Environment Variables
In the following you can find all the environment variables used in the TruBudget project. Use this list as reference for development and deployment.
Project | Shortcut | List of variables |
---|---|---|
Frontend | ui | ui |
API | api | api |
Blockchain | bc | bc |
Provisioning | prov | prov |
Excel export service | excel | excel |
Storage service | storage | storage |
Email notification service | | |
Docker-compose | scripts | |
If you need a .env.example file as a template, use the .env.example file in /scripts/operation. This file has all values pre-filled.
Env Variable | Required | Default Value | Used by | Description |
---|---|---|---|---|
ORGANIZATION | yes | - | bc/api | In the blockchain network, each node is represented by its organization name. This environment variable sets this organization name. It is used to create the organization stream on the blockchain and is also displayed in the frontend's top right corner. |
ORGANIZATION_VAULT_SECRET | yes | - | api | This is the key to en-/decrypt user data of an organization. If you want to add a new node for your organization, you want users to be able to log in on either node. Make sure that the api connected to the new node has the same organization vault secret. Caution: If you want to run TruBudget in production, make sure NOT to use the default value from the .env.example file! |
API_HOST | no | | bc/prov | The IP address of one api which is connected to the node you want to connect to (The IP addresses are usually the same as for the P2P host address). |
API_PORT | no | 8080 | bc/prov | The port used to connect to the api. |
JWT_SECRET | no | [random] | api/bc | A string that is used to sign the JWTs which are created by the authenticate endpoint of the api |
P2P_HOST | no | | bc | The IP address of the blockchain node you want to connect to. |
P2P_PORT | no | 7447 | bc | The port on which all nodes in the blockchain network have exposed their MultiChain daemon for peer-to-peer connections. Beta nodes will connect to the P2P_PORT of the Alpha node through this variable. Alpha nodes will expose their MultiChain daemon through this variable. |
PORT | no | 8080 for api, 8888 for excel | api/export | The port used to expose the API and excel-export for your installation. Example: If you run TruBudget locally and set API_PORT to 8080 , you can reach the API via localhost:8080/api . |
ROOT_SECRET | no | [random] | api | The root secret is the password for the root user. If you start with an empty blockchain, the root user is needed to add other users, approve new nodes, etc. If you don't set a value via the environment variable, the API generates one randomly and prints it to the console. Caution: If you want to run TruBudget in production, make sure to set a secure root secret. |
BLOCKCHAIN_PORT | no | 8085 | api/bc | The Port of the blockchain where the server is available for incoming http connections (e.g. readiness, versions, backup and restore) |
MULTICHAIN_RPC_PASSWORD | no | [hardcoded] | api/bc | Password used by the API to connect to the blockchain. The password is set by the origin node upon start. Every beta node needs to use the same RPC password in order to be able to connect to the blockchain. Hint: Although the MULTICHAIN_RPC_PASSWORD is not required, it is highly recommended to set your own secure password. |
MULTICHAIN_RPC_PORT | no | 8000 | api/bc | The port used to expose the multichain daemon of your TruBudget blockchain installation (bc) for RPC connections. The port used to connect to the api of the multichain daemon. This will be used internally for the communication between the API and the multichain daemon. |
MULTICHAIN_RPC_USER | no | multichainrpc | api/bc | The user used to connect to the multichain daemon. |
MULTICHAIN_FEED_ENABLED | no | false | bc | If set to true, the multichain-feed Go script in src/multichain-feed/multichain-feed is passed to the multichain daemon and executed in a separate process. |
BUILDTIMESTAMP | no | | bc | The /version endpoint returns this variable as buildTimeStamp property |
BLOCKNOTIFY_SCRIPT | no | | bc | Configure the blocknotify argument of the multichain configuration like -blocknotify=[BLOCKNOTIFY_SCRIPT] |
AUTOSTART | no | true | bc | If set to false multichain daemon will not start automatically. |
RPC_ALLOW_IP | no | 0.0.0.0/0 | bc | It refers to an allowed IP address range, given either by IP or CIDR notation. 0.0.0.0/0 will allow access from anywhere. |
EXTERNAL_IP | no | | bc | The EXTERNAL_IP option is the IP address with which the current node can be reached. The variable is forwarded to the multichain daemon as externalip argument. This will be reported to other nodes in the TruBudget network. By default, the daemon will try to automatically detect an external IP address. However, this might not always be accurate, especially if a node is behind a NAT or a firewall. By using EXTERNAL_IP, you can manually specify the IP. This can be useful if you want to ensure that your node is reachable at a specific address. If your node is not actually reachable at the specified IP address (e.g. because of a firewall), other nodes might not be able to connect to it. Example: If you have a VM running on 22.22.22.22 and you want to start a beta node from this VM to connect to an alpha running on 11.11.11.11, you set EXTERNAL_IP to 11.11.11.11 on alpha node and 22.22.22.22 on beta node. |
NODE_ENV | yes | development or production | bc | Environment: Default development when running development-script. Production when running production-script |
CERT_PATH | no | | bc | The path to the certificate used by the blockchain to authenticate with the connection peer. Note that self-signed certificates are not allowed in production environments. More information can be found here |
CERT_CA_PATH | no | | bc | The path to the certificate authority root certificate used by the blockchain to authenticate with the connection peer. Note that self-signed certificates are not allowed in production environments. More information can be found here |
CERT_KEY_PATH | no | | bc | The path to the certificate key used by the blockchain to authenticate with the connection peer. More information can be found here |
ACCESS_CONTROL_ALLOW_ORIGIN | no | "*" | bc/api/excel/storage/email | Since the services use CORS, the domain by which it can be called needs to be set. Setting this value to "*" means that it can be called from any domain. Read more about this topic here. |
MULTICHAIN_DIR | no | /root | bc | The path to the multichain folder where the blockchain data is persisted. For installations via docker compose , this refers to the path within the docker container of the blockchain. For bare metal installations, this refers to the path on the machine the blockchain is running on. |
PRETTY_PRINT | no | true | * | Decides whether the logs printed by services are pretty printed or not. Pretty printed logs are easier to read while non-pretty printed logs are easier to store and use e.g. in the ELK (Elasticsearch-Logstash-Kibana) stack. |
TAG | no | main | scripts | The tag defines the version of the image that is pulled from the docker hub. |
NODE_ENV | no | | ui/api | If set to development, TruBudget's external services are searched for on localhost and the api will allow any string as password. If set to production, the Redux devtools extension is disabled. |
REACT_APP_VERSION | no | | ui | Injected version via $npm_package_version in .env file to ensure the version is shown in the frontend |
INLINE_RUNTIME_CHUNK | no | false | frontend | Scripts that are injected by React will not be injected inline but as script with src="...". Important for being able to enforce a stricter Content Security Policy |
REACT_APP_EMAIL_SERVICE_ENABLED | no | false | ui | When enabled, the frontend requests an email-service readiness call when entering the login screen. If true, the email section in the user-profile is enabled |
EMAIL_HOST | no | - | ui | IP address of the email notification service |
EMAIL_PORT | no | 8890 | ui | Port of the email notification service |
REACT_APP_EXPORT_SERVICE_ENABLED | no | false | ui | If true, the frontend requests an export-service readiness call when entering the login screen and the export button is shown at the side navbar |
EXPORT_HOST | no | - | ui | IP address of the excel export service |
EXPORT_PORT | no | 8888 | ui | Port of the excel export service |
REACT_APP_LOGGING | no | false | ui | When enabled, the log/error messages on the frontend are sent back to the frontend-collector |
REACT_APP_LOG_LEVEL | no | trace | ui | Values are: info or error or trace. When set to trace all state transitions of the ui are logged to console & sent back to the frontend-collector |
REACT_APP_LOGGING_SERVICE_HOST | no | localhost | ui | Host of the frontend-collector |
REACT_APP_LOGGING_SERVICE_PORT | no | 3000 | ui | Port on which the frontend-collector is listening |
REACT_APP_LOGGING_SERVICE_HOST_SSL | no | false | ui | Defines whether the frontend logger uses SSL to communicate with the frontend-collector. When used in production, SSL must be enabled! |
REACT_APP_LOGGING_PUSH_INTERVAL | no | 20 | ui | Defines in which intervals the collected log-messages should be pushed to the frontend-collector (in seconds). |
DB_TYPE | no | pg | | Type of database. A supported list can be found in the Database Configuration section |
DB_NAME | no | trubudget_email_service | | Name of the database |
DB_USER | no | postgres | | User name for connected database |
DB_PASSWORD | no | test | | Password for connected database |
DB_HOST | no | localhost | | IP of connected database |
DB_PORT | no | 5432 | | Port of connected database |
DB_SCHEMA | no | public | | Schema of connected database |
DB_SSL | no | false | | If true the DB connection is using the SSL protocol |
USER_TABLE | no | users | | Name of the table which is created if the first email address is inserted |
SMTP_USER | no | testuser | | This is forwarded to the auth prop of the nodemailer's transport-options, to authenticate with the credentials of the configured SMTP server |
SMTP_PASSWORD | no | test | | IP of external SMTP-Server used to actually send notification emails |
SMTP_HOST | no | localhost | | IP of external SMTP-Server used to actually send notification emails |
SMTP_PORT | no | 2500 | | Port of external SMTP-Server |
SMTP_SSL | no | false | | If true the external SMTP-Server connection is using the SSL protocol |
SQL_DEBUG | no | false | | The SQL Debug option is forwarded to the knex configuration |
EMAIL_FROM | no | Trubudget Notification Service👻 | | This is injected into the from field of the email notification |
EMAIL_SUBJECT | no | Trubudget Notification | | This is injected into the subject field of the email notification |
EMAIL_TEXT | no | You have received a notification. | | This is injected into the body of the email notification |
LOG_LEVEL | no | info | all | Defines the log output. Supported levels are trace , debug , info , warn , error , fatal |
SIGNING_METHOD | no | node | api | Possible signing methods are: node and user . Transactions on the chain will be signed using either the address of the node or the address of the specific user publishing that transaction. |
ENCRYPTION_PASSWORD | no | - | api | If set, all data that is sent to the MultiChain node and external storage will be symmetrically encrypted by the ENCRYPTION_PASSWORD |
JWT_SECRET | no | - (required) | | A secret of min length of 32 - It is used to verify the JWT_TOKEN sent by users of the email-service endpoints |
AUTHENTICATION | no | JWT | | If set to none, no JWT-Token is required for all endpoints. If set to JWT, a JWT token is necessary |
DOCUMENT_FEATURE_ENABLED | no | false | api | If true, all uploaded documents are stored using trubudget's storage-service. If false, the document feature of TruBudget is disabled, and trying to upload a document will result in an error. |
DOCUMENT_EXTERNAL_LINKS_ENABLED | no | false | api | If true, it is possible to use external document links even without TruBudget's storage-service. If false, the external document links feature of TruBudget can still be used in case DOCUMENT_FEATURE_ENABLED equals "true". |
STORAGE_SERVICE_HOST | no | localhost | storage | IP address of storage service |
STORAGE_SERVICE_PORT | no | 8090 | storage | Port of storage service |
STORAGE_SERVICE_EXTERNAL_URL | no | - | api | IP and port of own connected storage service accessible externally |
STORAGE_PROVIDER | | minio | | Set to azure-storage if you use Azure Storage Account, otherwise defaults to minio |
MINIO_ACCESS_KEY | no | minio | storage | Access key for Minio server |
MINIO_SECRET_KEY | no | minio123 | storage | Secret (Password) for Minio server |
MINIO_PORT | no | 9000 | storage | Port of connected Minio |
MINIO_HOST | no | localhost | storage | IP address of connected Minio server |
MINIO_BUCKET_NAME | no | trubudget | storage | Bucket name of the connected Minio server |
MINIO_REGION | | us-east-1 | | Region where the bucket is created. This parameter is optional. Default value is us-east-1. |
LOGGER_PORT | yes | 3000 | logging | Port where the frontend-collector is exposed |
API_HOST | yes | localhost | logging | API host |
API_PORT | yes | 8080 | logging | API port |
LOG_LEVEL | yes | trace | logging | Log-level |
LOGGING_SERVICE_CACHE_DURATION | yes | 20 | logging | Defines how long valid JWT should be cached (in minutes). |
LOGGING_SERVICE_NODE_ENV | yes | production | logging | Environment |
CI_COMMIT_SHA | | "" | bc/api/excel/storage/email | Defines the CI_COMMIT_SHA property returned by the version endpoint. |
RATE_LIMIT | no | - | api | If set, API will limit the number of requests from any individual IP address to the set number per minute. Can be set to any number, but shouldn't be set too low. |
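A pre-deployment check over the variables in the table above, added here as an example (not TruBudget's own code): it parses a .env file and reports the settings the table marks as risky for production. The service filter, the finding texts and the sample values are assumptions of this example.

```python
import re

# variable: (service shortcut, documented default that is permissive or publicly known)
WEAK_DEFAULTS = {
    "RPC_ALLOW_IP": ("bc", "0.0.0.0/0"),
    "ACCESS_CONTROL_ALLOW_ORIGIN": ("api", "*"),
    "MINIO_SECRET_KEY": ("storage", "minio123"),
}
# Values the table describes as switching a protection off.
WEAK_EXPLICIT = {"NODE_ENV": "development", "AUTHENTICATION": "none"}
# Secrets the table says to set yourself rather than rely on a fallback.
MUST_SET = ("ORGANIZATION_VAULT_SECRET", "ROOT_SECRET", "MULTICHAIN_RPC_PASSWORD")
JWT_MIN_LEN = 32  # minimum length stated for the email-service JWT_SECRET
LINE = re.compile(r"\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
# Constructed sample input, not taken from a real deployment.
SAMPLE = """# core settings
ORGANIZATION_VAULT_SECRET=secret
ROOT_SECRET='a-long-unique-root-passphrase'
RPC_ALLOW_IP=10.0.0.0/24
NODE_ENV=development
JWT_SECRET=short
"""

def parse_env(text):
    """Parse KEY=VALUE lines; comment and blank lines are skipped, quotes stripped."""
    env = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[m.group(1)] = value
    return env

def audit(env, services=("bc", "api"), example=None):
    """Return sorted (variable, reason) findings; unset variables count at their default."""
    findings = []
    for name in MUST_SET:
        if not env.get(name):
            findings.append((name, "not set"))
        elif example and env[name] == example.get(name):
            findings.append((name, "same value as .env.example"))
    for name, (service, default) in WEAK_DEFAULTS.items():
        if service in services and env.get(name, default) == default:
            findings.append((name, f"documented default {default!r} in effect"))
    for name, weak in WEAK_EXPLICIT.items():
        if env.get(name, "").lower() == weak:
            findings.append((name, f"set to {weak!r}"))
    if "JWT_SECRET" in env and len(env["JWT_SECRET"]) < JWT_MIN_LEN:
        findings.append(("JWT_SECRET", f"shorter than {JWT_MIN_LEN} characters"))
    return sorted(findings)
```

Pass the parsed .env.example as `example` to catch secrets copied from the template, and add "storage" to `services` when the storage service is deployed.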
Kubernetes
Env Variable | Required | Default Value | Used by | Description |
---|---|---|---|---|
EXPOSE_MC | no | false | bc | If set to true, TruBudget tries to expose its multichain via kubernetes' ingress. First a kubernetes config file is searched in /.kube/config . If not found and the MC is deployed in a cluster, it is searching for the service account to get the information. After configuration the externalip arg is set to the ip of the service's ingress of the configured cluster. SERVICE_NAME and NAMESPACE are required to access the ingress of the service. |
KUBE_SERVICE_NAME | no | | bc | This variable is only required if EXPOSE_MC is set to true. It defines which service the kubernetes client should search for in the configured kubernetes cluster |
KUBE_NAMESPACE | no | | bc | This variable is only required if EXPOSE_MC is set to true. It defines in which namespace the kubernetes client should search for the given service |