This document lists all environment variables used by the application, organized by service.
## Infrastructure Management

Environment variables are managed through Terraform and SOPS-encrypted files:

| File | Purpose |
|---|---|
| `infra/heroku.tf` | Non-sensitive config vars |
| `infra/ga-reports-common.env` | Secrets shared across all environments |
| `infra/ga-reports.env` | Production-only secrets |
| `infra/ga-reports-staging.env` | Staging-only secrets |
## Core Application

| Variable | Description | Source |
|---|---|---|
| `SECRET_KEY_BASE` | Rails secret key for sessions and attr_encrypted | SOPS (env-specific) |
| `RAILS_MASTER_KEY` | Rails credentials master key | SOPS (production) |
| `DATABASE_URL` | PostgreSQL connection string | Heroku addon |
| `REDIS_URL` | Redis connection string | Heroku addon |
| `LOG_LEVEL` | Application log level | Terraform (common) |
| `RAILS_SERVE_STATIC_FILES` | Serve static files from Rails | Terraform (common) |
## Payment Processing

### Stripe

| Variable | Description | Source |
|---|---|---|
| `STRIPE_PUBLISHABLE_KEY` | Stripe public key for frontend | SOPS (env-specific) |
| `STRIPE_SECRET_KEY` | Stripe API secret key | SOPS (env-specific) |
| `STRIPE_WEBHOOK_SECRET_V2` | Webhook signing secret | SOPS (env-specific) |

### PayPal

| Variable | Description | Source |
|---|---|---|
| `PAYPAL_ACCOUNT` | Default PayPal receiver email | Terraform (env-specific) |
| `PAYPAL_ACCOUNT_SI` | Slovenian PayPal account | Terraform (env-specific) |
## Donations Module

| Variable | Description | Source |
|---|---|---|
| `DONATIONS_HOST` | Hostname for donations emails | Terraform (env-specific) |
| `DONATIONS_PROPERTY` | Google Analytics property ID | Terraform (env-specific) |
## reCAPTCHA

| Variable | Description | Source |
|---|---|---|
| `RECAPTCHA_SITE_KEY` | reCAPTCHA v3 site key | SOPS (common) |
| `RECAPTCHA_SECRET_KEY` | reCAPTCHA v3 secret key | SOPS (common) |
## External Services

### AWS (S3 Storage)

| Variable | Description | Source |
|---|---|---|
| `AWS_REGION` | AWS region | SOPS (common) |
| `AWS_ACCESS_KEY_ID` | AWS access key | SOPS (common) |
| `AWS_SECRET_ACCESS_KEY` | AWS secret key | SOPS (common) |

### Algolia (Search)

| Variable | Description | Source |
|---|---|---|
| `ALGOLIA_APPLICATION_ID` | Algolia application ID | Terraform (env-specific) |
| `ALGOLIA_API_KEY` | Algolia admin API key | SOPS (env-specific) |
| `ALGOLIA_SEARCH_ONLY_API_KEY` | Algolia search-only key | SOPS (common) |
### SendGrid (Email)

| Variable | Description | Source |
|---|---|---|
| `SENDGRID_API_KEY` | SendGrid API key | SOPS (env-specific) |
| `SENDGRID_PASSWORD` | SendGrid SMTP password | SOPS (production) |
| `SENDGRID_USERNAME` | SendGrid SMTP username (always `apikey`) | Terraform (common) |
| `EMAIL_SENDER` | Default sender email address | Terraform (common) |

### OneSignal (Push Notifications)

| Variable | Description | Source |
|---|---|---|
| `ONE_SIGNAL_APP_ID` | OneSignal application ID | SOPS (common) |
| `ONE_SIGNAL_REST_KEY` | OneSignal REST API key | SOPS (env-specific) |
| `ONE_SIGNAL_USER_KEY` | OneSignal user key | SOPS (env-specific) |
### Slack

| Variable | Description | Source |
|---|---|---|
| `SLACK_CAMPAIGNS_WEBHOOK` | Webhook for campaign notifications | SOPS (common) |

### Open Exchange Rates

| Variable | Description | Source |
|---|---|---|
| `OXR_API_KEY` | Open Exchange Rates API key | SOPS (common) |

### Magnificat

| Variable | Description | Source |
|---|---|---|
| `MAGNIFICAT_URL` | Magnificat webservice URL | Terraform (common) |
### Dailymotion (production only)

| Variable | Description | Source |
|---|---|---|
| `DAILYMOTION_CLIENT_ID` | Dailymotion API client ID | SOPS (production) |
| `DAILYMOTION_CLIENT_SECRET` | Dailymotion API client secret | SOPS (production) |

### IP Info

| Variable | Description | Source |
|---|---|---|
| `IP_INFO_TOKEN` | IP geolocation API token | SOPS (common) |
## Authentication

### Google OAuth

| Variable | Description | Source |
|---|---|---|
| `GOOGLE_OAUTH_CLIENT_ID` | Google OAuth client ID | SOPS (common) |
| `GOOGLE_OAUTH_CLIENT_SECRET` | Google OAuth client secret | SOPS (common) |

### Facebook

| Variable | Description | Source |
|---|---|---|
| `FACEBOOK_APP_ID` | Facebook application ID | SOPS (env-specific) |
| `FACEBOOK_APP_SECRET` | Facebook application secret | SOPS (env-specific) |

### TikTok

| Variable | Description | Source |
|---|---|---|
| `TIKTOK_CLIENT_KEY` | TikTok client key | SOPS (common) |
| `TIKTOK_CLIENT_SECRET` | TikTok client secret | SOPS (common) |

### Firebase

| Variable | Description | Source |
|---|---|---|
| `GOOGLE_APPLICATION_CREDENTIALS` | Firebase service account JSON | Terraform (env-specific) |
| `FIREBASE_CONTINUE_URL` | OAuth redirect URL | Terraform (env-specific) |
## WordPress Integration

| Variable | Description | Source |
|---|---|---|
| `WP_PRE_SHARED_KEY` | Pre-shared key for JWT auth | SOPS (common) |
| `WORDPRESS_USERNAME` | WordPress API username | SOPS (common) |
| `WORDPRESS_PASSWORD` | WordPress API password | SOPS (env-specific) |
## Monitoring

### Rollbar

| Variable | Description | Source |
|---|---|---|
| `ROLLBAR_ACCESS_TOKEN` | Server-side access token | SOPS (common) |
| `ROLLBAR_CLIENT_TOKEN` | Client-side access token | SOPS (common) |
| `ROLLBAR_ENV` | Environment name | Terraform (staging) |

### Datadog

| Variable | Description | Source |
|---|---|---|
| `DD_API_KEY` | Datadog API key | SOPS (common) |
| `DD_ENV` | Environment name | Terraform (env-specific) |
| `DD_TRACE_ENABLED` | Enable APM tracing | Terraform (production) |
| `DD_SERVICE` | Service name | Terraform (common) |
| `DD_SITE` | Datadog site (`datadoghq.eu`) | Terraform (common) |
Note: Additional Datadog variables are set by the Heroku buildpack.

| Variable | Description | Source |
|---|---|---|
| `WEB_CONCURRENCY` | Number of Puma workers | Terraform (env-specific) |
| `WORKER_CONCURRENCY` | Sidekiq worker threads | Terraform (production) |
| `RAILS_MAX_THREADS` | Puma threads per worker | Terraform (staging) |
## Application Settings

| Variable | Description | Source |
|---|---|---|
| `CORS_DOMAIN` | Allowed CORS domain | Terraform (common) |
| `ALLOWED_SCRAPER_DOMAIN` | Domain for scraper access | Terraform (common) |
| `ASSETS_HOST` | CDN hostname for assets | Terraform (env-specific) |
| `IGNORE_SCRAPE_ERRORS` | Skip scraper errors | Terraform (production) |
| `PICTURES_REPORT_RECIPIENT` | Email for picture reports | Terraform (production) |
## Development Variables

These are only needed for local development (see `example.env`):

| Variable | Default | Description |
|---|---|---|
| `POSTGRES_HOST` | `127.0.0.1` | PostgreSQL host |
| `POSTGRES_PORT` | `5432` | PostgreSQL port |
| `POSTGRES_USER` | `postgres` | PostgreSQL user |
| `POSTGRES_PASSWORD` | `postgres` | PostgreSQL password |
| `PGGSSENCMODE` | `disable` | Required on macOS to avoid Spring segfaults |
## Deprecated Variables

The following variables have been removed and should be unset from Heroku:

| Variable | Reason |
|---|---|
| `CLOUDINARY_CLOUD_NAME` | Cloudinary integration removed |
| `CLOUDINARY_API_KEY` | Cloudinary integration removed |
| `CLOUDINARY_API_SECRET` | Cloudinary integration removed |
| `GENDER_API_KEY` | Gender API integration removed |
| `LOCALEAPP_KEY` | LocaleApp integration removed |
| `NEW_RELIC_LICENSE_KEY` | New Relic agent disabled |
| `NEW_RELIC_DISTRIBUTED_TRACING_ENABLED` | New Relic agent disabled |
| `NEW_RELIC_LOG` | New Relic agent disabled |
| `SENDINBLUE_API_KEY` | Sendinblue integration removed |
| `TOPTEN_PROFILE` | TopTen integration removed |
| `TOPTEN_PROFILE_ALETEIA` | TopTen integration removed |
| `TOPTEN_PROFILE_FORHER` | TopTen integration removed |
| `OPTIMIZER_CONTAINER` | Google Optimizer removed |
| `RECAPTCHA_V3_SITE_KEY` | Consolidated into `RECAPTCHA_SITE_KEY` |
| `RECAPTCHA_V3_SECRET_KEY` | Consolidated into `RECAPTCHA_SECRET_KEY` |
| `MAILCHIMP_API_KEY` | Mailchimp integration removed |
| `FACEBOOK_REALTIME_VERIFY_TOKEN` | Facebook webhook verification removed |
| `SIDEKIQ_USERNAME` | Sidekiq Web UI auth removed |
| `SIDEKIQ_PASSWORD` | Sidekiq Web UI auth removed |
## Migration from Rails Secrets

As of this version, the application uses environment variables instead of `config/secrets.yml.enc`.

### Key Changes

- All `Rails.application.secrets.key!` calls replaced with `ENV.fetch('KEY')`
- attr_encrypted models use `Rails.application.secret_key_base.first(32)` for encryption
- Optional secrets use `ENV['KEY']` without `fetch`

### Encryption Key Compatibility

The `SECRET_KEY_BASE` must remain consistent across deployments to decrypt existing attr_encrypted data. If changed, encrypted fields in the following models will become unreadable:

- `User.long_lived_facebook_token`
- `Tiktok::Account.access_token` and `refresh_token`
- `OneSignalApplication.basic_auth_key`
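To make that compatibility requirement concrete, here is an added Ruby example (not the application's own code) that models attr_encrypted with plain OpenSSL, assuming the gem's default aes-256-gcm mode, derives the key from the first 32 bytes of a constructed `SECRET_KEY_BASE` exactly as the note above describes, and exposes a check that a candidate key base can still read a known encrypted record before it is deployed.

```ruby
require 'openssl'

# attr_encrypted's default mode (assumed here) is aes-256-gcm, which needs exactly a
# 32-byte key; the app uses Rails.application.secret_key_base.first(32) as that key.
# The wrapping below is a plain-OpenSSL model of that behaviour, not the gem's code,
# and every key base value used is constructed for the demonstration.
ALGORITHM = 'aes-256-gcm'.freeze
KEY_BYTES = 32

# Mirrors secret_key_base.first(32): only the leading 32 bytes ever reach the cipher.
def derive_attr_encrypted_key(secret_key_base)
  key = secret_key_base.to_s.byteslice(0, KEY_BYTES)
  raise ArgumentError, 'SECRET_KEY_BASE must be at least 32 bytes' if key.bytesize < KEY_BYTES
  key
end

# Encrypt one attribute value; returns the parts that get persisted (ciphertext, iv, tag).
def encrypt_attribute(secret_key_base, plaintext)
  cipher = OpenSSL::Cipher.new(ALGORITHM).encrypt
  cipher.key = derive_attr_encrypted_key(secret_key_base)
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { ciphertext: ciphertext, iv: iv, tag: cipher.auth_tag }
end

# Decrypt with the key derived from the given SECRET_KEY_BASE. Returns nil when the GCM
# tag check fails, which is exactly what happens after an uncoordinated key rotation.
def decrypt_attribute(secret_key_base, record)
  cipher = OpenSSL::Cipher.new(ALGORITHM).decrypt
  cipher.key = derive_attr_encrypted_key(secret_key_base)
  cipher.iv = record[:iv]
  cipher.auth_tag = record[:tag]
  cipher.update(record[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Pre-deploy check: can the SECRET_KEY_BASE about to be shipped still read a known
# encrypted fixture (for instance one stored User.long_lived_facebook_token)?
def secret_key_base_compatible?(candidate_secret_key_base, known_record)
  !decrypt_attribute(candidate_secret_key_base, known_record).nil?
end

if __FILE__ == $PROGRAM_NAME
  current = 'c' * 128 # constructed stand-in for the deployed key base
  rotated = 'r' * 128 # constructed stand-in for a freshly generated one
  token = encrypt_attribute(current, 'constructed-facebook-token')
  puts "same key base decrypts:    #{secret_key_base_compatible?(current, token)}" # true
  puts "rotated key base decrypts: #{secret_key_base_compatible?(rotated, token)}" # false
end
```

Because only the first 32 bytes are used, a new key base that shares that prefix with the old one keeps existing records readable, so a check like this should run against a real stored record before any `SECRET_KEY_BASE` change is promoted.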