NixOS first integration

.env.example

@@ -9,14 +9,18 @@
 SERVER_NAME=localhost
 HTTPS_PORT=443
 HTTP_PORT=80
+# Optional JWT issuer override expected by OpenResty (must match token iss exactly).
+# Leave empty to auto-build as https://<SERVER_NAME>[:<HTTPS_PORT>]/auth.
+# If set to an external Full issuer (Lite mode), the gateway auto-syncs the JWT public key
+# from https://<issuer-origin>/.well-known/public-key.pem.
+# Lite mode also disables local auth/treasury/intents endpoints in this gateway instance.
+ISSUER=
 
 # OpenResty bind address (127.0.0.1 for local-only, 0.0.0.0 for public)
 OPENRESTY_BIND_ADDRESS=127.0.0.1
 # OpenResty bind ports (local ports on the host)
 OPENRESTY_BIND_HTTPS_PORT=443
 OPENRESTY_BIND_HTTP_PORT=80
-# Deployment mode (informational)
-DEPLOY_MODE=direct
 
 # Host UID/GID for bind mounts (Linux/macOS)
 # setup.sh will auto-fill these values.
@@ -31,6 +35,8 @@ MYSQL_ROOT_PASSWORD=CHANGE_ME
 MYSQL_DATABASE=guacamole_db
 MYSQL_USER=guacamole_user
 MYSQL_PASSWORD=CHANGE_ME
+# Optional override for blockchain-services schema
+BLOCKCHAIN_MYSQL_DATABASE=blockchain_services
 
 # =============================================================================
 # GUACAMOLE CONFIGURATION
@@ -55,55 +61,29 @@ CERTBOT_EMAIL=
 # =============================================================================
 
 # This configuration is optional - to expose the gateway without public IP
-# Set ENABLE_CLOUDFLARE=true to start the cloudflared sidecar (docker compose --profile cloudflare up -d)
+# Start the sidecar with compose profile: --profile cloudflare or --profile cloudflare-token
 # If you have a token from a Cloudflare tunnel, paste it below. If empty, a Quick Tunnel will be used.
-ENABLE_CLOUDFLARE=false
 CLOUDFLARE_TUNNEL_TOKEN=
 
 # =============================================================================
 # SECRETS AND KEYS
 # =============================================================================
 
-# OPS worker
-# Set to empty to disable /ops endpoints.
-OPS_SECRET=CHANGE_ME
-# Lab Manager access token (separate from SECURITY_ACCESS_TOKEN).
+# Lab Manager access token (used by /lab-manager and /ops).
+# Set to empty to disable /ops endpoints (and keep /lab-manager private-network-only).
 LAB_MANAGER_TOKEN=CHANGE_ME
 LAB_MANAGER_TOKEN_HEADER=X-Lab-Manager-Token
 LAB_MANAGER_TOKEN_COOKIE=lab_manager_token
 
-# =============================================================================
-# BLOCKCHAIN RPC CONFIGURATION
-# =============================================================================
-
-# Sepolia RPC endpoints (comma-separated). Keep these updated or use a paid provider.
-ETHEREUM_SEPOLIA_RPC_URL=https://ethereum-sepolia-rpc.publicnode.com,https://0xrpc.io/sep,https://ethereum-sepolia-public.nodies.app
-
-# =============================================================================
-# BLOCKCHAIN-SERVICES REMOTE ACCESS
-# =============================================================================
-
-# Access token for /wallet, /treasury, /wallet-dashboard (sent by OpenResty).
-SECURITY_ACCESS_TOKEN=CHANGE_ME
-SECURITY_ACCESS_TOKEN_HEADER=X-Access-Token
-SECURITY_ACCESS_TOKEN_COOKIE=access_token
-SECURITY_ACCESS_TOKEN_REQUIRED=true
+# Wallet/Treasury access token
+# Used by /wallet, /treasury, /wallet-dashboard and /treasury/admin/** (sent by OpenResty).
+TREASURY_TOKEN=CHANGE_ME
+TREASURY_TOKEN_HEADER=X-Access-Token
+TREASURY_TOKEN_COOKIE=access_token
+TREASURY_TOKEN_REQUIRED=true
 SECURITY_ALLOW_PRIVATE_NETWORKS=true
 ADMIN_DASHBOARD_ALLOW_PRIVATE=true
 
-# =============================================================================
-# BLOCKCHAIN-SERVICES FEATURES
-# =============================================================================
-
-# Enable provider registration endpoints.
-FEATURES_PROVIDERS_REGISTRATION_ENABLED=true
-
-# Treasury admin EIP-712 signature domain (optional overrides)
-TREASURY_ADMIN_DOMAIN_NAME=DecentraLabsTreasuryAdmin
-TREASURY_ADMIN_DOMAIN_VERSION=1
-TREASURY_ADMIN_DOMAIN_CHAIN_ID=11155111
-TREASURY_ADMIN_DOMAIN_VERIFYING_CONTRACT=
-
 # =============================================================================
 # CORS CONFIGURATION (OpenResty)
 # =============================================================================
@@ -113,6 +93,6 @@ TREASURY_ADMIN_DOMAIN_VERIFYING_CONTRACT=
 # Leave empty to use MARKETPLACE_URL as the only allowed origin (recommended).
 CORS_ALLOWED_ORIGINS=
 
-# Blockchain-services wallet/treasury CORS allowlist.
-# Must include the gateway origin to allow /wallet and /treasury from the browser.
-WALLET_ALLOWED_ORIGINS=
+# Blockchain-specific settings (CONTRACT_ADDRESS, ETHEREUM_*_RPC_URL,
+# WALLET_ALLOWED_ORIGINS, ALLOWED_ORIGINS, MARKETPLACE_PUBLIC_KEY_URL, etc.)
+# belong in blockchain-services/.env.

.github/workflows/nix-integration.yml

@@ -0,0 +1,43 @@
+name: Nix And Integration
+
+on:
+  push:
+    branches: ["main", "NixOS", "full", "lite"]
+  pull_request:
+    branches: ["main", "full", "lite"]
+
+permissions:
+  contents: read
+
+jobs:
+  nix-flake-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Show flake outputs
+        run: nix flake show --all-systems
+
+      - name: Evaluate NixOS configuration
+        run: |
+          nix eval .#nixosConfigurations.gateway.config.system.build.toplevel.drvPath
+
+  integration-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Run integration suite
+        run: |
+          chmod +x tests/integration/run-integration.sh
+          chmod +x tests/integration/certs/generate-certs.sh
+          tests/integration/run-integration.sh

.gitignore

@@ -57,12 +57,7 @@ Thumbs.db
 
 # Development notes and planning (keep local only)
 dev/
-docs-lab-station/
 ops-worker/hosts.json
 
-# Dev scripts and tools
-update-blockchain-services.sh
-update-blockchain-services.bat
-
 # Smart contracts
 contracts/

LOGGING.md

@@ -1,142 +1,68 @@
-# Logging Configuration
+# Logging Guide
 
-## 📋 Log Configuration Summary
+This project uses Docker `json-file` logging with per-service rotation in `docker-compose.yml`.
 
-| Service       | Max Size | Max Files | Total Storage | Description                     |
-| ------------- | -------- | --------- | ------------- | ------------------------------- |
-| **MySQL**     | 10MB     | 3         | \~30MB        | Database logs and queries       |
-| **Guacd**     | 5MB      | 3         | \~15MB        | Protocol daemon logs            |
-| **Guacamole** | 20MB     | 5         | \~100MB       | Application logs (most verbose) |
-| **OpenResty** | 10MB     | 5         | \~50MB        | Access logs and proxy logs      |
+## Rotation limits
 
-**Total Maximum Log Storage**: \~195MB
+| Service | max-size | max-file | Approx max |
+| --- | --- | --- | --- |
+| `blockchain-services` | `20m` | `5` | ~100 MB |
+| `openresty` | `10m` | `5` | ~50 MB |
+| `mysql` | `10m` | `3` | ~30 MB |
+| `guacamole` | `20m` | `5` | ~100 MB |
+| `guacd` | `5m` | `3` | ~15 MB |
+| `ops-worker` | `10m` | `3` | ~30 MB |
 
-## 🔍 Useful Logging Commands
+Estimated capped total (configured services): ~325 MB.
 
-### View Live Logs
+## Common commands
 
 ```bash
-# All services
-docker-compose logs -f
+# All services (follow)
+docker compose logs -f
 
-# Specific service
-docker-compose logs -f openresty
-docker-compose logs -f guacamole
-docker-compose logs -f mysql
-docker-compose logs -f guacd
+# One service
+docker compose logs -f openresty
 
-# Last N lines
-docker-compose logs --tail=50 openresty
-```
-
-### Filter Logs by Time
-
-```bash
-# Since timestamp
-docker-compose logs mysql --since="2024-01-01T10:00:00"
+# Last lines
+docker compose logs --tail=100 guacamole
 
-# Last 10 minutes
-docker-compose logs guacamole --since="10m"
-
-# Last hour
-docker-compose logs --since="1h"
+# Time window
+docker compose logs --since=10m
 ```
 
-### Search in Logs
+## Search examples
 
-```bash
-# PowerShell - Search for errors
-docker-compose logs | Select-String -Pattern "error|failed|exception" -CaseSensitive:$false
+PowerShell:
 
-# PowerShell - Search for specific patterns
-docker-compose logs openresty | Select-String -Pattern "JWT|auth|token"
-docker-compose logs mysql | Select-String -Pattern "connection|query"
+```powershell
+docker compose logs | Select-String -Pattern "error|failed|exception" -CaseSensitive:$false
+docker compose logs openresty | Select-String -Pattern "jwt|token|auth" -CaseSensitive:$false
 ```
 
-### Log File Locations
-
-Log files are stored in Docker's default location:
-
-* **Windows**: `C:\ProgramData\docker\containers\<container-id>\<container-id>-json.log`
-* **Linux**: `/var/lib/docker/containers/<container-id>/<container-id>-json.log`
-
-### Export Logs
+Bash:
 
 ```bash
-# Export all logs to file
-docker-compose logs > gateway-logs-$(Get-Date -Format "yyyy-MM-dd").log
-
-# Export specific service logs
-docker-compose logs openresty > openresty-logs-$(Get-Date -Format "yyyy-MM-dd").log
+docker compose logs | grep -Ei "error|failed|exception"
+docker compose logs openresty | grep -Ei "jwt|token|auth"
 ```
 
-## ⚠️ Log Rotation
-
-The logging configuration automatically rotates logs when:
-
-* File size exceeds the `max-size` limit
-* Number of files exceeds `max-file` limit
-
-Oldest logs are automatically deleted to maintain storage limits.
-
-## 🔧 Advanced Logging Options
-
-### Enable Debug Logging (Development)
+## Export logs
 
-Add to specific service in docker-compose.yml:
+PowerShell:
 
-```yaml
-environment:
-  - LOG_LEVEL=DEBUG
+```powershell
+docker compose logs > gateway-logs-$(Get-Date -Format "yyyy-MM-dd").log
 ```
 
-### Send Logs to External System
-
-For production, consider:
-
-* **Fluentd**: For centralized logging
-* **ELK Stack**: Elasticsearch, Logstash, Kibana
-* **Splunk**: Enterprise logging solution
-
-Example with Fluentd:
-
-```yaml
-logging:
-  driver: "fluentd"
-  options:
-    fluentd-address: "localhost:24224"
-    tag: "gateway.{{.Name}}"
-```
-
-## 🚨 Log Monitoring
-
-### Critical Patterns to Monitor
-
-* `ERROR`, `FATAL`, `CRITICAL`
-* `Authentication failed`
-* `Connection refused`
-* `Out of memory`
-* `Database connection lost`
-* `SSL/TLS errors`
-
-### Health Check via Logs
+Bash:
 
 ```bash
-# Check for recent errors (last 5 minutes)
-docker-compose logs --since="5m" | Select-String -Pattern "error|failed|fatal" -CaseSensitive:$false
+docker compose logs > gateway-logs-$(date +%F).log
 ```
 
-## 📈 Log Analysis
+## Notes
 
-### Common Log Queries
-
-```bash
-# Count error occurrences
-docker-compose logs | Select-String -Pattern "error" -CaseSensitive:$false | Measure-Object
-
-# Find authentication attempts
-docker-compose logs openresty | Select-String -Pattern "JWT|auth" -CaseSensitive:$false
-
-# Monitor MySQL performance
-docker-compose logs mysql | Select-String -Pattern "slow query|performance|timeout"
-```
+- Rotation deletes older files automatically after the limits above.
+- Host log file locations are Docker defaults (`/var/lib/docker/containers/...` on Linux).
+- For production centralization, use a logging driver (for example `fluentd`) in compose.