This document lists all environment variables used by the application, organized by service.
Infrastructure Management
Environment variables are managed through Terraform and SOPS-encrypted files:
| File | Purpose |
|---|
infra/heroku.tf | Non-sensitive config vars |
infra/ga-reports-common.env | Secrets shared across all environments |
infra/ga-reports.env | Production-only secrets |
infra/ga-reports-staging.env | Staging-only secrets |
Core Application
| Variable | Description | Source |
|---|
SECRET_KEY_BASE | Rails secret key for sessions and attr_encrypted | SOPS (env-specific) |
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY | Active Record encryption primary key | Terraform random password (env-specific) |
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY | Active Record encryption deterministic key | Terraform random password (env-specific) |
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT | Active Record encryption key derivation salt | Terraform random password (env-specific) |
DATABASE_URL | PostgreSQL connection string | Heroku addon |
REDIS_URL | Redis connection string | Heroku addon |
REDIS_TIMEOUT | Redis connect/read/write timeout in seconds (default: 3) | Optional |
MEMCACHIER_SERVERS | Memcached servers for the production cache store | Heroku addon (MemCachier) |
MEMCACHIER_USERNAME | Memcached username | Heroku addon (MemCachier) |
MEMCACHIER_PASSWORD | Memcached password | Heroku addon (MemCachier) |
LOG_LEVEL | Application log level | Terraform (common) |
RAILS_SERVE_STATIC_FILES | Serve static files from Rails | Terraform (common) |
Payment Processing
Stripe
| Variable | Description | Source |
|---|
STRIPE_PUBLISHABLE_KEY | Stripe public key for frontend | SOPS (env-specific) |
STRIPE_SECRET_KEY | Stripe API secret key | SOPS (env-specific) |
STRIPE_WEBHOOK_SECRET_V2 | Webhook signing secret | SOPS (env-specific) |
STRIPE_API_VERSION | Pinned Stripe API version (default: 2019-03-14) | Optional |
PayPal
| Variable | Description | Source |
|---|
PAYPAL_ACCOUNT | Default PayPal receiver email | Terraform (env-specific) |
PAYPAL_ACCOUNT_SI | Slovenian PayPal account | Terraform (env-specific) |
Donations Module
| Variable | Description | Source |
|---|
DONATIONS_HOST | Hostname for donations emails | Terraform (env-specific) |
DONATIONS_PROPERTY | Google Analytics property ID | Terraform (env-specific) |
DONATIONS_SUBDOMAIN | Subdomain routing constraint for the donations module (default: subscriptions) | Terraform (staging only) |
External Services
AWS (S3 Storage)
| Variable | Description | Source |
|---|
AWS_REGION | AWS region | SOPS (common) |
AWS_ACCESS_KEY_ID | AWS access key | SOPS (common) |
AWS_SECRET_ACCESS_KEY | AWS secret key | SOPS (common) |
Algolia (Search)
| Variable | Description | Source |
|---|
ALGOLIA_APPLICATION_ID | Algolia application ID | Terraform (env-specific) |
ALGOLIA_API_KEY | Algolia admin API key | SOPS (env-specific) |
ALGOLIA_SEARCH_ONLY_API_KEY | Algolia search-only key | SOPS (common) |
SendGrid (Email)
| Variable | Description | Source |
|---|
SENDGRID_API_KEY | SendGrid API key | SOPS (env-specific) |
SENDGRID_PASSWORD | SendGrid SMTP password | SOPS (production) |
SENDGRID_USERNAME | SendGrid SMTP username (always "apikey") | Terraform (common) |
EMAIL_SENDER | Default sender email address | Terraform (common) |
OneSignal (Push Notifications)
| Variable | Description | Source |
|---|
ONE_SIGNAL_ORG_KEY | OneSignal organization API key (used by OrgAPI to list apps and provision v2 keys) | SOPS (common) |
Slack
| Variable | Description | Source |
|---|
SLACK_CAMPAIGNS_WEBHOOK | Webhook for campaign notifications | SOPS (common) |
Open Exchange Rates
| Variable | Description | Source |
|---|
OXR_API_KEY | Open Exchange Rates API key | SOPS (common) |
Magnificat
| Variable | Description | Source |
|---|
MAGNIFICAT_URL | Magnificat webservice URL | Terraform (common) |
Dailymotion (production only)
| Variable | Description | Source |
|---|
DAILYMOTION_CLIENT_ID | Dailymotion API client ID | SOPS (production) |
DAILYMOTION_CLIENT_SECRET | Dailymotion API client secret | SOPS (production) |
IP Info
| Variable | Description | Source |
|---|
IP_INFO_TOKEN | IP geolocation API token | SOPS (common) |
Authentication
Google OAuth
| Variable | Description | Source |
|---|
GOOGLE_OAUTH_CLIENT_ID | Google OAuth client ID | SOPS (common) |
GOOGLE_OAUTH_CLIENT_SECRET | Google OAuth client secret | SOPS (common) |
Facebook
Used only by FacebookScrapeJob to force Open Graph re-scrapes of published articles via the Graph API. There is no Facebook login. The Meta app can stay in development mode: app-token scrape calls work without a live review.
| Variable | Description | Source |
|---|
FACEBOOK_APP_ID | Facebook application ID | SOPS (env-specific) |
FACEBOOK_APP_SECRET | Facebook application secret | SOPS (env-specific) |
TikTok
| Variable | Description | Source |
|---|
TIKTOK_CLIENT_KEY | TikTok client key | SOPS (common) |
TIKTOK_CLIENT_SECRET | TikTok client secret | SOPS (common) |
Firebase
| Variable | Description | Source |
|---|
GOOGLE_APPLICATION_CREDENTIALS | Firebase service account JSON | Terraform (env-specific) |
FIREBASE_CONTINUE_URL | OAuth redirect URL | Terraform (env-specific) |
WordPress Integration
| Variable | Description | Source |
|---|
WP_PRE_SHARED_KEY | Pre-shared key for JWT auth (falls back to secret_key_base) | SOPS (common) |
WORDPRESS_USERNAME | WordPress API username | SOPS (common) |
WORDPRESS_PASSWORD | WordPress API password | SOPS (env-specific) |
WORDPRESS_USE_PRODUCTION | Force production WordPress backends outside production (staging backends are used by default in dev/staging) | Optional |
PRAYER_POST_UPDATES | Enable updating already-published prayer posts (default: true) | Optional |
Monitoring
Rollbar
| Variable | Description | Source |
|---|
ROLLBAR_ACCESS_TOKEN | Server-side access token | SOPS (common) |
ROLLBAR_CLIENT_TOKEN | Client-side access token | SOPS (common) |
ROLLBAR_ENV | Environment name | Terraform (staging) |
Datadog
| Variable | Description | Source |
|---|
DD_API_KEY | Datadog API key | SOPS (common) |
DD_ENV | Environment name | Terraform (env-specific) |
DD_TRACE_ENABLED | Enable APM tracing | Terraform (production) |
DD_SERVICE | Service name | Terraform (common) |
DD_SITE | Datadog site (datadoghq.eu) | Terraform (common) |
Note: Additional Datadog variables are set by the Heroku buildpack.
| Variable | Description | Source |
|---|
WEB_CONCURRENCY | Number of Puma workers | Terraform (env-specific) |
WORKER_CONCURRENCY | Sidekiq worker threads | Terraform (production) |
RAILS_MAX_THREADS | Puma threads per worker | Terraform (staging) |
RAILS_MIN_THREADS | Puma minimum threads (default: same as RAILS_MAX_THREADS) | Optional |
Application Settings
| Variable | Description | Source |
|---|
CORS_DOMAIN | Allowed CORS domain | Terraform (common) |
ALLOWED_SCRAPER_DOMAIN | Domain for scraper access | Terraform (common) |
ASSETS_HOST | CDN hostname for assets (falls back to <HEROKU_APP_NAME>.herokuapp.com) | Terraform (env-specific) |
HEROKU_APP_NAME | Heroku app name, used as fallback for ASSETS_HOST | Heroku runtime |
MAILER_HOST | Host for links in emails and download URLs (default: downloads.aleteia.org) | Terraform (staging only) |
PICTURES_REPORT_RECIPIENT | Email for picture reports | Terraform (production) |
RACK_ATTACK_BLOCKED_IPS | Comma-separated list of IPs blocked at application level | Optional |
RACK_ATTACK_SUBSCRIPTIONS_LIMIT | Throttle limit per IP per minute on POST /subscriptions (default: 5) | Optional |
SWAGGER_USER | Basic auth username for /api-docs (default: ale) | Optional |
SWAGGER_PASS | Basic auth password for /api-docs (default: teia) | Optional |
Development Variables
These are only needed for local development (see example.env):
| Variable | Default | Description |
|---|
POSTGRES_HOST | 127.0.0.1 | PostgreSQL host |
POSTGRES_PORT | 5432 | PostgreSQL port |
POSTGRES_USER | postgres | PostgreSQL user |
POSTGRES_PASSWORD | postgres | PostgreSQL password |
PGGSSENCMODE | disable | Required on macOS to avoid Spring segfaults |
Debug Toggles
Set any of these (any non-empty value) to enable verbose output while debugging:
| Variable | Description |
|---|
NETWORK_DEBUG | HTTParty debug output for JSON API clients |
OAUTH_DEBUG | HTTParty debug output for Dailymotion and TikTok OAuth flows |
FACEBOOK_DEBUG | Koala (Facebook Graph API) debug output |
AUTH_DEBUG | Log level for the Avo AuthorizationService |
BACKTRACE | Show full unsilenced backtraces |
Deprecated Variables
The following variables have been removed and should be unset from Heroku:
| Variable | Reason |
|---|
CLOUDINARY_CLOUD_NAME | Cloudinary integration removed |
CLOUDINARY_API_KEY | Cloudinary integration removed |
CLOUDINARY_API_SECRET | Cloudinary integration removed |
GENDER_API_KEY | Gender API integration removed |
LOCALEAPP_KEY | LocaleApp integration removed |
NEW_RELIC_LICENSE_KEY | New Relic agent disabled |
NEW_RELIC_DISTRIBUTED_TRACING_ENABLED | New Relic agent disabled |
NEW_RELIC_LOG | New Relic agent disabled |
SENDINBLUE_API_KEY | Sendinblue integration removed |
TOPTEN_PROFILE | TopTen integration removed |
TOPTEN_PROFILE_ALETEIA | TopTen integration removed |
TOPTEN_PROFILE_FORHER | TopTen integration removed |
OPTIMIZER_CONTAINER | Google Optimizer removed |
RECAPTCHA_V3_SITE_KEY | reCAPTCHA integration removed |
RECAPTCHA_V3_SECRET_KEY | reCAPTCHA integration removed |
RECAPTCHA_SITE_KEY | reCAPTCHA integration removed |
RECAPTCHA_SECRET_KEY | reCAPTCHA integration removed |
MAILCHIMP_API_KEY | Mailchimp integration removed |
FACEBOOK_REALTIME_VERIFY_TOKEN | Facebook webhook verification removed |
IGNORE_SCRAPE_ERRORS | Flag removed — Facebook scrape errors are now always swallowed |
SIDEKIQ_USERNAME | Sidekiq Web UI auth removed |
SIDEKIQ_PASSWORD | Sidekiq Web UI auth removed |
RAILS_MASTER_KEY | Rails encrypted credentials no longer used — all secrets come from environment variables |
ONE_SIGNAL_APP_ID | OneSignal v1 client removed — only ONE_SIGNAL_ORG_KEY is read |
ONE_SIGNAL_REST_KEY | OneSignal v1 client removed — only ONE_SIGNAL_ORG_KEY is read |
ONE_SIGNAL_USER_KEY | OneSignal v1 client removed — only ONE_SIGNAL_ORG_KEY is read |
Migration from Rails Secrets
As of this version, the application uses environment variables instead of config/secrets.yml.enc.
Key Changes
- All
Rails.application.secrets.key! calls replaced with ENV.fetch('KEY')
attr_encrypted models use Rails.application.secret_key_base.first(32) for encryption
- Optional secrets use
ENV['KEY'] without fetch
Encryption Key Compatibility
The SECRET_KEY_BASE must remain consistent across deployments to decrypt existing attr_encrypted data. If changed, encrypted fields in the following models will become unreadable:
Tiktok::Account.access_token and refresh_token
Likewise, the ACTIVE_RECORD_ENCRYPTION_* keys must remain consistent to decrypt Active Record encrypted attributes (e.g. OneSignalApplication.v2_api_key).