-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
221 lines (197 loc) · 9.74 KB
/
.env.example
File metadata and controls
221 lines (197 loc) · 9.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
# ArxMint Configuration
# Copy to .env.local and fill in your values
# === Database ===
# REQUIRED: PostgreSQL password for Docker Compose internal Postgres (generate with: openssl rand -base64 24)
# Never use a weak password — this database holds community configs, merchant listings, and transaction history
POSTGRES_PASSWORD=changeme-use-strong-password
# PostgreSQL connection string (used by the Next.js app via Prisma)
# In Docker Compose: DATABASE_URL is set automatically from POSTGRES_PASSWORD
# For local dev or external DB, set this directly:
DATABASE_URL="postgresql://arxmint:changeme-use-strong-password@localhost:5432/arxmint"
# Optional DB safety guardrails (applied automatically when missing in DATABASE_URL)
DB_POOL_MAX=10
DB_POOL_TIMEOUT_SECONDS=10
DB_CONNECT_TIMEOUT_SECONDS=10
DB_STATEMENT_TIMEOUT_MS=15000
DB_LOCK_TIMEOUT_MS=5000
# Backup/PITR retention controls
BACKUP_RETENTION_DAYS=7
PITR_BASE_RETENTION_DAYS=7
PITR_WAL_RETENTION_DAYS=7
# Encrypted backup key — required for AES-256-GCM backup encryption
# Generate with: openssl rand -hex 32
# Store this key SEPARATELY from your backups (e.g., password manager)
# If lost, encrypted backups are permanently unrecoverable
BACKUP_ENCRYPTION_KEY=
# === Lightning Node Connect ===
# 10-word pairing phrase from your Lightning Terminal
LNC_PAIRING_PHRASE=
LNC_PASSWORD=
# Security tier for Lightning connections: watch-only | pay-only | admin
# Default: watch-only (safest — agents should never use admin)
LNC_SECURITY_TIER=watch-only
# === Remote Signer (required for pay-only tier) ===
# litd remote signer URL — keeps signing keys off the agent process
# See: https://docs.lightning.engineering/lightning-network-tools/lightning-terminal/remote-signer
REMOTE_SIGNER_URL=
# TLS cert for the remote signer (base64 encoded)
REMOTE_SIGNER_TLS_CERT=
# Macaroon for remote signer access (hex encoded)
REMOTE_SIGNER_MACAROON=
# === Fedimint ===
# Federation invite code (get from your guardian setup)
FEDIMINT_INVITE_CODE=
# Set to 'true' to attempt G-Bot federation setup (experimental, API not yet public)
# Defaults to false — skips the 5-second availability check, uses Docker Compose directly
GBOT_ENABLED=false
# === Cashu Mint ===
# URL of your Cashu mint (default: local Docker)
CASHU_MINT_URL=http://localhost:3338
# REQUIRED: Cashu mint master private key (generate with: openssl rand -hex 32)
# NEVER use the deadbeef test key in production — it is publicly known and allows ecash forgery
# echo "CASHU_PRIVATE_KEY=$(openssl rand -hex 32)" >> .env
CASHU_PRIVATE_KEY=
# Cashu mint database credentials (change in production!)
CASHU_DB_USER=cashu
CASHU_DB_PASSWORD=change-me-in-production
# Set to 'true' to skip Cashu/L402 payment verification (dev/testing only)
# WARNING: Never set this in production — it disables the paywall entirely
SKIP_PAYMENT_VERIFY=
# === L402 / Aperture ===
# Aperture proxy URL
APERTURE_URL=http://localhost:8081
# Price in sats for premium API access
L402_PRICE_SATS=100
# REQUIRED (if using Aperture): Shared secret that Aperture sets in X-Aperture-Verified
# header after verifying an L402 payment. The agent route checks this header to confirm
# Aperture validated the token. Without this, L402 tokens are rejected (use SKIP_PAYMENT_VERIFY=true in dev).
# Set the same value in your Aperture config and here. Generate: openssl rand -hex 32
APERTURE_SHARED_SECRET=
# LND REST API for server-side invoice generation (required for real L402 flow)
# Example: https://localhost:8080 (Docker LND) or your hosted LND REST URL
LND_REST_URL=
# Hex-encoded LND invoice macaroon (allows creating invoices, not spending)
# Generate: lncli bakemacaroon invoices:read invoices:write
LND_MACAROON_HEX=
# REQUIRED: HMAC-SHA256 key for L402 macaroon signing — prevents token forgery
# Generate with: openssl rand -hex 32
# NEVER leave this empty in staging or production
MACAROON_ROOT_KEY=
# === Cycle Monitor ===
# Optional: Glassnode API key for premium metrics
GLASSNODE_API_KEY=
# CoinGecko (free, no key needed for basic)
# === Community ===
# Default community name
COMMUNITY_NAME=ArxMint Local
# Mint fee percentage (0.2 = 0.2%)
MINT_FEE_PERCENT=0.2
# === Monitoring ===
# REQUIRED: Grafana admin password (set a strong random password)
# For local dev you can use a simple value; never leave empty on a networked server
GRAFANA_PASSWORD=
# === Network ===
# bitcoin | testnet | signet | regtest
BITCOIN_NETWORK=testnet
# === Silent Payments (BIP352) ===
# Feature gate for SP flows
ARXMINT_SP_ENABLED=false
# Scan mode: remote_indexer | local_indexer | fullnode_scan
ARXMINT_SP_SCAN_MODE=remote_indexer
# Indexer endpoint when using remote/local indexer mode
ARXMINT_SP_INDEXER_URL=http://localhost:3001
# Key policy: split_keys (scan/spend separated) | single_hot_wallet
ARXMINT_SP_KEY_POLICY=split_keys
# Guardrail for scan workload while K_max proposals evolve
ARXMINT_SP_MAX_OUTPUTS_PER_GROUP=255
# === Nostr ===
# Relay URLs for profile fetching (comma-separated, optional)
NEXT_PUBLIC_NOSTR_RELAYS=wss://relay.damus.io,wss://nos.lol,wss://relay.nostr.band
# === Base URL ===
# Required in production for NIP-98 tag validation (prevents cross-endpoint replay attacks)
# Must match the exact origin that clients sign their NIP-98 tokens against
NEXT_PUBLIC_BASE_URL=https://yourdomain.com
# Enable strict CSP in report-only mode during nonce/hash migration (default: true in production)
# Set to false only for emergency rollback while investigating breakage.
CSP_REPORT_ONLY=true
# === CORS ===
# Comma-separated list of allowed origins for session-bearing API routes
# Defaults to http://localhost:3000 if not set
# Agent/public routes (/api/agent, /api/l402, /api/cycle) always allow * origins
ALLOWED_ORIGINS=https://yourdomain.com
# === Marketplace Integration ===
# URL of the Teneo Marketplace (used for CORS on /api/payment/* routes)
# Payment API routes (/api/payment/create, /api/payment/verify, /api/payment/status)
# are accessible from this origin for cross-service payment integration
TENEO_MARKETPLACE_URL=https://teneo-marketplace.com
# REQUIRED for Teneo Marketplace server-to-server calls to /api/settlement.
# Teneo Marketplace sends this value in the X-Marketplace-Secret request header.
# Set the same value in both ArxMint and Teneo Marketplace deployments.
# Generate with: openssl rand -hex 32
MARKETPLACE_SHARED_SECRET=
# Optional: webhook target for invoice.state_changed events (FinForensics, internal bus, etc.)
INVOICE_EVENTS_WEBHOOK_URL=
# === LNbits (DigitalOcean Droplet) ===
# URL of the LNbits instance on the droplet.
# BEFORE hardening: http://167.71.189.144:5000 (raw port — insecure, close after setup)
# AFTER hardening: https://lnbits.arxmint.com (Caddy reverse proxy — use this in production)
# See docs/ops/droplet-security.md for hardening steps and HUMAN_TASKS.md HT-009.
LNBITS_URL=https://lnbits.arxmint.com
# LNbits invoice key for the merchant wallet (allows creating + reading invoices, not spending)
# Found in LNbits dashboard → Wallet → API Info → Invoice/read key
LNBITS_INVOICE_KEY=
# LNbits admin key (used only for wallet provisioning — keep secret, never expose to frontend)
LNBITS_ADMIN_KEY=
# === Email (Resend) ===
# REQUIRED for merchant welcome emails and invoice email delivery
# Get your API key at https://resend.com — free tier: 3,000 emails/month
# Without this, transactional emails are silently skipped (checkout is unaffected)
RESEND_API_KEY=
# === Telegram Notifications ===
# Telegram bot token from @BotFather (see HUMAN_TASKS.md HT-010)
# When set, merchants receive instant payment alerts in Telegram
# When absent, notifications are silently skipped — checkout is unaffected
TELEGRAM_BOT_TOKEN=
# === Caddy Reverse Proxy ===
# REQUIRED for production HTTPS (docker-compose caddy service)
# Caddy will obtain a TLS certificate automatically via Let's Encrypt / ZeroSSL
DOMAIN=yourdomain.com
CADDY_EMAIL=admin@yourdomain.com
# === Cron Jobs ===
# REQUIRED for production: Secret that Vercel sends as Authorization: Bearer <CRON_SECRET>
# for scheduled cron invocations. Set the same value in your Vercel dashboard.
# Generate with: openssl rand -hex 32
# Crons: /api/cron/payouts (02:00 UTC daily), /api/cron/data-retention (03:00 UTC daily)
CRON_SECRET=
# === Auth Session ===
# REQUIRED: Secret for HMAC-signed session tokens (generate with: openssl rand -hex 32)
# Used by lib/auth-middleware.ts — tokens are signed with this key
# Changing this key invalidates all existing sessions
NEXTAUTH_SECRET=
# === Pilot Value Caps (sats) ===
# Server-enforced limits to protect against bugs during the Longmont pilot phase.
# These cap wallet balance, individual transactions, and daily volume.
# Change only if your pilot parameters require different limits.
MAX_WALLET_BALANCE_SATS=50000
MAX_SINGLE_TX_SATS=10000
MAX_DAILY_VOLUME_SATS=100000
# Optional: expose caps to the wallet UI (client-side display only — server enforces the above)
NEXT_PUBLIC_MAX_SINGLE_TX_SATS=10000
NEXT_PUBLIC_MAX_DAILY_VOLUME_SATS=100000
# === Stripe Fiat On-Ramp ===
# Enables credit card payments that convert USD→sats→Cashu ecash.
# Fiat enters at the gate; from that point forward everything is Bitcoin-native.
# Sign up at https://dashboard.stripe.com
STRIPE_SECRET_KEY=
STRIPE_PUBLISHABLE_KEY=
# Webhook signing secret — from Stripe Dashboard → Webhooks → Signing secret
# Required to verify incoming Stripe webhook events
# Webhook endpoint: https://yourdomain.com/api/checkout/stripe/webhook
STRIPE_WEBHOOK_SECRET=
# === Cross-Project Auth (ArxMint ↔ Teneo Marketplace) ===
# Shared HMAC secret for verifying session tokens issued by Teneo Marketplace.
# Set this to the SAME value in both ArxMint and Teneo Marketplace deployments.
# A user logged in at the marketplace can call /api/payment/* with their Bearer JWT
# and ArxMint will recognize them via verifySharedSession().
# Generate with: openssl rand -hex 32
AUTH_SHARED_SECRET=