11# Settla local development environment
22# Copy to .env: cp .env.example .env
3+ #
4+ # PRODUCTION SECURITY NOTICE:
5+ # Variables marked with "# CHANGE IN PRODUCTION" MUST be replaced with strong
6+ # random values before any production or staging deployment.
7+ # In Kubernetes, secrets are injected via External Secrets Operator (ESO) from
8+ # AWS Secrets Manager — see deploy/k8s/base/secrets/ for the ExternalSecret
9+ # definitions. Never commit real secrets to version control.
310
411# ── PostgreSQL ───────────────────────────────────────────────────
12+ # CHANGE IN PRODUCTION — set via settla/production/db in AWS Secrets Manager.
13+ # K8s: injected from settla-db-credentials ExternalSecret (secretKeyRef: app-password).
514POSTGRES_USER = settla
6- POSTGRES_PASSWORD = settla
15+ POSTGRES_PASSWORD = settla # CHANGE IN PRODUCTION
16+ # RLS application role password (used by init-rls-role.sh in Docker).
17+ # CHANGE IN PRODUCTION — set via settla/production/db in AWS Secrets Manager.
18+ SETTLA_APP_DB_PASSWORD = settla_app # CHANGE IN PRODUCTION
719
820# DB URLs point to PgBouncer (pooled), NOT raw Postgres.
921# Raw Postgres ports (5433/5434/5435) are for migrations and admin only.
@@ -16,18 +28,29 @@ SETTLA_LEDGER_DB_MIGRATE_URL=postgres://settla:settla@localhost:5433/settla_ledg
1628SETTLA_TRANSFER_DB_MIGRATE_URL = postgres://settla:settla@localhost:5434/settla_transfer?sslmode=disable
1729SETTLA_TREASURY_DB_MIGRATE_URL = postgres://settla:settla@localhost:5435/settla_treasury?sslmode=disable
1830
31+ # RLS-enforced DB URLs (settla_app role, subject to Row-Level Security).
32+ # Used by settla-server for tenant-scoped API operations. Optional — when unset,
33+ # all queries run as the owner role (settla) which bypasses RLS.
34+ # CHANGE IN PRODUCTION — set via settla/production/db in AWS Secrets Manager.
35+ SETTLA_TRANSFER_APP_DB_URL = postgres://settla_app:settla_app@localhost:6434/settla_transfer?sslmode=disable
36+ SETTLA_LEDGER_APP_DB_URL = postgres://settla_app:settla_app@localhost:6433/settla_ledger?sslmode=disable
37+ SETTLA_TREASURY_APP_DB_URL = postgres://settla_app:settla_app@localhost:6435/settla_treasury?sslmode=disable
38+
1939# ── TigerBeetle ─────────────────────────────────────────────────
2040# Ledger write authority (1M+ TPS). Source of truth for balances.
2141SETTLA_TIGERBEETLE_ADDRESSES = localhost:3001
2242
2343# ── Redis ────────────────────────────────────────────────────────
24- SETTLA_REDIS_URL = redis://localhost:6379
44+ # CHANGE IN PRODUCTION — set via settla/production/app in AWS Secrets Manager.
45+ REDIS_PASSWORD = settla-dev # CHANGE IN PRODUCTION
46+ SETTLA_REDIS_URL = redis://:settla-dev@localhost:6380
2547
2648# ── NATS ─────────────────────────────────────────────────────────
2749SETTLA_NATS_URL = nats://localhost:4222
2850
2951# ── Settla Server (Go) ──────────────────────────────────────────
30- SETTLA_SERVER_HTTP_PORT = 8080
52+ # Tyk now owns external port 8080; settla-server HTTP exposed on 8081 for direct access
53+ SETTLA_SERVER_HTTP_PORT = 8081
3154SETTLA_SERVER_GRPC_PORT = 9090
3255SETTLA_PPROF_PORT = 6060
3356SETTLA_PPROF = true
@@ -37,13 +60,32 @@ SETTLA_PPROF=true
3760SETTLA_TREASURY_FLUSH_INTERVAL_MS = 100
3861# Ledger: write-ahead batch window before flushing to TigerBeetle (ms)
3962SETTLA_LEDGER_BATCH_WINDOW_MS = 10
63+ # Ledger: maximum entries per write-ahead batch (increase for higher throughput)
64+ SETTLA_LEDGER_BATCH_MAX_SIZE = 500
4065
4166# ── Settla Node (NATS Workers) ──────────────────────────────────
4267# Total partitions for event stream (must match across all nodes)
4368SETTLA_NODE_PARTITIONS = 8
4469# Which partition this instance handles (omit in dev = handle all)
4570# SETTLA_NODE_PARTITION_ID=0
4671
72+ # ── Outbox Relay Tuning ─────────────────────────────────────────
73+ # Batch size: entries fetched per poll cycle (higher = better throughput at peak)
74+ SETTLA_RELAY_BATCH_SIZE = 200
75+ # Poll interval in milliseconds (lower = lower latency, higher CPU)
76+ SETTLA_RELAY_POLL_INTERVAL_MS = 30
77+
78+ # ── Worker Pool Sizes ───────────────────────────────────────────
79+ # Max concurrent handlers per worker type. Tuned for 5K TPS peak.
80+ # At 8 partitions, transfer workers handle ~625 events/sec per partition.
81+ SETTLA_WORKER_POOL_TRANSFER = 8
82+ SETTLA_WORKER_POOL_PROVIDER = 16
83+ SETTLA_WORKER_POOL_BLOCKCHAIN = 16
84+ SETTLA_WORKER_POOL_LEDGER = 8
85+ SETTLA_WORKER_POOL_TREASURY = 8
86+ SETTLA_WORKER_POOL_WEBHOOK = 32
87+ SETTLA_WORKER_POOL_INBOUND_WH = 8
88+
4789# ── Settla Gateway (TypeScript) ─────────────────────────────────
4890SETTLA_GATEWAY_PORT = 3000
4991# Number of persistent gRPC connections to settla-server
@@ -77,6 +119,78 @@ SETTLA_ETHEREUM_RPC_URL=https://rpc.sepolia.org
77119SETTLA_BASE_RPC_URL = https://sepolia.base.org
78120SETTLA_SOLANA_RPC_URL = https://api.devnet.solana.com
79121
122+ # ── Ops Dashboard Auth ────────────────────────────────────────────
123+ # API key for the internal ops routes (/v1/ops/*). Must be set to a strong
124+ # random value in production. Requests without this key receive HTTP 403.
125+ # CHANGE IN PRODUCTION — generate: openssl rand -hex 32
126+ SETTLA_OPS_API_KEY = settla-ops-secret-change-me # CHANGE IN PRODUCTION
127+
128+ # ── Tyk API Gateway ─────────────────────────────────────────────
129+ # Tyk handles external traffic (auth, rate limiting, circuit breaking).
130+ # CHANGE IN PRODUCTION — set via settla/production/app → tyk-secret in AWS Secrets Manager.
131+ # K8s: injected from settla-app-secrets ExternalSecret (secretKeyRef: tyk-secret).
132+ # Generate: openssl rand -hex 32
133+ TYK_SECRET = settla-tyk-secret-change-me # CHANGE IN PRODUCTION
134+ TYK_GATEWAY_PORT = 8080
135+
136+ # ── Dashboard ──────────────────────────────────────────────────────
137+ # API key for the ops dashboard. Must be set to a valid tenant API key.
138+ # In dev, use a seed tenant key. In production, use a dedicated admin key.
139+ NUXT_PUBLIC_DASHBOARD_API_KEY =
140+
141+ # ── Webhook Secrets (required in production) ──────────────────────
142+ # HMAC-SHA256 secrets for outbound webhook signatures per seed tenant.
143+ # In dev, defaults are used. In production, these MUST be set.
144+ # CHANGE IN PRODUCTION — set via settla/production/webhooks in AWS Secrets Manager.
145+ # K8s: injected from settla-webhook-secrets ExternalSecret.
146+ # Generate: openssl rand -hex 32
147+ # LEMFI_WEBHOOK_SECRET= # CHANGE IN PRODUCTION — min 32 chars random string
148+ # FINCRA_WEBHOOK_SECRET= # CHANGE IN PRODUCTION — min 32 chars random string
149+
150+ # ── Inbound Provider Webhook Signing Secrets ──────────────────────
151+ # HMAC-SHA256 secrets used to verify signatures on webhooks received FROM
152+ # payment providers. Pattern: PROVIDER_{SLUG_UPPER}_WEBHOOK_SECRET
153+ # The slug is the provider identifier in the URL path, with hyphens replaced
154+ # by underscores and uppercased.
155+ #
156+ # Examples:
157+ # PROVIDER_YELLOW_CARD_WEBHOOK_SECRET=whsec_... (slug: yellow-card)
158+ # PROVIDER_KOTANI_PAY_WEBHOOK_SECRET=whsec_... (slug: kotani-pay)
159+ # PROVIDER_SETTLA_TESTNET_WEBHOOK_SECRET=whsec_... (slug: settla-testnet)
160+ #
161+ # Behaviour:
162+ # - Secret configured + signature present -> verified with HMAC-SHA256
163+ # - Secret configured + signature missing -> warning logged, request proceeds
164+ # - Secret configured + signature invalid -> 401 returned
165+ # - No secret configured -> warning logged, request proceeds
166+ #
167+ # Optional: override the signature header name (defaults to x-webhook-signature):
168+ # PROVIDER_YELLOW_CARD_SIGNATURE_HEADER=x-yc-signature
169+
170+ # ── Observability Credentials ─────────────────────────────────────
171+ # Grafana admin password for the ops dashboard.
172+ # CHANGE IN PRODUCTION — set via settla/production/app → grafana-admin-password.
173+ # K8s: injected from settla-app-secrets ExternalSecret (secretKeyRef: grafana-admin-password).
174+ # Generate: openssl rand -hex 16
175+ GRAFANA_ADMIN_PASSWORD = settla-dev-local # CHANGE IN PRODUCTION
176+
177+ # Slack webhook URL for AlertManager notifications.
178+ # CHANGE IN PRODUCTION — set via settla/production/alertmanager → slack-webhook-url.
179+ # K8s: injected from alertmanager-secrets ExternalSecret.
180+ # Create at: https://api.slack.com/apps → Incoming Webhooks
181+ SLACK_WEBHOOK_URL = https://hooks.slack.com/services/placeholder # CHANGE IN PRODUCTION
182+
183+ # PagerDuty Events API v2 Integration Key for critical alerts.
184+ # CHANGE IN PRODUCTION — set via settla/production/alertmanager → pagerduty-service-key.
185+ # K8s: injected from alertmanager-secrets ExternalSecret.
186+ PAGERDUTY_SERVICE_KEY = placeholder # CHANGE IN PRODUCTION (leave blank for non-production)
187+
188+ # Remediation webhook auth token — used by the AlertManager remediation sidecar.
189+ # CHANGE IN PRODUCTION — set via settla/production/alertmanager → remediation-webhook-token.
190+ # K8s: injected from alertmanager-secrets ExternalSecret.
191+ # Generate: openssl rand -hex 32
192+ REMEDIATION_WEBHOOK_TOKEN = dev-token # CHANGE IN PRODUCTION
193+
80194# ── General ──────────────────────────────────────────────────────
81195SETTLA_LOG_LEVEL = debug
82196SETTLA_ENV = development
0 commit comments