Installation
Deployment Environment Variables
Minimal environment variables used by installation guides, with links to the full reference.
Deployment Environment Variables
This page lists the variables most operators need during installation. For the full catalog, see Environment Variables Reference.
Required core variables
| Variable | Purpose |
|---|---|
DB_URL | JDBC URL for PostgreSQL, usually jdbc:postgresql://postgres:5432/quotenode inside Docker Compose. |
DB_NAME | PostgreSQL database name. |
DB_USERNAME | PostgreSQL application user. |
DB_PASSWORD | PostgreSQL password. Use a long random value. |
DB_ENCRYPTION_KEY | 64-character hex key for application-level encryption. Back it up securely. |
TIMING_TOKEN_SECRET | HMAC secret for timing-token security checks. |
PUBLIC_LINK_PASSWORD_SESSION_SECRET | Secret for password/PIN-protected public-link sessions. |
CORS_ALLOWED_ORIGINS | Exact browser origins allowed to call the backend. |
The install guides fill these secrets with random values in your browser (the ↻ New secrets button regenerates them). To generate them yourself on Linux/macOS instead:
openssl rand -hex 32 # → DB_ENCRYPTION_KEY
openssl rand -base64 32 # → TIMING_TOKEN_SECRET
openssl rand -base64 32 # → PUBLIC_LINK_PASSWORD_SESSION_SECRET
openssl rand -base64 24 # → DB_PASSWORD
Public URL variables
| Variable | Purpose |
|---|---|
CORS_ALLOWED_ORIGINS | Must match the browser URL exactly, for example https://crm.example.com. |
NOTIFICATIONS_PUBLIC_PREFERENCES_URL | Public URL for notification preference links, for example https://crm.example.com/notifications/preferences. |
DOMAIN | Used by internal-proxy Docker Compose deployments. Coolify normally manages domains outside the app. |
SERVICE_URL_FRONTEND | Optional compatibility variable for operator templates and future deployment automation; the current Coolify compose file does not consume it directly. Keep it aligned with the frontend origin if your deployment uses it. |
Email variables
| Variable | Purpose |
|---|---|
SMTP_HOST | SMTP server hostname. |
SMTP_PORT | SMTP port, usually 587. |
SMTP_USERNAME | SMTP account username. |
SMTP_PASSWORD | SMTP password or app password. |
SMTP_AUTH | Usually true for production SMTP. |
SMTP_STARTTLS | Usually true for port 587. |
NOTIFICATIONS_ENABLED | Enables notifications. |
NOTIFICATIONS_EMAIL_ENABLED | Enables email delivery for notifications. |
PDF, backup, and security variables
| Variable | Recommended beta value | Notes |
|---|---|---|
PDF_ENABLED | true | Requires Gotenberg in the stack. |
FEATURE_2FA_ENABLED | true | Enables two-factor authentication flows. |
SECURITY_BOT_DETECTION_ENABLED | true | Keeps public-link bot protections active. |
SECURITY_TRUSTED_PROXIES | empty (auto-detected) | Extra trusted reverse-proxy peers (literal IP/CIDR and/or service hostnames). Usually leave empty: the client IP is auto-detected behind internal proxies (private/loopback ranges) and CDNs such as Cloudflare (via CF-Connecting-IP). Set this only for an unusual proxy whose transport peer is a public address. Forwarded headers from a direct (non-internal) peer are always ignored. Verify the resolver mode at Admin → Security → effective state. |
SECURITY_IP_WHITELIST | empty | Optional operator IP allow-list (comma-separated IP/CIDR). When enabled it gates the full admin surface, including the login and 2FA screens. Authoritative over the in-app setting and enforced at startup (no auto-rollback — confirm your own address is covered). |
SECURITY_IP_WHITELIST_FORCE_DISABLE | false | Break-glass: set true + restart to recover from an IP-whitelist lockout (including being unable to log in). ENV-only. |
SECURITY_IP_WHITELIST_CONFIRMATION_WINDOW_SECONDS | 120 | How long an in-app whitelist enable/narrow stays pending before it auto-rolls back to the previous list if your session does not re-confirm (lockout safety). Does not apply to the env var above. |
BACKUP_ENABLED | true for production, optional for first local trial | Use with a tested restore process. |
BACKUP_CRON | 0 0 2 * * * | Daily 02:00 by default. |
GEOIP_ENABLED | false | Country-enforcement switch only — also the break-glass switch. The database loads and auto-updates independently (see GEOIP_AUTO_UPDATE), so it can be ready while enforcement is off. Set false + restart to recover from a GeoIP country lockout — this disables enforcement reliably, regardless of whether a database is present. |
SECURITY_GEOIP_ALLOWED_COUNTRIES | empty | ISO 3166-1 alpha-2 allow-list (e.g. PL,DE); uppercased and validated. Empty = no restriction. |
LOG_LEVEL | INFO for first deploy, lower later if needed | Use admin diagnostics for temporary escalation. |
Release check variables
| Variable | Purpose |
|---|---|
VITE_RELEASE_CHECK_ENABLED | Enables admin-only upstream release checks. |
VITE_RELEASE_MANIFEST_URL | Defaults to https://quotenode.dev/releases/latest.json. |
APP_VERSION | Release version or image tag. May be empty for source deployments. |
APP_CHANNEL | alpha, beta, rc, dev, or stable. |
APP_COMMIT_SHA | Commit SHA embedded in build metadata when available. |
APP_BUILD_TIME | Build timestamp. |
APP_BUILD_NUMBER | CI build number. |
APP_SOURCE_REF | Source branch or tag. |
APP_IMAGE_TAG | Image tag selected by the deployment. |
License safety
Never enable signature bypass in a real deployment:
LICENSE_SKIP_SIGNATURE_CHECK=false
Set this explicitly to false in production and beta environments. The compose file defaults to false when omitted, but real deployments should not rely on an implicit default for a license-safety control. Use true only in disposable local development environments.