# Canonical production environment template for: # - self-hosted full stack via ./start-unified.sh prod # - frontend deployment on Vercel (copy VITE_* and FRONTEND_URL/BACKEND_URL values) # - backend deployment on Railway (copy backend/auth/database values) ENVIRONMENT=production # Public application URLs FRONTEND_URL=https://containr-web.vercel.app BACKEND_URL=https://containr-api.up.railway.app VITE_API_URL=https://containr-api.up.railway.app VITE_AUTH_URL=https://containr-api.up.railway.app/api/auth BETTER_AUTH_URL=https://containr-api.up.railway.app BETTER_AUTH_TRUSTED_ORIGINS=https://containr-web.vercel.app,https://containr-api.up.railway.app CORS_ORIGINS=https://containr-web.vercel.app,https://containr-api.up.railway.app CORS_CREDENTIALS=true # Self-hosted domain settings DOMAIN=containr.example.com ACME_EMAIL=ops@example.com TRAEFIK_API_INSECURE=false TRAEFIK_AUTH=admin:$$apr1$$replace_me$$replace_me # Backend runtime PORT=8080 HOST=0.0.0.0 AUTH_PORT=3001 BETTER_AUTH_ENABLED=true BETTER_AUTH_ENTRYPOINT=auth/src/server.js BETTER_AUTH_NODE_BINARY=node BETTER_AUTH_STARTUP_TIMEOUT=20s BETTER_AUTH_PROXY_URL=http://127.0.0.1:3001 BETTER_AUTH_INTERNAL_URL=http://127.0.0.1:3001/internal/session MAX_REQUEST_BODY_BYTES=10485760 READ_TIMEOUT=30s WRITE_TIMEOUT=30s IDLE_TIMEOUT=60s SHUTDOWN_TIMEOUT=30s AUTO_MIGRATE=true MIGRATION_LOCK_TIMEOUT=5m SEED_DATA_ON_START=false TRUSTED_PROXY_CIDR=172.20.0.0/16 LOG_LEVEL=info LOG_FORMAT=json LOG_OUTPUT=stdout DEBUG=false # Secrets JWT_SECRET=CHANGE_ME_AT_LEAST_32_CHARACTERS_LONG BETTER_AUTH_SECRET=CHANGE_ME_AT_LEAST_32_CHARACTERS_LONG BETTER_AUTH_INTERNAL_TOKEN=CHANGE_ME_INTERNAL_AUTH_TOKEN CONTAINR_AGENT_AUTH_TOKEN=CHANGE_ME_AGENT_AUTH_TOKEN # Optional rotating token list # CONTAINR_AGENT_AUTH_TOKENS=current_secret,next_secret # Cookies COOKIE_SECURE=true COOKIE_DOMAIN= COOKIE_PATH=/ COOKIE_SAME_SITE=lax # Self-hosted database defaults. # Railway: replace DATABASE_URL and REDIS_URL with Railway-provided values. POSTGRES_DB=containr POSTGRES_USER=containr_user POSTGRES_PASSWORD=CHANGE_ME_POSTGRES_PASSWORD DATABASE_URL=postgres://containr_user:CHANGE_ME_POSTGRES_PASSWORD@postgres:5432/containr?sslmode=disable MAX_CONNECTIONS=50 MAX_IDLE_CONNECTIONS=10 CONN_MAX_LIFETIME=10m CONN_MAX_IDLE_TIME=5m REDIS_PASSWORD=CHANGE_ME_REDIS_PASSWORD REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@redis:6379/0 # Explicit DB settings for the embedded Better Auth runtime. DB_HOST=postgres DB_PORT=5432 DB_NAME=containr DB_USER=containr_user DB_PASSWORD=CHANGE_ME_POSTGRES_PASSWORD # Optional OAuth providers GITHUB_CLIENT_ID= GITHUB_CLIENT_SECRET= GITLAB_CLIENT_ID=PLACEHOLDER_GITLAB_CLIENT_ID GITLAB_CLIENT_SECRET=PLACEHOLDER_GITLAB_CLIENT_SECRET GITLAB_OAUTH_AUTHORIZE_URL=https://gitlab.com/oauth/authorize GITLAB_OAUTH_TOKEN_URL=https://gitlab.com/oauth/token GITLAB_OAUTH_USERINFO_URL=https://gitlab.com/api/v4/user BITBUCKET_CLIENT_ID=PLACEHOLDER_BITBUCKET_CLIENT_ID BITBUCKET_CLIENT_SECRET=PLACEHOLDER_BITBUCKET_CLIENT_SECRET BITBUCKET_OAUTH_AUTHORIZE_URL=https://bitbucket.org/site/oauth2/authorize BITBUCKET_OAUTH_TOKEN_URL=https://bitbucket.org/site/oauth2/access_token BITBUCKET_OAUTH_USERINFO_URL=https://api.bitbucket.org/2.0/user BITBUCKET_OAUTH_EMAILS_URL=https://api.bitbucket.org/2.0/user/emails GITEA_CLIENT_ID=PLACEHOLDER_GITEA_CLIENT_ID GITEA_CLIENT_SECRET=PLACEHOLDER_GITEA_CLIENT_SECRET GITEA_OAUTH_AUTHORIZE_URL=https://gitea.example.com/login/oauth/authorize GITEA_OAUTH_TOKEN_URL=https://gitea.example.com/login/oauth/access_token GITEA_OAUTH_USERINFO_URL=https://gitea.example.com/api/v1/user # Repo sync / SCM integrations GITHUB_APP_ID= GITHUB_APP_SLUG= GITHUB_APP_PRIVATE_KEY= GITHUB_APP_BASE_URL=https://api.github.com GITLAB_API_URL=https://gitlab.com/api/v4 GITLAB_BASE_URL=https://gitlab.com BITBUCKET_API_URL=https://api.bitbucket.org/2.0 BITBUCKET_BASE_URL=https://bitbucket.org GITEA_BASE_URL=https://gitea.example.com # Optional analytics / observability UMAMI_BASE_URL= UMAMI_API_KEY= UMAMI_WEBSITE_ID= CLOUDFLARED_TOKEN=