# 4.3.4.1 Environment secrets and variables explained ### **Global repository secrets**
ParameterDescription
DOCKER_USERNAMEYour Dockerhub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml appropriately.
DOCKER_TOKENYour Dockerhub access token.
DOCKERHUB_ACCOUNTThe name of your Dockerhub account or organisation that forms the URL to your country config docker image on Dockerhub before the slash. e.g: opencrvs
DOCKERHUB_REPOThe name of your Dockerhub repository that forms the URL to your country config docker image on Dockerhub after the slash.. e.g. ocrvs-farajaland
GH_TOKENThe personal Github Token used in all Action runners.
GH_ENCRYPTION_PASSWORDUsing the Github Token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the production, backup and staging environments use the same BACKUP_ENCRYPTION_PASSPHRASE.
### **Environment secrets** | Secret | Description | | ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | BACKUP\_ENCRYPTION\_PASSPHRASE | This is the password that is used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the **backup** server. Use this passphrase to decrypt the backups. | | ELASTICSEARCH\_SUPERUSER\_PASSWORD | The Elasticsearch superuser password. You can also use this to login to Kibana with the username "**elastic**" and you have superuser Elastic privileges. Kibana URL: \ | | KIBANA\_USERNAME | A username for a regular Kibana user to login and monitor OpenCRVS stack health. Useful for developers as this user will have no superuser privileges. | | KIBANA\_PASSWORD | A password for a regular Kibana user to login and monitor OpenCRVS stack health | | MONGODB\_ADMIN\_USER | The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data | | MONGODB\_ADMIN\_PASSWORD | The MongoDB superuser admin password. | | MINIO\_ROOT\_USER | A username for a Minio superuser admin to login to the Minio console to view supporting document attachments submitted during registrations. \ | | MINIO\_ROOT\_PASSWORD | A password for a Minio superuser admin | | SMTP\_HOST | | | SMTP\_PORT | | | SMTP\_USERNAME | | | SMTP\_PASSWORD | | | SMTP\_SECURE | Whether or not your SMTP port requires TLS | | ALERT\_EMAIL | Email address or Slack channel address to send system technical alerts to. | | SENDER\_EMAIL\_ADDRESS | The sender email address that appears in all emails will need to be configured. | | SSH\_KEY | This is a copy of the **id\_rsa** file for the SSH Key, not the id\_rsa.pub! | | SSH\_USER | Equal to "provision" | | OPENCRVS\_METABASE\_ADMIN\_EMAIL | Email address for metabase admin panel login | | OPENCRVS\_METABASE\_ADMIN\_PASSWORD | Password for metabase admin panel login | ### Environment variables | Variable | Description | | ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | | REPLICAS | The number of replicas: **1, 2, 3 or 5** depending on how many servers are in the environment cluster | | DOMAIN | The host **domain name** (without www!) for your environment. | | CONTENT\_SECURITY\_POLICY\_WILDCARD | This string is supplied to the clients and nginx config and ensures that the format of your domain above can be configurable for CORS purposes. | | ACTIVATE\_USERS | When users are seeded, are they immediately active using a test password and six zeros as a 2-Factor auth code. Always false in production and staging. | | AUTH\_HOST, CLIENT\_APP\_URL, COUNTRY\_CONFIG\_HOST, GATEWAY\_HOST, LOGIN\_URL | URLs passed to docker-compose to support internal microservice comms. | | DISK\_SPACE | The amount of disk space set aside for encrypted PII data stored by OpenCRVS | | NOTIFICATION\_TRANSPORT | A prop which can be used to configure either Email or SMS for staff and beneficiary comms or potentially both. | | SSH\_HOST, SSH\_PORT, SSH\_ARGS | Arguments that are passed to the SSH command to access the server as the **provision** user | ### **Optional environment secrets**
ParameterDescription
SENTRY_DSNOpenCRVS can report application errors to Sentry in order to help you debug any issues in production.
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.opencrvs.org/v1.6/setup/3.-installation/3.3-set-up-a-server-hosted-environment/4.3.4-create-a-github-environment/4.3.4.1-environment-secrets-and-variables-explained.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.