soroushdes/flatrender
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ec51e87d2dd9d4ec2589c1393fe7cad75724218b
flatrender/deploy/ENV_FILE.production.example
T
soroush.asadi ec51e87d2d feat(payment): standalone ZarinPal broker on pay.flatrender.ir 
A generic multi-client payment gateway so FlatRender, meezi.ir and
bargevasat.ir can all pay through ZarinPal's single verified callback
domain (pay.flatrender.ir).

New Go service services/payment (clones the notification skeleton +
vendored deps):
- migration 31_payment_broker.sql — `payment` schema: client_apps,
  transactions, webhook_deliveries.
- ZarinPal v4 client ported from the proven identity PaymentService
  (request.json -> StartPay -> verify.json; codes 100/101).
- client API: POST /v1/pay/request + /v1/pay/inquiry, authed by
  X-Api-Key + HMAC body signature; GET /callback/zarinpal (the single
  verified endpoint) verifies, then 302s the user back to the site's
  return_url (signed) and fires a signed, retried webhook.
- per-client ZarinPal merchant override (default = shared merchant);
  amount stored canonically in Rial, unit to ZarinPal env-configurable.
- admin API /v1/admin/* (FlatRender admin JWT): client-app CRUD +
  key issue/rotate + transactions list.

Deploy wiring: payment-svc in docker-compose.v2.yml (host port 1607),
pay.flatrender.ir server block in mirror-nginx conf, ENV_FILE +
README updates (cert SAN + manual migration note).

Admin UI: src/components/admin/PaymentsAdmin.tsx (client apps with
one-time key reveal + rotate, transactions table) + /admin/payments
page + nav link + fa/en strings; pay-admin proxy route to payment-svc.

Docs/SDK: deploy/PAYMENTS.md (integration contract) + deploy/sdk/flatpay.js
(zero-dep Node client + webhook verifier) for meezi/any site.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 23:59:54 +03:30

86 lines
4.8 KiB
Plaintext
Raw Blame History

# ─────────────────────────────────────────────────────────────────────────────
# FlatRender — PRODUCTION ENV_FILE template (server: 171.22.25.73, behind mirror-nginx)
#
# This is the content of the Gitea repo secret ENV_FILE.
# https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
# The deploy job writes this verbatim to `.env`, which docker compose reads.
#
# TLS + domain routing is handled by the existing central mirror-nginx (it owns
# 80/443). FlatRender does NOT run Caddy here — it publishes host ports and
# mirror-nginx reverse-proxies the domains to them (see deploy/README.md).
#
# Fill every <PLACEHOLDER>. Generate secrets with: openssl rand -hex 32
# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend build).
# ─────────────────────────────────────────────────────────────────────────────
# ── Host-port binding ────────────────────────────────────────────────────────
# Internal services (postgres, render) stay on loopback. The three nginx-facing
# services publish on all interfaces so mirror-nginx can reach 171.22.25.73:PORT.
HOST_BIND=127.0.0.1
EDGE_BIND=0.0.0.0
# nginx-facing host ports (must be free on 171.22.25.73 — :3000 is Gitea, avoid it).
FRONTEND_PORT=1600
GATEWAY_PORT=1605
PAY_PORT=1607
MINIO_PORT=1610
MINIO_CONSOLE_PORT=1611
# ── Browser-facing URLs (served by mirror-nginx over HTTPS; baked into frontend) ─
NEXT_PUBLIC_SITE_URL=https://flatrender.ir
NEXT_PUBLIC_API_URL=https://api.flatrender.ir/v1
NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.ir
NEXT_PUBLIC_TENANT_SLUG=flatrender
CORS_ORIGIN=https://flatrender.ir
# ── Core secrets ─────────────────────────────────────────────────────────────
JWT_SECRET=<openssl rand -hex 32>
SERVICE_TOKEN=<openssl rand -hex 32>
NODE_HMAC_SECRET=<openssl rand -hex 32>
JWT_ACCESS_MINUTES=1440
# ── Postgres ─────────────────────────────────────────────────────────────────
POSTGRES_USER=flatrender
POSTGRES_PASSWORD=<openssl rand -hex 24>
# ── MinIO (object storage) ───────────────────────────────────────────────────
MINIO_ACCESS_KEY=<openssl rand -hex 12>
MINIO_SECRET_KEY=<openssl rand -hex 24>
MINIO_BUCKET=flatrender-exports
MINIO_TEMPLATES_BUCKET=flatrender-templates
MINIO_UPLOAD_BUCKET=user-uploads
# render-svc signs presigned URLs for the public storage domain (HTTPS via nginx):
MINIO_HOST_ENDPOINT=storage.flatrender.ir
MINIO_HOST_USE_SSL=true
# ── Render farm ──────────────────────────────────────────────────────────────
# No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
# Disable rendering in Admin → فارم رندر → موتور رندر so users see an "unavailable" notice.
RENDER_DEV_WORKER=false
RENDER_DEV_SNAPSHOTS=false
# ── Payment broker (pay.flatrender.ir) ───────────────────────────────────────
# Standalone ZarinPal gateway shared by FlatRender + meezi.ir + bargevasat.ir.
# ZARINPAL_MERCHANT_ID below is the SHARED merchant (verified domain = pay.flatrender.ir).
PAY_PUBLIC_URL=https://pay.flatrender.ir
# Unit ZarinPal expects in `amount`: "rial" (official v4) or "toman".
# ⚠️ Your identity service historically sends Toman — confirm with one sandbox
# payment which unit YOUR merchant settles in, then set this to match.
ZARINPAL_AMOUNT_UNIT=rial
# ── Payments (fill the providers you use; leave others blank) ────────────────
STRIPE_SECRET_KEY=
STRIPE_WEBHOOK_SECRET=
STRIPE_PUBLISHABLE_KEY=
# Shared ZarinPal merchant — used by BOTH the identity service and the pay broker.
ZARINPAL_MERCHANT_ID=
ZARINPAL_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/zarinpal
ZARINPAL_SANDBOX=false
SNAPPAY_CLIENT_ID=
SNAPPAY_CLIENT_SECRET=
SNAPPAY_BASE_URL=https://api.snappay.ir
SNAPPAY_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/snappay
TARA_API_KEY=
TARA_BASE_URL=https://api.tara.ir
TARA_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/tara
Reference in New Issue View Git Blame Copy Permalink