# ─────────────────────────────────────────────────────────────────────────────
# FlatRender — PRODUCTION ENV_FILE template
#
# This is the content of the Gitea repo secret named ENV_FILE.
# Set it at: https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
# The deploy job writes this verbatim to `.env`, which docker compose reads.
#
# Fill every blank value below (payment providers you do not use may stay
# blank). Generate secrets with: openssl rand -hex 32
# After editing the secret, push any commit to trigger a redeploy.
# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
#
# Handling: only this blank template belongs in version control; the filled-in
# copy lives in the ENV_FILE secret and in the server's `.env`, nowhere else.
# NOTE(review): confirm the deploy job creates `.env` readable by the deploy
# user only and never prints its contents to the job log.
# Format: one KEY=value per line, comments on their own lines starting with #.
# ─────────────────────────────────────────────────────────────────────────────

# ── Host port binding ────────────────────────────────────────────────────────
# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
# Leave this on loopback: with 0.0.0.0 the published ports would be reachable
# directly, and per the note above ufw would not stop that.
HOST_BIND=127.0.0.1

# ── Domains (DNS A-records must point at this server) ────────────────────────
# The example.com hostnames here and in the URLs further down are template
# values; replace all of them consistently with the real hostnames.
DOMAIN=flatrender.example.com
API_DOMAIN=api.flatrender.example.com
STORAGE_DOMAIN=storage.flatrender.example.com
# NOTE(review): presumably the contact address Caddy registers with the
# certificate authority — use a monitored mailbox.
ACME_EMAIL=you@example.com

# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
# NEXT_PUBLIC_* values are compiled into the JavaScript sent to every visitor,
# so never place a secret under this prefix.
NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
NEXT_PUBLIC_TENANT_SLUG=flatrender
# Exact origin of the site: scheme + host, no path and no trailing slash.
# NOTE(review): how the gateway parses this value is not shown here — confirm
# it is compared exactly and that a wildcard origin is not accepted.
CORS_ORIGIN=https://flatrender.example.com

# ── Core secrets ─────────────────────────────────────────────────────────────
# Generate a separate random value for each key (openssl rand -hex 32 gives
# 256 bits); do not reuse one value across keys, so that a leak of one secret
# does not expose the others.
# NOTE(review): confirm the services refuse to start when any of these is
# empty, rather than running with an empty signing key.
JWT_SECRET=
SERVICE_TOKEN=
NODE_HMAC_SECRET=
# 1440 minutes = 24 hours.
# NOTE(review): presumably the access-token lifetime; if so, a leaked token
# stays usable for up to a day unless the backend can revoke it — confirm this
# is the intended value for production.
JWT_ACCESS_MINUTES=1440

# ── Postgres ─────────────────────────────────────────────────────────────────
# Use a generated password; hex output contains no characters that need
# escaping if the password is later embedded in a connection URL.
POSTGRES_USER=flatrender
POSTGRES_PASSWORD=

# ── MinIO (object storage) ───────────────────────────────────────────────────
# NOTE(review): if these two are passed to MinIO as its root credentials, MinIO
# enforces minimum lengths (access key >= 3 characters, secret key >= 8) and
# the values grant full control of every bucket — confirm how they are used.
MINIO_ACCESS_KEY=
MINIO_SECRET_KEY=
MINIO_BUCKET=flatrender-exports
MINIO_TEMPLATES_BUCKET=flatrender-templates
# NOTE(review): judging by the name this bucket holds user-supplied files —
# confirm its policy is private so objects are reachable only through
# presigned URLs.
MINIO_UPLOAD_BUCKET=user-uploads
# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
# The endpoint is a bare hostname with no scheme; it should equal STORAGE_DOMAIN.
# Keep USE_SSL=true so presigned URLs are issued as https.
MINIO_HOST_ENDPOINT=storage.flatrender.example.com
MINIO_HOST_USE_SSL=true

# ── Render farm ──────────────────────────────────────────────────────────────
# No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
# Instead disable rendering in Admin → فارم رندر → موتور رندر
# (menu labels in English: Render Farm → Render Engine) so users see a notice.
RENDER_DEV_WORKER=false
RENDER_DEV_SNAPSHOTS=false

# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
GATEWAY_PORT=8080

# ── Payments (fill the providers you actually use; leave others blank) ───────
# Production takes live-mode credentials. Every value in this section except
# STRIPE_PUBLISHABLE_KEY should be treated as a secret.
# NOTE(review): STRIPE_WEBHOOK_SECRET is the key Stripe webhook signatures are
# verified with — confirm the webhook handler rejects events when it is blank.
STRIPE_SECRET_KEY=
STRIPE_WEBHOOK_SECRET=
STRIPE_PUBLISHABLE_KEY=

# Callback URLs must use https and the real API_DOMAIN host.
ZARINPAL_MERCHANT_ID=
ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
# false = real payments; NOTE(review): presumably true selects the gateway's
# sandbox — confirm before testing against production.
ZARINPAL_SANDBOX=false

SNAPPAY_CLIENT_ID=
SNAPPAY_CLIENT_SECRET=
SNAPPAY_BASE_URL=https://api.snappay.ir
SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay

TARA_API_KEY=
TARA_BASE_URL=https://api.tara.ir
TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara