From 7db37ade1c961a513cb92fc10f03d06e1459e534 Mon Sep 17 00:00:00 2001
From: tinkle-community
Date: Tue, 6 Jan 2026 17:59:29 +0800
Subject: [PATCH] fix: auto-generate encryption keys in Railway startup script
---
 Dockerfile.railway | 6 +++++-
 railway/start-backend.sh | 19 +++++++++++++++++++
 railway/supervisord.conf | 2 +-
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 railway/start-backend.sh
diff --git a/Dockerfile.railway b/Dockerfile.railway
index cfb5f0bc..0e5659d3 100644
--- a/Dockerfile.railway
+++ b/Dockerfile.railway
@@ -66,7 +66,7 @@ RUN npm run build
 FROM alpine:${ALPINE_VERSION}
 RUN apk update && apk add --no-cache \
- ca-certificates tzdata sqlite nginx supervisor
+ ca-certificates tzdata sqlite nginx supervisor openssl
 # Copy TA-Lib
 COPY --from=ta-lib-builder /usr/local /usr/local
@@ -84,6 +84,10 @@ COPY railway/nginx.conf /etc/nginx/http.d/default.conf
 # Copy supervisor config
 COPY railway/supervisord.conf /etc/supervisord.conf
+# Copy backend startup wrapper (auto-generates encryption keys)
+COPY railway/start-backend.sh /app/start-backend.sh
+RUN chmod +x /app/start-backend.sh
+
 # Create data directory
 RUN mkdir -p /app/data
diff --git a/railway/start-backend.sh b/railway/start-backend.sh
new file mode 100644
index 00000000..72084260
--- /dev/null
+++ b/railway/start-backend.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Backend startup wrapper - generates encryption keys if not set
+
+# Generate RSA private key if not set
+if [ -z "$RSA_PRIVATE_KEY" ]; then
+ echo "🔐 Generating RSA key pair..."
+ export RSA_PRIVATE_KEY=$(openssl genrsa 2048 2>/dev/null)
+ echo "✅ RSA key generated"
+fi
+
+# Generate data encryption key if not set
+if [ -z "$DATA_ENCRYPTION_KEY" ]; then
+ echo "🔐 Generating data encryption key..."
+ export DATA_ENCRYPTION_KEY=$(openssl rand -base64 32)
+ echo "✅ Data encryption key generated"
+fi
+
+# Start the backend
+exec /app/nofx
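Review bot: The keys generated in railway/start-backend.sh are never persisted, so every run of the wrapper with the variables unset, including each supervisord restart under `autorestart=true`, produces a fresh RSA key and a fresh DATA_ENCRYPTION_KEY. Anything the backend encrypted under the earlier key (presumably stored under /app/data) would then no longer decrypt. The `export VAR=$(openssl …)` form also hides an openssl failure, because the assignment takes the status of `export` and genrsa's stderr goes to /dev/null, so the script prints the success line and starts /app/nofx with an empty key. I would load or create each key from a persistent, owner-only location and exit on any failure, as sketched below for the data key; the RSA block would follow the same pattern. Keeping a key on the same volume as the data it protects weakens protection at rest, so setting both variables as platform secrets should stay the documented deployment path.

```shell
# Placeholder location: must survive restarts and be readable only by the backend.
key_dir=/app/data/keys
data_key_file="$key_dir/data_encryption_key"

# … unchanged: shebang and header comment; RSA block rewritten with the same pattern …

if [ -z "$DATA_ENCRYPTION_KEY" ]; then
  if [ ! -s "$data_key_file" ]; then
    echo "🔐 Generating data encryption key..."
    # Subshell keeps the tightened umask from leaking into the backend.
    (
      umask 077
      mkdir -p "$key_dir" &&
        openssl rand -base64 32 > "$data_key_file.tmp" &&
        mv "$data_key_file.tmp" "$data_key_file"
    ) || { echo "data encryption key generation failed" >&2; exit 1; }
  fi
  DATA_ENCRYPTION_KEY=$(cat "$data_key_file") || exit 1
  # Fail closed rather than start the backend with an empty key.
  [ -n "$DATA_ENCRYPTION_KEY" ] || { echo "empty data encryption key" >&2; exit 1; }
  export DATA_ENCRYPTION_KEY
fi
```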
diff --git a/railway/supervisord.conf b/railway/supervisord.conf
index abda5ee3..e4f198da 100644
--- a/railway/supervisord.conf
+++ b/railway/supervisord.conf
@@ -5,7 +5,7 @@ logfile_maxbytes=0
 pidfile=/tmp/supervisord.pid
 [program:backend]
-command=/app/nofx
+command=/app/start-backend.sh
 directory=/app
 autostart=true
 autorestart=true