3fdf4a230c
Multi-stage non-root Dockerfile (builds -p gp-server against the nip44/nym siblings; excludes the goblin-tree dev crate), a full docker-compose (server + bundled nostr-rs-relay + auto-HTTPS Caddy), a hardened systemd unit (DynamicUser, ProtectSystem=strict, NoNewPrivileges, seed via LoadCredential), an install.sh bare-metal bootstrap, .env.example, and an fmt+clippy+test CI workflow for Gitea and GitHub.
40 lines
1.7 KiB
Bash
# GoblinPay environment. Copy to /etc/goblinpay.env (bare metal) or deploy/.env
# (docker compose), then edit. NON-SECRET config only: the Grin seed and the
# wallet password live as mode-0400 files (systemd LoadCredential / the compose
# ./secrets mount), never in this file.

# --- domain / URLs ---
# docker-compose serves GoblinPay on GP_DOMAIN and the bundled relay on
# relay.<GP_DOMAIN>; point BOTH DNS records at this host before `compose up`.
GP_DOMAIN=pay.example
GP_PUBLIC_URL=https://pay.example

# --- relay (bundled is the default: GoblinPay runs its own relay) ---
GP_RELAY_MODE=bundled
# The bundled relay's PUBLIC url: it is BOTH dialed by the server AND advertised
# to payers in the checkout nprofile, so it must be reachable from the internet.
GP_BUNDLED_RELAY_URL=wss://relay.pay.example
# For GP_RELAY_MODE=external instead, drop the bundled relay and set:
#GP_RELAY_MODE=external
#GP_RELAYS=wss://relay.damus.io,wss://nos.lol

# --- Grin node (read-only: confirmations + balance) ---
GP_NODE_URL=https://main.gri.mw

# --- mixnet ---
# on (default) routes THIS server's relay traffic over the Nym mixnet. off is a
# supported production posture (server-side clearnet): the payer's Goblin Wallet
# still provides sender privacy and the payload stays gift-wrapped end to end.
GP_NYM=on

# --- API / admin tokens (bearer capabilities; use strong random values) ---
GP_API_TOKEN=change-me-api-token
GP_ADMIN_TOKEN=change-me-admin-token

# --- webhook to your store (optional; the URL requires the secret) ---
#GP_WEBHOOK_URL=https://your-store/hook
#GP_WEBHOOK_SECRET=change-me-webhook-secret

# --- default payment-matching mode: memo | derived | amount ---
GP_MATCH_MODE=derived
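
A preflight check for the rules this file's comments state (real tokens instead of the `change-me` placeholders, a webhook URL only together with its secret, the relay setting that matches `GP_RELAY_MODE`, no seed or password keys), as an added example that is not part of the GoblinPay repository. The function names, the 32-character token floor, the SEED/PASSWORD key-name pattern and the world-readable check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not GoblinPay project code: preflight lint for the env file.
# Lines are parsed, never sourced, so nothing inside the file gets executed.

gp_val() {  # gp_val KEY FILE: value of the last uncommented KEY= line
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

gp_env_lint() {  # prints findings; return status is the number of findings
    f=$1; n=0
    note() { echo "FAIL: $*"; n=$((n + 1)); }

    # Bearer tokens: reject the shipped placeholders, short values and reuse.
    for k in GP_API_TOKEN GP_ADMIN_TOKEN; do
        v=$(gp_val "$k" "$f")
        case $v in
            ''|change-me*) note "$k is unset or still a placeholder" ;;
            *) [ "${#v}" -ge 32 ] || note "$k is under 32 chars (assumed floor)" ;;
        esac
    done
    [ -z "$v" ] || [ "$v" != "$(gp_val GP_API_TOKEN "$f")" ] ||
        note "GP_API_TOKEN and GP_ADMIN_TOKEN are the same value"

    # The webhook URL requires the secret.
    if [ -n "$(gp_val GP_WEBHOOK_URL "$f")" ]; then
        case "$(gp_val GP_WEBHOOK_SECRET "$f")" in
            ''|change-me*) note "GP_WEBHOOK_URL is set without a real GP_WEBHOOK_SECRET" ;;
        esac
    fi

    # Relay mode (bundled when unset) must come with its matching URL setting.
    case "$(gp_val GP_RELAY_MODE "$f")" in
        ''|bundled) [ -n "$(gp_val GP_BUNDLED_RELAY_URL "$f")" ] || note "bundled mode needs GP_BUNDLED_RELAY_URL" ;;
        external)   [ -n "$(gp_val GP_RELAYS "$f")" ] || note "external mode needs GP_RELAYS" ;;
        *) note "GP_RELAY_MODE must be bundled or external" ;;
    esac

    # Seed and wallet password live in mode-0400 files, never here (name pattern is a heuristic).
    if grep -Eiq '^[A-Z0-9_]*(SEED|PASSWORD)[A-Z0-9_]*=' "$f"; then
        note "a SEED/PASSWORD-style key is present; move it to a credential file"
    fi

    # The file holds bearer tokens, so it should not be world-readable.
    [ -z "$(find "$f" -perm -004)" ] || note "$f is world-readable"
    return "$n"
}

# Usage: sh gp-env-lint.sh /etc/goblinpay.env   (exit status = finding count)
[ "$#" -eq 0 ] || gp_env_lint "$1"
```

Run against the defaults shipped above, it reports the two placeholder tokens and nothing else, so a non-zero exit can gate `compose up` or the systemd unit start.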