Skip to main content

Environment Variables

This document lists all environment variables used by the application, organized by service.

Infrastructure Management

Environment variables are managed through Terraform and SOPS-encrypted files:

FilePurpose
infra/heroku.tfNon-sensitive config vars
infra/ga-reports-common.envSecrets shared across all environments
infra/ga-reports.envProduction-only secrets
infra/ga-reports-staging.envStaging-only secrets

Core Application

VariableDescriptionSource
SECRET_KEY_BASERails secret key for sessions and attr_encryptedSOPS (env-specific)
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEYActive Record encryption primary keyTerraform random password (env-specific)
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEYActive Record encryption deterministic keyTerraform random password (env-specific)
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALTActive Record encryption key derivation saltTerraform random password (env-specific)
DATABASE_URLPostgreSQL connection stringHeroku addon
REDIS_URLRedis connection stringHeroku addon
REDIS_TIMEOUTRedis connect/read/write timeout in seconds (default: 3)Optional
MEMCACHIER_SERVERSMemcached servers for the production cache storeHeroku addon (MemCachier)
MEMCACHIER_USERNAMEMemcached usernameHeroku addon (MemCachier)
MEMCACHIER_PASSWORDMemcached passwordHeroku addon (MemCachier)
LOG_LEVELApplication log levelTerraform (common)
RAILS_SERVE_STATIC_FILESServe static files from RailsTerraform (common)

Payment Processing

Stripe

VariableDescriptionSource
STRIPE_PUBLISHABLE_KEYStripe public key for frontendSOPS (env-specific)
STRIPE_SECRET_KEYStripe API secret keySOPS (env-specific)
STRIPE_WEBHOOK_SECRET_V2Webhook signing secretSOPS (env-specific)
STRIPE_API_VERSIONPinned Stripe API version (default: 2019-03-14)Optional

PayPal

VariableDescriptionSource
PAYPAL_ACCOUNTDefault PayPal receiver emailTerraform (env-specific)
PAYPAL_ACCOUNT_SISlovenian PayPal accountTerraform (env-specific)

Donations Module

VariableDescriptionSource
DONATIONS_HOSTHostname for donations emailsTerraform (env-specific)
DONATIONS_PROPERTYGoogle Analytics property IDTerraform (env-specific)
DONATIONS_SUBDOMAINSubdomain routing constraint for the donations module (default: subscriptions)Terraform (staging only)

External Services

AWS (S3 Storage)

VariableDescriptionSource
AWS_REGIONAWS regionSOPS (common)
AWS_ACCESS_KEY_IDAWS access keySOPS (common)
AWS_SECRET_ACCESS_KEYAWS secret keySOPS (common)
VariableDescriptionSource
ALGOLIA_APPLICATION_IDAlgolia application IDTerraform (env-specific)
ALGOLIA_API_KEYAlgolia admin API keySOPS (env-specific)
ALGOLIA_SEARCH_ONLY_API_KEYAlgolia search-only keySOPS (common)

SendGrid (Email)

VariableDescriptionSource
SENDGRID_API_KEYSendGrid API keySOPS (env-specific)
SENDGRID_PASSWORDSendGrid SMTP passwordSOPS (production)
SENDGRID_USERNAMESendGrid SMTP username (always "apikey")Terraform (common)
EMAIL_SENDERDefault sender email addressTerraform (common)

OneSignal (Push Notifications)

VariableDescriptionSource
ONE_SIGNAL_ORG_KEYOneSignal organization API key (used by OrgAPI to list apps and provision v2 keys)SOPS (common)

Slack

VariableDescriptionSource
SLACK_CAMPAIGNS_WEBHOOKWebhook for campaign notificationsSOPS (common)

Open Exchange Rates

VariableDescriptionSource
OXR_API_KEYOpen Exchange Rates API keySOPS (common)

Magnificat

VariableDescriptionSource
MAGNIFICAT_URLMagnificat webservice URLTerraform (common)

Dailymotion (production only)

VariableDescriptionSource
DAILYMOTION_CLIENT_IDDailymotion API client IDSOPS (production)
DAILYMOTION_CLIENT_SECRETDailymotion API client secretSOPS (production)

IP Info

VariableDescriptionSource
IP_INFO_TOKENIP geolocation API tokenSOPS (common)

Authentication

Google OAuth

VariableDescriptionSource
GOOGLE_OAUTH_CLIENT_IDGoogle OAuth client IDSOPS (common)
GOOGLE_OAUTH_CLIENT_SECRETGoogle OAuth client secretSOPS (common)

Facebook

Used only by FacebookScrapeJob to force Open Graph re-scrapes of published articles via the Graph API. There is no Facebook login. The Meta app can stay in development mode: app-token scrape calls work without a live review.

VariableDescriptionSource
FACEBOOK_APP_IDFacebook application IDSOPS (env-specific)
FACEBOOK_APP_SECRETFacebook application secretSOPS (env-specific)

TikTok

VariableDescriptionSource
TIKTOK_CLIENT_KEYTikTok client keySOPS (common)
TIKTOK_CLIENT_SECRETTikTok client secretSOPS (common)

Firebase

VariableDescriptionSource
GOOGLE_APPLICATION_CREDENTIALSFirebase service account JSONTerraform (env-specific)
FIREBASE_CONTINUE_URLOAuth redirect URLTerraform (env-specific)

WordPress Integration

VariableDescriptionSource
WP_PRE_SHARED_KEYPre-shared key for JWT auth (falls back to secret_key_base)SOPS (common)
WORDPRESS_USERNAMEWordPress API usernameSOPS (common)
WORDPRESS_PASSWORDWordPress API passwordSOPS (env-specific)
WORDPRESS_USE_PRODUCTIONForce production WordPress backends outside production (staging backends are used by default in dev/staging)Optional
PRAYER_POST_UPDATESEnable updating already-published prayer posts (default: true)Optional

Monitoring

Rollbar

VariableDescriptionSource
ROLLBAR_ACCESS_TOKENServer-side access tokenSOPS (common)
ROLLBAR_CLIENT_TOKENClient-side access tokenSOPS (common)
ROLLBAR_ENVEnvironment nameTerraform (staging)

Datadog

VariableDescriptionSource
DD_API_KEYDatadog API keySOPS (common)
DD_ENVEnvironment nameTerraform (env-specific)
DD_TRACE_ENABLEDEnable APM tracingTerraform (production)
DD_SERVICEService nameTerraform (common)
DD_SITEDatadog site (datadoghq.eu)Terraform (common)

Note: Additional Datadog variables are set by the Heroku buildpack.

Performance

VariableDescriptionSource
WEB_CONCURRENCYNumber of Puma workersTerraform (env-specific)
WORKER_CONCURRENCYSidekiq worker threadsTerraform (production)
RAILS_MAX_THREADSPuma threads per workerTerraform (staging)
RAILS_MIN_THREADSPuma minimum threads (default: same as RAILS_MAX_THREADS)Optional

Application Settings

VariableDescriptionSource
CORS_DOMAINAllowed CORS domainTerraform (common)
ALLOWED_SCRAPER_DOMAINDomain for scraper accessTerraform (common)
ASSETS_HOSTCDN hostname for assets (falls back to <HEROKU_APP_NAME>.herokuapp.com)Terraform (env-specific)
HEROKU_APP_NAMEHeroku app name, used as fallback for ASSETS_HOSTHeroku runtime
MAILER_HOSTHost for links in emails and download URLs (default: downloads.aleteia.org)Terraform (staging only)
PICTURES_REPORT_RECIPIENTEmail for picture reportsTerraform (production)
RACK_ATTACK_BLOCKED_IPSComma-separated list of IPs blocked at application levelOptional
RACK_ATTACK_SUBSCRIPTIONS_LIMITThrottle limit per IP per minute on POST /subscriptions (default: 5)Optional
SWAGGER_USERBasic auth username for /api-docs (default: ale)Optional
SWAGGER_PASSBasic auth password for /api-docs (default: teia)Optional

Development Variables

These are only needed for local development (see example.env):

VariableDefaultDescription
POSTGRES_HOST127.0.0.1PostgreSQL host
POSTGRES_PORT5432PostgreSQL port
POSTGRES_USERpostgresPostgreSQL user
POSTGRES_PASSWORDpostgresPostgreSQL password
PGGSSENCMODEdisableRequired on macOS to avoid Spring segfaults

Debug Toggles

Set any of these (any non-empty value) to enable verbose output while debugging:

VariableDescription
NETWORK_DEBUGHTTParty debug output for JSON API clients
OAUTH_DEBUGHTTParty debug output for Dailymotion and TikTok OAuth flows
FACEBOOK_DEBUGKoala (Facebook Graph API) debug output
AUTH_DEBUGLog level for the Avo AuthorizationService
BACKTRACEShow full unsilenced backtraces

Deprecated Variables

The following variables have been removed and should be unset from Heroku:

VariableReason
CLOUDINARY_CLOUD_NAMECloudinary integration removed
CLOUDINARY_API_KEYCloudinary integration removed
CLOUDINARY_API_SECRETCloudinary integration removed
GENDER_API_KEYGender API integration removed
LOCALEAPP_KEYLocaleApp integration removed
NEW_RELIC_LICENSE_KEYNew Relic agent disabled
NEW_RELIC_DISTRIBUTED_TRACING_ENABLEDNew Relic agent disabled
NEW_RELIC_LOGNew Relic agent disabled
SENDINBLUE_API_KEYSendinblue integration removed
TOPTEN_PROFILETopTen integration removed
TOPTEN_PROFILE_ALETEIATopTen integration removed
TOPTEN_PROFILE_FORHERTopTen integration removed
OPTIMIZER_CONTAINERGoogle Optimizer removed
RECAPTCHA_V3_SITE_KEYreCAPTCHA integration removed
RECAPTCHA_V3_SECRET_KEYreCAPTCHA integration removed
RECAPTCHA_SITE_KEYreCAPTCHA integration removed
RECAPTCHA_SECRET_KEYreCAPTCHA integration removed
MAILCHIMP_API_KEYMailchimp integration removed
FACEBOOK_REALTIME_VERIFY_TOKENFacebook webhook verification removed
IGNORE_SCRAPE_ERRORSFlag removed — Facebook scrape errors are now always swallowed
SIDEKIQ_USERNAMESidekiq Web UI auth removed
SIDEKIQ_PASSWORDSidekiq Web UI auth removed
RAILS_MASTER_KEYRails encrypted credentials no longer used — all secrets come from environment variables
ONE_SIGNAL_APP_IDOneSignal v1 client removed — only ONE_SIGNAL_ORG_KEY is read
ONE_SIGNAL_REST_KEYOneSignal v1 client removed — only ONE_SIGNAL_ORG_KEY is read
ONE_SIGNAL_USER_KEYOneSignal v1 client removed — only ONE_SIGNAL_ORG_KEY is read

Migration from Rails Secrets

As of this version, the application uses environment variables instead of config/secrets.yml.enc.

Key Changes

  1. All Rails.application.secrets.key! calls replaced with ENV.fetch('KEY')
  2. attr_encrypted models use Rails.application.secret_key_base.first(32) for encryption
  3. Optional secrets use ENV['KEY'] without fetch

Encryption Key Compatibility

The SECRET_KEY_BASE must remain consistent across deployments to decrypt existing attr_encrypted data. If changed, encrypted fields in the following models will become unreadable:

  • Tiktok::Account.access_token and refresh_token

Likewise, the ACTIVE_RECORD_ENCRYPTION_* keys must remain consistent to decrypt Active Record encrypted attributes (e.g. OneSignalApplication.v2_api_key).