# Environment secrets and variables explained

#### **Global repository secrets**

| Parameter | Description |
| --------- | ----------- |
| DOCKER\_USERNAME | Your [Dockerhub](https://hub.docker.com/) username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml in the OpenCRVS Countryconfig repository appropriately. NOTE: Dockerhub is used to store only OpenCRVS Countryconfig docker images. All Core images are stored in GitHub Packages. |
| DOCKER\_TOKEN | Your [Dockerhub](https://hub.docker.com/) access token. |
| DOCKERHUB\_ACCOUNT | The name of your Dockerhub account or organisation, which forms the part of your country config docker image URL on Dockerhub ***before*** the slash, e.g. **opencrvs**. |
| DOCKERHUB\_REPO | The name of your Dockerhub repository, which forms the part of your country config docker image URL on Dockerhub ***after*** the slash, e.g. **ocrvs-farajaland**. |
| GH\_TOKEN | The personal GitHub token used in all Action runners. |
| GH\_ENCRYPTION\_PASSWORD | A password created using the GitHub token that allows automated actions to access the secrets of other environments. This happens during provisioning so that the **production**, **backup** and **staging** environments use the same BACKUP\_ENCRYPTION\_PASSPHRASE. |

#### **Global repository variables**

| Variable      | Description                                                                      |
| ------------- | -------------------------------------------------------------------------------- |
| GH\_APPROVERS | List of GitHub accounts allowed to approve deployments to a particular environment. |

#### **Environment secrets**

| Secret | Description |
| ------ | ----------- |
| ENCRYPTION\_KEY | The password used to LUKS-encrypt the `/data` folder containing OpenCRVS data. |
| ELASTICSEARCH\_SUPERUSER\_PASSWORD | The Elasticsearch superuser password. It also logs you into Kibana as the username **elastic**, with superuser Elastic privileges. Kibana URL: `https://kibana.<your_domain>` |
| KIBANA\_USERNAME | A username for a regular Kibana user to log in and monitor OpenCRVS stack health. Useful for developers, as this user has no superuser privileges. |
| KIBANA\_PASSWORD | A password for the regular Kibana user that logs in to monitor OpenCRVS stack health. |
| MONGODB\_ADMIN\_USER | The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data. |
| MONGODB\_ADMIN\_PASSWORD | The MongoDB superuser admin password. |
| MINIO\_ROOT\_USER | A username for a Minio superuser admin to log in to the Minio console and view the supporting document attachments submitted during registrations. Console URL: `https://minio-console.<your_domain>` |
| MINIO\_ROOT\_PASSWORD | A password for the Minio superuser admin. |
| SMTP\_HOST | Hostname of the SMTP server used to send email notifications. |
| SMTP\_PORT | Port of the SMTP server. |
| SMTP\_USERNAME | Username used to authenticate to the SMTP server. |
| SMTP\_PASSWORD | Password used to authenticate to the SMTP server. |
| SMTP\_SECURE | Whether or not your SMTP port requires TLS. |
| ALERT\_EMAIL | Email address or Slack channel address to send system technical alerts to. |
| SENDER\_EMAIL\_ADDRESS | The sender address that appears on all emails OpenCRVS sends. |
| OPENCRVS\_METABASE\_ADMIN\_EMAIL | Email address for the Metabase admin panel login. |
| OPENCRVS\_METABASE\_ADMIN\_PASSWORD | Password for the Metabase admin panel login. |

#### Environment variables

| Variable | Description |
| -------- | ----------- |
| DOMAIN | The host **domain name** (without www!) for your environment. |
| CONTENT\_SECURITY\_POLICY\_WILDCARD | A wildcard form of the domain above, supplied to the clients and the nginx config so that the Content-Security-Policy and CORS rules match your domain format. |
| ACTIVATE\_USERS | Whether seeded users are immediately active, using a test password and six zeros as the two-factor auth code. Always false in production and staging. |
| AUTH\_HOST, CLIENT\_APP\_URL, COUNTRY\_CONFIG\_HOST, GATEWAY\_HOST, LOGIN\_URL | URLs passed to docker-compose to support internal microservice communication. |
| DISK\_SPACE | The amount of disk space set aside for the encrypted PII data stored by OpenCRVS. |
| NOTIFICATION\_TRANSPORT | Selects the transport used for staff and beneficiary communications: email, SMS, or both. |
| KUBE\_API\_HOST | Kubernetes API host domain name or IP address. |
| WORKER\_NODES | Comma-separated list of Kubernetes worker nodes, for a cluster with multiple nodes. Leave it empty for a single-node setup; worker nodes can be added later. |
| APPROVAL\_REQUIRED | Makes approval required for this particular environment. If set to true, all GitHub workflows ask for approval; otherwise the approval process is optional even when a `GH_APPROVERS` list is defined. **NOTE:** the "Reset environment" workflow requires 3 approvals to proceed. This additional requirement exists for security reasons: a single person cannot decide on an environment reset alone. |

#### **Optional environment secrets**

| Parameter | Description |
| --------- | ----------- |
| BACKUP\_SERVER\_USER | The user that uploads backups to the backup server; that user's home directory is the default backup path. Used by the Kubernetes backup jobs. |
| BACKUP\_ENCRYPTION\_PASSPHRASE | Backup encryption passphrase, used only if backup is enabled. This is the password used to encrypt all the backups that OpenCRVS creates from a production server and stores on the **backup** server. Use this passphrase to decrypt the backups. |
| BACKUP\_HOST\_PUBLIC\_KEY | SSH public key for `BACKUP_SERVER_USER`, used to authenticate the Kubernetes backup jobs on the backup server. |
| SENTRY\_DSN | OpenCRVS can report application errors to [Sentry](https://sentry.io/) to help you debug issues in production. |
| BACKUP\_HOST\_PRIVATE\_KEY | SSH private key for `BACKUP_SERVER_USER`, used for authentication by the Kubernetes backup jobs. |

#### **Optional environment variables**

| Parameter | Description |
| --------- | ----------- |
| BACKUP\_HOST | The backup server. Define this property if you want the backup server managed as part of your environment. See the Backup and restore section for how to configure it. Used by the Kubernetes backup jobs. |
| BACKUP\_ENVIRONMENT\_MODE | Backup environment mode (full or differential). |
| RESTORE\_ENVIRONMENT\_NAME | GitHub environment name used to configure restore on staging-line environments. |
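The tables above state several constraints that are easy to get wrong when an environment is populated by hand: DOMAIN must not carry a www. prefix, ACTIVATE_USERS must be false in production and staging, and the backup secrets only matter once BACKUP_HOST is defined. The POSIX shell script below is an added example and is not part of OpenCRVS or its deployment workflows. It reads each variable or secret from the process environment, takes the environment name as its only argument, and prints one line per rule that is broken. The `validate_env` function name, the argument convention, the placeholder values in the demonstration, and the rule that APPROVAL_REQUIRED=true needs a non-empty GH_APPROVERS list are assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the OpenCRVS GitHub environment values described in the
# tables above. Added example, not part of OpenCRVS: it reads each value from
# the process environment and checks only the rules the tables state.
# The environment name is passed as the single argument (an assumption of
# this example). Usage: validate_env <environment-name>
# Returns 0 when every check passes, 1 otherwise; FAILURES holds the count.

fail() {
  printf 'FAIL: %s\n' "$1"
  FAILURES=$((FAILURES + 1))
}

# require NAME: the named variable must be set and non-empty
require() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || fail "$1 is not set"
}

validate_env() {
  env_name="$1"
  FAILURES=0

  # Secrets and variables that every environment needs
  for name in ENCRYPTION_KEY ELASTICSEARCH_SUPERUSER_PASSWORD \
              MONGODB_ADMIN_USER MONGODB_ADMIN_PASSWORD \
              MINIO_ROOT_USER MINIO_ROOT_PASSWORD DOMAIN; do
    require "$name"
  done

  # DOMAIN is the bare host name: no www. prefix, no scheme, no path
  case "${DOMAIN:-}" in
    www.*|*://*|*/*) fail "DOMAIN must be a bare host name without www., got '$DOMAIN'" ;;
  esac

  # ACTIVATE_USERS seeds users with a test password and an all-zero 2FA code,
  # so production and staging must set it explicitly to false
  case "$env_name" in
    production|staging)
      [ "${ACTIVATE_USERS:-}" = "false" ] || fail "ACTIVATE_USERS must be false in $env_name" ;;
  esac

  # SMTP_SECURE is a boolean flag; leaving it unset is accepted here
  case "${SMTP_SECURE:-false}" in
    true|false) ;;
    *) fail "SMTP_SECURE must be true or false" ;;
  esac

  # Assumption of this example: requiring approval without any approver
  # configured would block every deployment, so flag that combination
  if [ "${APPROVAL_REQUIRED:-false}" = "true" ] && [ -z "${GH_APPROVERS:-}" ]; then
    fail "APPROVAL_REQUIRED is true but GH_APPROVERS is empty"
  fi

  # Backups are enabled by defining BACKUP_HOST; the remaining backup
  # secrets only matter, and are only checked, when it is present
  if [ -n "${BACKUP_HOST:-}" ]; then
    for name in BACKUP_SERVER_USER BACKUP_ENCRYPTION_PASSPHRASE \
                BACKUP_HOST_PUBLIC_KEY BACKUP_HOST_PRIVATE_KEY; do
      require "$name"
    done
    # the mode, when set, must be one of the two documented values
    case "${BACKUP_ENVIRONMENT_MODE:-full}" in
      full|differential) ;;
      *) fail "BACKUP_ENVIRONMENT_MODE must be full or differential" ;;
    esac
  fi

  [ "$FAILURES" -eq 0 ]
}

# Demonstration on constructed placeholder values (not real credentials):
# a production environment whose DOMAIN carries a www. prefix and which
# still has ACTIVATE_USERS switched on. Runs in a subshell so the values
# do not leak into the caller's environment.
(
  export DOMAIN=www.example.test ENCRYPTION_KEY=placeholder \
         ELASTICSEARCH_SUPERUSER_PASSWORD=placeholder \
         MONGODB_ADMIN_USER=admin MONGODB_ADMIN_PASSWORD=placeholder \
         MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=placeholder \
         ACTIVATE_USERS=true SMTP_SECURE=true
  if validate_env production; then
    echo "all checks passed"
  else
    echo "$FAILURES problem(s) found"
  fi
)
```

Run it in a shell where the environment's values have been exported (for instance from a local `.env` file that is never committed) and pass the GitHub environment name; a non-zero exit status means at least one rule from the tables is violated, and each violation is printed on its own line so the fix can be made before the deployment workflow runs.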
