74 lines
4.2 KiB
Plaintext
74 lines
4.2 KiB
Plaintext
|
# ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
# FlatRender — PRODUCTION ENV_FILE template
|
||
|
|
#
|
||
|
|
# This is the content of the Gitea repo secret named ENV_FILE.
|
||
|
|
# Set it at: https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
|
||
|
|
# The deploy job writes this verbatim to `.env`, which docker compose reads.
|
||
|
|
#
|
||
|
|
# Fill every <PLACEHOLDER>. Generate secrets with: openssl rand -hex 32
|
||
|
|
# After editing the secret, push any commit to trigger a redeploy.
|
||
|
|
# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
|
||
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
# ── Host port binding ────────────────────────────────────────────────────────
|
||
|
|
# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
|
||
|
|
# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
|
||
|
|
HOST_BIND=127.0.0.1
|
||
|
|
|
||
|
|
# ── Domains (DNS A-records must point at this server) ────────────────────────
|
||
|
|
DOMAIN=flatrender.example.com
|
||
|
|
API_DOMAIN=api.flatrender.example.com
|
||
|
|
STORAGE_DOMAIN=storage.flatrender.example.com
|
||
|
|
ACME_EMAIL=you@example.com
|
||
|
|
|
||
|
|
# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
|
||
|
|
NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
|
||
|
|
NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
|
||
|
|
NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
|
||
|
|
NEXT_PUBLIC_TENANT_SLUG=flatrender
|
||
|
|
CORS_ORIGIN=https://flatrender.example.com
|
||
|
|
|
||
|
|
# ── Core secrets ─────────────────────────────────────────────────────────────
|
||
|
|
JWT_SECRET=<openssl rand -hex 32>
|
||
|
|
SERVICE_TOKEN=<openssl rand -hex 32>
|
||
|
|
NODE_HMAC_SECRET=<openssl rand -hex 32>
|
||
|
|
JWT_ACCESS_MINUTES=1440
|
||
|
|
|
||
|
|
# ── Postgres ─────────────────────────────────────────────────────────────────
|
||
|
|
POSTGRES_USER=flatrender
|
||
|
|
POSTGRES_PASSWORD=<openssl rand -hex 24>
|
||
|
|
|
||
|
|
# ── MinIO (object storage) ───────────────────────────────────────────────────
|
||
|
|
MINIO_ACCESS_KEY=<openssl rand -hex 12>
|
||
|
|
MINIO_SECRET_KEY=<openssl rand -hex 24>
|
||
|
|
MINIO_BUCKET=flatrender-exports
|
||
|
|
MINIO_TEMPLATES_BUCKET=flatrender-templates
|
||
|
|
MINIO_UPLOAD_BUCKET=user-uploads
|
||
|
|
# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
|
||
|
|
MINIO_HOST_ENDPOINT=storage.flatrender.example.com
|
||
|
|
MINIO_HOST_USE_SSL=true
|
||
|
|
|
||
|
|
# ── Render farm ──────────────────────────────────────────────────────────────
|
||
|
|
# No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
|
||
|
|
# Instead disable rendering in Admin → فارم رندر → موتور رندر so users see a notice.
|
||
|
|
RENDER_DEV_WORKER=false
|
||
|
|
RENDER_DEV_SNAPSHOTS=false
|
||
|
|
|
||
|
|
# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
|
||
|
|
GATEWAY_PORT=8080
|
||
|
|
|
||
|
|
# ── Payments (fill the providers you actually use; leave others blank) ───────
|
||
|
|
STRIPE_SECRET_KEY=
|
||
|
|
STRIPE_WEBHOOK_SECRET=
|
||
|
|
STRIPE_PUBLISHABLE_KEY=
|
||
|
|
ZARINPAL_MERCHANT_ID=
|
||
|
|
ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
|
||
|
|
ZARINPAL_SANDBOX=false
|
||
|
|
SNAPPAY_CLIENT_ID=
|
||
|
|
SNAPPAY_CLIENT_SECRET=
|
||
|
|
SNAPPAY_BASE_URL=https://api.snappay.ir
|
||
|
|
SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay
|
||
|
|
TARA_API_KEY=
|
||
|
|
TARA_BASE_URL=https://api.tara.ir
|
||
|
|
TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara
|