# 4.3.4.1 Environment secrets and variables explained

### **Global repository secrets**

<table><thead><tr><th width="295">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>DOCKER_USERNAME</td><td>Your <a href="https://hub.docker.com/">Dockerhub</a> username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml appropriately.</td></tr><tr><td>DOCKER_TOKEN</td><td>Your <a href="https://hub.docker.com/">Dockerhub</a> access token.</td></tr><tr><td>DOCKERHUB_ACCOUNT</td><td>The name of your Dockerhub account or organisation that forms the URL to your country config docker image on Dockerhub <em><strong>before</strong></em> the slash. e.g: <strong>opencrvs</strong></td></tr><tr><td>DOCKERHUB_REPO</td><td>The name of your Dockerhub repository that forms the URL to your country config docker image on Dockerhub <em><strong>after</strong></em> the slash.. e.g. <strong>ocrvs-farajaland</strong></td></tr><tr><td>GH_TOKEN</td><td>The personal Github Token used in all Action runners.</td></tr><tr><td>GH_ENCRYPTION_PASSWORD</td><td>Using the Github Token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the <strong>production, backup</strong> and <strong>staging</strong> environments use the same BACKUP_ENCRYPTION_PASSPHRASE.</td></tr></tbody></table>

### **Environment secrets**

| Secret                              | Description                                                                                                                                                                                              |
| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| BACKUP\_ENCRYPTION\_PASSPHRASE      | This is the password that is used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the **backup** server.  Use this passphrase to decrypt the backups.   |
| ELASTICSEARCH\_SUPERUSER\_PASSWORD  | The Elasticsearch superuser password. You can also use this to login to Kibana with the username "**elastic**" and you have superuser Elastic privileges. Kibana URL: <https://kibana.\\>\<your\_domain> |
| KIBANA\_USERNAME                    | A username for a regular Kibana user to login and monitor OpenCRVS stack health. Useful for developers as this user will have no superuser privileges.                                                   |
| KIBANA\_PASSWORD                    | A password for a regular Kibana user to login and monitor OpenCRVS stack health                                                                                                                          |
| MONGODB\_ADMIN\_USER                | The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data                                                                                                            |
| MONGODB\_ADMIN\_PASSWORD            | The MongoDB superuser admin password.                                                                                                                                                                    |
| MINIO\_ROOT\_USER                   | A username for a Minio superuser admin to login to the Minio console to view supporting document attachments submitted during registrations. <https://minio-console.\\>\<your\_domain>                   |
| MINIO\_ROOT\_PASSWORD               | A password for a Minio superuser admin                                                                                                                                                                   |
| SMTP\_HOST                          |                                                                                                                                                                                                          |
| SMTP\_PORT                          |                                                                                                                                                                                                          |
| SMTP\_USERNAME                      |                                                                                                                                                                                                          |
| SMTP\_PASSWORD                      |                                                                                                                                                                                                          |
| SMTP\_SECURE                        | Whether or not your SMTP port requires TLS                                                                                                                                                               |
| ALERT\_EMAIL                        | Email address or Slack channel address to send system technical alerts to.                                                                                                                               |
| SENDER\_EMAIL\_ADDRESS              | The sender email address that appears in all emails will need to be configured.                                                                                                                          |
| SSH\_KEY                            | This is a copy of the **id\_rsa** file for the SSH Key, not the id\_rsa.pub!                                                                                                                             |
| SSH\_USER                           | Equal to "provision"                                                                                                                                                                                     |
| OPENCRVS\_METABASE\_ADMIN\_EMAIL    | Email address for metabase admin panel login                                                                                                                                                             |
| OPENCRVS\_METABASE\_ADMIN\_PASSWORD | Password for metabase admin panel login                                                                                                                                                                  |

### Environment variables

| Variable                                                                       | Description                                                                                                                                              |
| ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| REPLICAS                                                                       | The number of replicas: **1, 2, 3 or 5** depending on how many servers are in the environment cluster                                                    |
| DOMAIN                                                                         | The host **domain name** (without www!) for your environment.                                                                                            |
| CONTENT\_SECURITY\_POLICY\_WILDCARD                                            | This string is supplied to the clients and nginx config and ensures that the format of your domain above can be configurable for CORS purposes.          |
| ACTIVATE\_USERS                                                                | When users are seeded, are they immediately active using a test password and six zeros as a 2-Factor auth code.  Always false in production and staging. |
| AUTH\_HOST, CLIENT\_APP\_URL, COUNTRY\_CONFIG\_HOST, GATEWAY\_HOST, LOGIN\_URL | URLs passed to docker-compose to support internal microservice comms.                                                                                    |
| DISK\_SPACE                                                                    | The amount of disk space set aside for encrypted PII data stored by OpenCRVS                                                                             |
| NOTIFICATION\_TRANSPORT                                                        | A prop which can be used to configure either Email or SMS for staff and beneficiary comms or potentially both.                                           |
| SSH\_HOST, SSH\_PORT, SSH\_ARGS                                                | Arguments that are passed to the SSH command to access the server as the **provision** user                                                              |

### **Optional environment secrets**

<table><thead><tr><th width="371">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>SENTRY_DSN</td><td>OpenCRVS can report application errors to <a href="https://sentry.io/">Sentry</a> in order to help you debug any issues in production.</td></tr></tbody></table>
Parameter	Description
DOCKER_USERNAME	Your Dockerhub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml appropriately.
DOCKER_TOKEN	Your Dockerhub access token.
DOCKERHUB_ACCOUNT	The name of your Dockerhub account or organisation that forms the URL to your country config docker image on Dockerhub before the slash. e.g: opencrvs
DOCKERHUB_REPO	The name of your Dockerhub repository that forms the URL to your country config docker image on Dockerhub after the slash.. e.g. ocrvs-farajaland
GH_TOKEN	The personal Github Token used in all Action runners.
GH_ENCRYPTION_PASSWORD	Using the Github Token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the production, backup and staging environments use the same BACKUP_ENCRYPTION_PASSPHRASE.