mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 14:31:25 +00:00
The encryption initializer previously only supported environment variables in self-hosted mode. In managed mode, it expected encryption credentials to exist in Rails.application.credentials, which would cause boot failures if they were missing.

This change updates the encryption configuration to support environment variables in both managed and self-hosted modes:

- Environment variables (ACTIVE_RECORD_ENCRYPTION_*) now work in both modes
- Priority: env vars > auto-generation (self-hosted only) > credentials
- Updated documentation in .env.example and Helm chart README

This allows managed mode deployments to provide encryption keys via environment variables instead of requiring Rails credentials.

Co-authored-by: Claude <noreply@anthropic.com>
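# ================================ PLEASE READ ===========================================================
# This file outlines all the possible environment variables supported by the Sure app for self hosting.
#
# If you're a developer setting up your local environment, please use `.env.local.example` instead.
#
# Keys, tokens and passwords set here are secrets: keep the filled-in copy out of version control.
# ========================================================================================================

# Required self-hosting vars
# --------------------------------------------------------------------------------------------------------

# Enables self hosting features (should be set to true unless you know what you're doing)
SELF_HOSTED=true

# Controls onboarding flow (valid: open, closed, invite_only)
# NOTE(review): `open` presumably lets anyone who can reach the instance sign up; consider
# `invite_only` or `closed` for an internet-facing instance - confirm against the app docs.
ONBOARDING_STATE=open

# Secret key used to encrypt credentials (https://api.rubyonrails.org/v7.1.3.2/classes/Rails/Application.html#method-i-secret_key_base)
# Has to be a random string, generated e.g. by running `openssl rand -hex 64`
# `secret-value` below is a placeholder: replace it before the first boot. In self-hosted mode the
# Active Record encryption keys are generated from this value when the ACTIVE_RECORD_ENCRYPTION_*
# variables are not set, so a guessable SECRET_KEY_BASE makes those keys guessable too.
SECRET_KEY_BASE=secret-value
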
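# Optional self-hosting vars
# --------------------------------------------------------------------------------------------------------

# Optional: OpenAI-compatible API endpoint config
# OPENAI_ACCESS_TOKEN is a secret.
# NOTE(review): OPENAI_URI_BASE presumably selects the endpoint that receives requests made with that
# token, so point it only at a provider you trust - confirm.
OPENAI_ACCESS_TOKEN=
OPENAI_MODEL=
OPENAI_URI_BASE=

# Optional: Langfuse config
# LANGFUSE_SECRET_KEY is a secret. LANGFUSE_HOST is set here to the hosted Langfuse cloud.
# NOTE(review): once the keys are set, trace data presumably leaves the instance for LANGFUSE_HOST;
# point it at a self-hosted Langfuse if that data has to stay local - confirm.
LANGFUSE_HOST=https://cloud.langfuse.com
LANGFUSE_PUBLIC_KEY=
LANGFUSE_SECRET_KEY=

# Optional: Twelve Data API Key for exchange rates + stock prices
# (you can also set this in your self-hosted settings page)
# Get it here: https://twelvedata.com/
TWELVE_DATA_API_KEY=

# Optional: Provider selection for exchange rates and securities data
# Options: twelve_data (default), yahoo_finance
# Keep only one assignment per variable uncommented.
# EXCHANGE_RATE_PROVIDER=twelve_data
# SECURITIES_PROVIDER=twelve_data

# Alternative: Use Yahoo Finance as provider (free, no API key required)
# These uncommented lines are the ones in effect in this example.
EXCHANGE_RATE_PROVIDER=yahoo_finance
SECURITIES_PROVIDER=yahoo_finance

# Brandfetch to grab logos for banks and merchants
BRAND_FETCH_CLIENT_ID=

# Custom port config
# For users who have other applications listening on 3000, this sets the port Puma listens on.
PORT=3000
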
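# SMTP Configuration
# This is only needed if you intend to send emails from your Sure instance (such as password resets or emailed financial reports).
# Resend.com is a good option that offers a free tier for sending emails.
# SMTP_PASSWORD is a secret. Port 465 is the conventional implicit-TLS (SMTPS) port.
# NOTE(review): SMTP_TLS_ENABLED presumably controls TLS on the SMTP connection; leave it `true` so
# SMTP_USERNAME / SMTP_PASSWORD are not sent in cleartext - confirm against the mailer config.
SMTP_ADDRESS=
SMTP_PORT=465
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_TLS_ENABLED=true

# Address that emails are sent from
EMAIL_SENDER=
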
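# Database Configuration
# May need to be changed to `DB_HOST=db` if using devcontainer
# (kept on its own line: not every env-file parser strips a trailing `# ...` from a value)
DB_HOST=localhost
DB_PORT=5432
# `postgres` / `postgres` are well-known default credentials, suitable only for a local database.
# Set a unique POSTGRES_PASSWORD for any database that other hosts can reach.
POSTGRES_PASSWORD=postgres
POSTGRES_USER=postgres

# Redis configuration
# Standard Redis URL (for direct connection)
REDIS_URL=redis://localhost:6379/1

# Redis Sentinel configuration (for high availability)
# When REDIS_SENTINEL_HOSTS is set, it takes precedence over REDIS_URL
# REDIS_SENTINEL_HOSTS is a comma-separated list of host:port entries.
# REDIS_SENTINEL_HOSTS=sentinel1:26379,sentinel2:26379,sentinel3:26379
# REDIS_SENTINEL_MASTER=mymaster
# REDIS_SENTINEL_USERNAME=default
# `your-redis-password` is a placeholder; REDIS_PASSWORD is a secret.
# REDIS_PASSWORD=your-redis-password
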
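# App Domain
# This is the domain that your Sure instance will be hosted at. It is used to generate links in emails and other places.
# Because links in outgoing emails (e.g. password resets) are built from it, set it to the exact
# hostname users reach the instance on.
APP_DOMAIN=

# OpenID Connect configuration
# OIDC_CLIENT_SECRET is a secret. OIDC_REDIRECT_URI has to match the redirect URI registered with
# the identity provider exactly.
# NOTE(review): OIDC_ISSUER is presumably the provider's issuer URL; use its https:// form - confirm.
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_ISSUER=
OIDC_REDIRECT_URI=

# Product/Brand Name
PRODUCT_NAME=
BRAND_NAME=

# PostHog configuration
POSTHOG_KEY=
POSTHOG_HOST=

# Disable enforcing SSL connections
# Leave this commented out unless TLS is terminated by a reverse proxy in front of the app or the
# instance is only reachable locally; without enforcement, logins and sessions can travel over plain HTTP.
# DISABLE_SSL=true
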
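# Active Record Encryption Keys (Optional)
# These keys are used to encrypt sensitive data like API keys in the database.
# For managed mode: Set these environment variables to provide encryption keys.
# For self-hosted mode: If not provided, they will be automatically generated based on your SECRET_KEY_BASE.
# Priority: these environment variables, then auto-generation (self-hosted only), then Rails credentials.
# You can generate your own keys by running: rails db:encryption:init
#
# Whichever keys are in use must stay unchanged and be backed up: data encrypted under one set of keys
# cannot be read with another. In self-hosted mode without these variables, the same holds for
# SECRET_KEY_BASE, since the keys are generated from it.
# NOTE(review): presumably all three must be set together - confirm against the encryption initializer.
# ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
# ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
# ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
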
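# ======================================================================================================
# Active Storage Configuration - responsible for storing file uploads
# ======================================================================================================
#
# * Defaults to disk storage but you can also use Amazon S3 or Cloudflare R2
# * Set the appropriate environment variables to use these services.
# * Ensure libvips is installed on your system for image processing - https://github.com/libvips/libvips
# * The *_SECRET_ACCESS_KEY values are secrets; prefer credentials limited to the one bucket used here.
# * Explanations sit on their own comment lines so that uncommenting a variable yields a clean value.
#
# Amazon S3
# ==========
# Enables Amazon S3 storage:
# ACTIVE_STORAGE_SERVICE=amazon
# S3_ACCESS_KEY_ID=
# S3_SECRET_ACCESS_KEY=
# Defaults to `us-east-1` if not set:
# S3_REGION=
# S3_BUCKET=
#
# Cloudflare R2
# =============
# Enables Cloudflare R2 storage:
# ACTIVE_STORAGE_SERVICE=cloudflare
# CLOUDFLARE_ACCOUNT_ID=
# CLOUDFLARE_ACCESS_KEY_ID=
# CLOUDFLARE_SECRET_ACCESS_KEY=
# CLOUDFLARE_BUCKET=
#
# Generic S3
# ==========
# Enables Generic S3 storage:
# ACTIVE_STORAGE_SERVICE=generic_s3
# GENERIC_S3_ACCESS_KEY_ID=
# GENERIC_S3_SECRET_ACCESS_KEY=
# GENERIC_S3_REGION=
# GENERIC_S3_BUCKET=
# NOTE(review): use an https:// endpoint so the access keys and uploads are protected in transit.
# GENERIC_S3_ENDPOINT=
# Defaults to false:
# GENERIC_S3_FORCE_PATH_STYLE=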