Skip to main content

Environment Variables

In the following you can find all the environment variables used in the TruBudget project. Use this list as reference for development and deployment.

ProjectShortcut
Frontendui
APIapi
Blockchainbc
Provisioningprov
Excel export serviceexcel
Storage servicestorage
Email notification serviceemail
Docker-composescripts

If you need a .env.example file as a template, use the .env.example file in /scripts/operation. This file has all values pre-filled.

Env VariableRequiredDefault ValueUsed byDescription
ORGANIZATIONyes-bc/apiIn the blockchain network, each node is represented by its organization name. This environment variable sets this organization name. It is used to create the organization stream on the blockchain and is also displayed in the frontend's top right corner.
ORGANIZATION_VAULT_SECRETyes-apiThis is the key to en-/decrypt user data of an organization. If you want to add a new node for your organization, you want users to be able to log in on either node. Make sure that the api connected to the new node has the same organization vault secret.
Caution: If you want to run TruBudget in production,make sure NOT to use the default value from the .env.example file!
API_HOSTnobc/provThe IP address of one api which is connected to the node you want to connect to (The IP addresses are usually the same as for the P2P host address).
API_PORTno8080bc/provThe port used to connect to the api.
JWT_SECRETno[random]api/bcA string that is used to sign JWT which are created by the authenticate endpoint of the api
P2P_HOSTnobcThe IP address of the blockchain node you want to connect to.
P2P_PORTno7447bcThe port on which all nodes in the blockchain network have exposed their MultiChain daemon for peer-to-peer connections. Beta nodes will connect to the P2P_PORT of the Alpha node through this variable. Alpha nodes will expose their MultiChain daemon through this variable.
PORTno8080 for api, 8888 for excelapi/exportThe port used to expose the API and excel-export for your installation. Example: If you run TruBudget locally and set API_PORT to 8080, you can reach the API via localhost:8080/api.
ROOT_SECRETno[random]apiThe root secret is the password for the root user. If you start with an empty blockchain, the root user is needed to add other users, approve new nodes,.. If you don't set a value via the environment variable, the API generates one randomly and prints it to the console
Caution: If you want to run TruBudget in production, make sure to set a secure root secret.
BLOCKCHAIN_PORTno8085api/bcThe Port of the blockchain where the server is available for incoming http connections (e.g. readiness, versions, backup and restore)
MULTICHAIN_RPC_PASSWORDno[hardcoded]api/bcPassword used by the API to connect to the blockchain. The password is set by the origin node upon start. Every beta node needs to use the same RPC password in order to be able to connect to the blockchain.
Hint: Although the MULTICHAIN_RPC_PASSWORD is not required it is highly recommended to set an own secure one
MULTICHAIN_RPC_PORTno8000api/bcThe port used to expose the multichain daemon of your TruBudget blockchain installation(bc) for RPC connections. The port used to connect to the api of the multichain daemon. This will be used internally for the communication between the API and the multichain daemon.
MULTICHAIN_RPC_USERnomultichainrpcapi/bcThe user used to connect to the multichain daemon.
MULTICHAIN_FEED_ENABLEDnofalsebcIf set to true the multichain-feed go script in src/multichain-feed/multichain-feed is passed to the mutlichain daemon and executed in a separate process.
BUILDTIMESTAMPnobcThe /version endpoint returns this variable as buildTimeStamp property
BLOCKNOTIFY_SCRIPTnobcConfigure the blocknotifiy argument of the multichain configuration like -blocknotify=[BLOCKNOTIFY_SCRIPT]
AUTOSTARTnotruebcIf set to false multichain daemon will not start automatically.
RPC_ALLOW_IPno0.0.0.0/0bcIt refers to an allowed IP address range, given either by IP or CIDR notation. 0.0.0.0/0 will allow access from anywhere.
EXTERNAL_IPnobcThe EXTERNAL_IP option is the IP address with which the current node can be reached. The variable is forwarded to the multichain daemon as externalip argument. This will be reported to other nodes in the Trubudget network. By default, daemon will try to automatically detect an external IP address. However, this might not always be accurate, especially if a node is behind a NAT or a firewall. By using EXTERNAL_IP, you can manually specify the IP. This can be useful if you want to ensure that your node is reachable at a specific address. If your node is not actually reachable at the specified IP address (e.g. because of a firewall), other nodes might not be able to connect to it.
Example: If you have a VM running on 22.22.22.22 and you want to start a beta node from this VM to connect to an alpha running on 11.11.11.11, you set EXTERNAL_IP to 11.11.11.11 on alpha node and 22.22.22.22 on beta node.
NODE_ENVyesdevelopment or productionbcEnvironment: Default development when running development-script. Production when running production-script
CERT_PATHnobcThe path to the certificate used by the blockchain to authenticate with the connection peer. Note that self-signed certificates are not allowed in production environments. More information can be found here
CERT_CA_PATHnobcThe path to the certificate authority root certificate by the blockchain to authenticate with the connection peer. Note that self-signed certificates are not allowed in production environments.More information can be found here
CERT_KEY_PATHnobcThe path to the certificate key used by the blockchain to authenticate with the connection peer. More information can be found here
ACCESS_CONTROL_ALLOW_ORIGINno"*"bc/api/excel/storage/emailSince the services use CORS, the domain by which it can be called needs to be set. Setting this value to "*" means that it can be called from any domain. Read more about this topic here.
MULTICHAIN_DIRno/rootbcThe path to the multichain folder where the blockchain data is persisted. For installations via docker compose, this refers to the path within the docker container of the blockchain. For bare metal installations, this refers to the path on the machine the blockchain is running on.
PRETTY_PRINTnotrue*Decides whether the logs printed by services are pretty printed or not. Pretty printed logs are easier to read while non-pretty printed logs are easier to store and use e.g. in the ELK (Elasticsearch-Logstash-Kabana) stack.
TAGnomainscriptsThe tag defines the version of the image that is pulled from the docker hub.
NODE_ENVnoui/apiIf set to development search Trubudget's external services on localhost, api will allow any string as password. If set to production disable Redux devtools extension.
REACT_APP_VERSIONnouiInjected version via $npm_package_version in.env file to ensure the version is shown in the frontend
INLINE_RUNTIME_CHUNKnofalsefrontendScripts that are injected by React will not be injected inline but as script with src="...". Important for being able to enforce a stricter Content Security Policy
REACT_APP_EMAIL_SERVICE_ENABLEDnofalseuiWhen enabled, the frontend requests a email-service readiness call when entering the login screen.
If true the email section in the user-profile is enabled
EMAIL_HOSTno-uiIP address of the email notification service
EMAIL_PORTno8890uiPort of the email notification service
REACT_APP_EXPORT_SERVICE_ENABLEDnofalseuiIf true the frontend requests a export-service readiness call when entering the login screen and
the export button is shown at the side navbar
EXPORT_HOSTno-uiIP address of the excel export service
EXPORT_PORTno8888uiPort of the excel export service
REACT_APP_LOGGINGnofalseuiWhen enabled, the log/error messages on the frontend are send back to the frontend-collector
REACT_APP_LOG_LEVELnotraceuiValues are: info or error or trace. When set to trace all state transitions of the ui are logged to console & sent back to the frontend-collector
REACT_APP_LOGGING_SERVICE_HOSTnolocalhostuiHost of the frontend-collector
REACT_APP_LOGGING_SERVICE_PORTno3000uiPort on which the frontend-collector is listening
REACT_APP_LOGGING_SERVICE_HOST_SSLnofalseuiDefines whether the frontend logger uses SSL to communicate with the frontend-collector. When used in production, SSL must be enabled!
REACT_APP_LOGGING_PUSH_INTERVALno20uiDefines in which intervals the collected log-messages should be push to the frontend-collector (in seconds).
DB_TYPEnopgemailType of database. A supported list can be found in the Database Configuration section
DB_NAMEnotrubudget_email_serviceemailName of the database
DB_USERnopostgresemailUser name for connected database
DB_PASSWORDnotestemailPassword for connected database
DB_HOSTnolocalhostemailIP of connected database
DB_PORTno5432emailPort of connected database
DB_SCHEMAnopublicemailSchema of connected database
DB_SSLnofalseemailIf true the DB connection is using the SSL protocol
USER_TABLEnousersemailName of the table which is created if the first email address is inserted
SMTP_USERnotestuseremailThis is forwarded to the auth prop of the nodemailer's transport-options, to authenticate with the credentials of the configured SMTP server
SMTP_PASSWORDnotestemailIP of external SMTP-Server used to actually send notification emails
SMTP_HOSTnolocalhostemailIP of external SMTP-Server used to actually send notification emails
SMTP_PORTno2500emailPort of external SMTP-Server
SMTP_SSLnofalseemailIf true the external SMTP-Server connection is using the SSL protocol
SQL_DEBUGnofalseemailThe SQL Debug option is forwarded to the knex configuration
EMAIL_FROMnoTrubudget Notification Service👻emailThis is injected into the from field of the email notification
EMAIL_SUBJECTnoTrubudget NotificationemailThis is injected into the subject field of the email notification
EMAIL_TEXTnoYou have received a notification.emailThis is injected into the body of the email notification
LOG_LEVELnoinfoallDefines the log output. Supported levels are trace, debug, info, warn, error, fatal
SIGNING_METHODnonodeapiPossible signing methods are: node and user. Transactions on the chain will be signed using either the address of the node or the address of the specific user publishing that transaction.
ENCRYPTION_PASSWORDno-apiIf set, all data that is send to the MultiChain node and external storage will be symmetrically encrypted by the ENCRYPTION_PASSWORD
JWT_SECRETno- (required)emailA secret of min length of 32 - It is used to verify the JWT_TOKEN sent by users of the email-service endpoints
AUTHENTICATIONnoJWTemailIf set to none, no JWT-Token is required for all endpoints. If set JWT, a JWT token is necessary
DOCUMENT_FEATURE_ENABLEDnofalseapiIf true, all uploaded documents are stored using trubudget's storage-service. If false, the document feature of TruBudget is disabled, and trying to upload a document will result in an error.
DOCUMENT_EXTERNAL_LINKS_ENABLEDnofalseapiIf true, it is possible to use external documents links also without trubudget's storage-service. If false, the external documents links feature of TruBudget is still possible to use in case DOCUMENT_FEATURE_ENABLED equals "true".
STORAGE_SERVICE_HOSTnolocalhoststorageIP address of storage service
STORAGE_SERVICE_PORTno8090storagePort of storage service
STORAGE_SERVICE_EXTERNAL_URLno-apiIP and port of own connected storage service accessible externally
STORAGE_PROVIDERminioSet to azure-storage if you use Azure Storage Account, otherwise defaults to minio
MINIO_ACCESS_KEYnominiostorageAccess key for Minio server
MINIO_SECRET_KEYnominio123storageSecret (Password) for Minio server
MINIO_PORTno9000storagePort of connected Minio
MINIO_HOSTnolocalhoststorageIP address of connected Minio server
MINIO_BUCKET_NAMEnotrubudgetstorageBucket name of the connected Minio server
MINIO_REGIONus-east-1Region where the bucket is created. This parameter is optional. Default value is us-east-1.
LOGGER_PORTyes3000loggingPort where the frontend-collector is exposed
API_HOSTyeslocalhostloggingAPI host
API_PORTyes8080loggingAPI port
LOG_LEVELyestraceloggingLog-level
LOGGING_SERVICE_CACHE_DURATIONyes20loggingDefines how long valid JWT should be cached (in minutes).
LOGGING_SERVICE_NODE_ENVyesproductionloggingEnvironment
CI_COMMIT_SHA""bc/api/excel/storage/emailDefines the CI_COMMIT_SHA property returned by the version endpoint.
RATE_LIMITno-apiIf set, API will limit the number of requests from any individual IP address to the set number per minute. Can be set to any number, but shouldn't be set too low.

Kubernetes​

Env VariableRequiredDefault ValueUsed byDescription
EXPOSE_MCnofalsebcIf set to true Trubudget tries to expose it's multichain via kubernetes' ingress. First a kubernetes config file is searched in /.kube/config. If not found and the MC is deployed in a cluster, it is searching for the service account to get the information. After configuration the externalip arg is set to the ip of the service' ingress of the configured clusterSERVICE_NAME and NAMESPACE are required to access the ingress of the service.
KUBE_SERVICE_NAMEnobcThis variable is only required if EXPOSE_MC is set to true. It defines which service the kubernetes client should search for in the configured kubernetes cluster
KUBE_NAMESPACEnobcThis variable is only required if EXPOSE_MC is set to true. It defines in which namespace the kubernetes client should search for the given service