_PORT=9000
# false = the S3 API is spoken to Server A over plain http, so every request
# (access key id, signed headers) and every uploaded object crosses the LAN
# readable by an on-path attacker. Enable once the endpoint has a certificate.
MINIO_USE_SSL=false
# MinIO credentials (must match minio server config)
# NOTE(review): "admin" looks like the MinIO root user. Create a dedicated
# service account whose policy is limited to the avatars bucket, so a leak of
# this .env cannot expose every bucket on the server.
MINIO_ACCESS_KEY="admin"
MINIO_SECRET_KEY="change_me_to_secure_password"
# Bucket for user avatars
MINIO_BUCKET_AVATARS="avatars"
# Public URL for accessing files
# Users access files via: https://minio.szaiai.com/avatars/{userId}/{uuid}.jpg
# NOTE(review): the object path embeds the internal userId, so a shared avatar
# link reveals a user identifier, and if the bucket allows anonymous listing
# it also allows enumerating users' avatars. Confirm the bucket policy grants
# only GetObject (no ListBucket) and consider opaque object names.
MINIO_PUBLIC_URL="https://minio.szaiai.com"