= Environment Variables We try to let most of the things defined through Environment Variables, as https://12factor.net/config[12factor applications's config]. You will need to configure through your hosting provider (for example in Heroku), through a gem like `figaro` or through docker-compose `env_file`. This is an extensive list of all the Env variables supported for an application created with the default `decidim` generator (ie: `decidim my-application`). Custom applications may modify or customize the default decidim initializer (`config/initializers/decidim.rb`) in such a a way that this will have no effect. Finally, take into account that there are some config variables not available as Env vars, this is because it is not enough to set them in order to make that particular feature to work, it requires the user to add some custom code (usually a service class that acts a wrapper for an external API). These are the case for initializers such as `sms_gateway_service`, `timestamp_service`, `pdf_signature_service` or `machine_translation_service`. For more information about these extra services check the xref:configure:initializer.adoc[Initializer documentation]. The next tables show all the default Env Vars available when running a default Decidim application (note that customized Decidim apps might differ). The ones marked in *bold* are the minimal required to run a production server. The ones marked as _italic_ are only required for development. .Required Decidim Env Vars [%autowidth.stretch] |=== |Name |Value |Default value|Multitenant's System configurable |_DATABASE_HOST_ |Hostname for the Postgres database. |localhost |No |_DATABASE_PASSWORD_ |Password for the Postgres database | |No |_DATABASE_PORT_ |Port for the Postgres database. |5432 |No |_DATABASE_USERNAME_ |Username for the Postgres database. Note that database name is autogenerated in development mode thus there is no config var here. | |No |*DATABASE_URL* |For production environments database needs to be defined as a string following the scheme: `postgres://USERNAME:PASSWORD@HOST/DATABASE_NAME`` | |No |*RAILS_ENV* |Environment for Ruby on Rails. If it is on your local machine for development, then it should be `development`. If it is on server it should be `production`. Please take care that this has security implications. You DO NOT want to be running a production application on development mode. |development |No |*SECRET_KEY_BASE* |Secret key base for the Application. It is specially important that this is kept secret from the outside word; do NOT publish it on GitHub/GitLab/BitBucket. | |No |*SMTP_ADDRESS* |Hostname for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] | |*Yes* |*SMTP_DOMAIN* |Domain for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] | |*Yes* |*SMTP_PASSWORD* |Password for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] | |*Yes* |*SMTP_USERNAME* |Username for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] | |*Yes* |*DECIDIM_APPLICATION_NAME* |Default name (shown in the browser's title status and search engines) for the Decidim instance. |My Application Name |*Yes* |*DECIDIM_MAILER_SENDER* |Default Reply email for any email sent (transactional or newsletters). |change-me@example.org |*Yes* |SMTP_PORT |Port for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] |587 |*Yes* |SMTP_STARTTLS_AUTO |Automatically use STARTTLS protocol for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] |true |*Yes* |SMTP_AUTHENTICATION |Type of authentication for the SMTP server, for sending emails. See xref:services:smtp.adoc[SMTP] |plain |*Yes* |QUEUE_ADAPTER |Use this var to establish the https://guides.rubyonrails.org/active_job_basics.html#backends[backend used to process jobs] in your application. *Note that every backend requires some additional configuration steps.* *Also take into account that the default value (async) is not suitable for production environments* Common values are `sidekiq` and `delayed_job`. If you decide to use `sidekiq`, you can easily generate the additional required files with the `--queue` option in the `decidim` generator (delayed_job is not supported yet, but you can easily follow the official instructions). - Check the https://github.com/collectiveidea/delayed_job[Delayed Job info] - Check the https://github.com/mperham/sidekiq/wiki[Sidekiq info] |async |No |SIDEKIQ_CONCURRENCY |If you are using `sidekiq` as your job processor backend. You can use this var to tune the number of concurrent sidekiq processes running in parallel (this only applies if you are using the default `config/sidekiq.yml` file generated by the `decidim` generator). *Note that each process consumes a database connection. You need to be sure you infrastructure is properly configured not to exceed the concurrent number of connections that your database supports.* For this matter, check also the RAILS_MAX_THREADS param if you are using Puma. |5 |No |=== If you want to use a cloud provider to storage user uploads. this can be done via next extra configuration variables. Different providers require extra gems to be specified in your Gemfile. You can generate a new application with the appropriated gems with the command `decidim --storage=[provider] my-application`. .Optional Decidim Env Vars for cloud storage settings [%autowidth.stretch] |=== |Name |Value |Default value|Multitenant's System configurable |STORAGE_PROVIDER |Which storage provider is going to be used for the application, provides support for the most popular options. Options are `local`, `s3` (compatible with any AWS-S3 service provider), `azure` (for Microsoft Cloud Storage), `gcs` (Google Cloud Services). *If this setting is set to any other value than `local`, and additional gem for the specified service must be installed in the Gemfile of your application*. See https://edgeguides.rubyonrails.org/active_storage_overview.html#setup[the official Rails guide] for details. |local |No |STORAGE_CDN_HOST |If you are using a cloud provider, having a CDN on top of it is probably a good idea. For instance, using a CloudFront distribution on top of a S3 configuration. But other services can be used as well (you can use https://cloudflare.com[CloudFlare] for free with excellent results). Set the protocol, host and path to your CDN and all the user-generated files (through Active Storage) will be prefixed with this instead of serving files directly from the same domain of your application. *Note that this is not the same as the RAILS_ASSET_HOST var. This other variable is used for static, compiled assets while STORAGE_CDN_HOST is for files dynamically generated within the application by users or admins.* | |No |*AWS_ACCESS_KEY_ID* |If STORAGE_PROVIDER is set to `s3`, define here your AWS KEY ID with permissions to access the bucket for the application. Also, be sure to add the line `gem "aws-sdk-s3", require: false` in your Gemfile. | |No |*AWS_SECRET_ACCESS_KEY* |If STORAGE_PROVIDER is set to `s3`, define here your AWS SECRET KEY with permissions to access the bucket for the application. | |No |*AWS_BUCKET* |If STORAGE_PROVIDER is set to `s3`, define here the bucket used for uploading files and images. | |No |*AWS_REGION* |If STORAGE_PROVIDER is set to `s3`, define here your region (in case your S3 provider requires it, required if `AWS_ENDPOINT` is empty). | |No |*AWS_ENDPOINT* |If STORAGE_PROVIDER is set to `s3`, define here your endpoint (this is mandatory if using any provider that is not AWS, can be empty if using AWS and `AWS_REGION` is specified). | |No |*AZURE_STORAGE_ACCESS_KEY* |If STORAGE_PROVIDER is set to `azure`, define here your AZURE ACCESS KEY with permissions to access the container for the application. Needs to be encoded in Base64. Also, be sure to add the line `gem "azure-storage-blob", require: false` in your Gemfile. | |No |*AZURE_STORAGE_ACCOUNT_NAME* |If STORAGE_PROVIDER is set to `azure`, define here your AZURE ACCOUNT NAME with permissions to access the container for the application. | |No |*AZURE_CONTAINER* |If STORAGE_PROVIDER is set to `azure`, define here your AZURE CONTAINER used for uploading files and images. | |No |*GCS_PROJECT* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD PROJECT with permissions to access the bucket for the application. Also, be sure to add the line `gem "google-cloud-storage", "~> 1.11", require: false` in your Gemfile. *GOOGLE CLOUD SERVICES require some amount of parameters. You should be able to extract them from a `keyfile.json` file.* | |No |*GCS_BUCKET* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD BUCKET used for uploading files and images. | |No |GCS_TYPE |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD SERVICE TYPE. |service_account |No |*GCS_PROJECT_ID* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD PROJECT ID. | |No |*GCS_PRIVATE_KEY_ID* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD PRIVATE KEY ID. | |No |*GCS_PRIVATE_KEY* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD PRIVATE KEY. | |No |*GCS_CLIENT_EMAIL* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD CLIENT EMAIL. | |No |*GCS_CLIENT_ID* |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD CLIENT ID. | |No |GCS_AUTH_URI |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD AUTH URI (if needed) |https://accounts.google.com/o/oauth2/auth |No |GCS_TOKEN_URI |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD TOKEN URI (if needed) |https://accounts.google.com/o/oauth2/token |No |GCS_AUTH_PROVIDER_X509_CERT_URL |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD AUTH X509 CERT URI (if needed) |https://www.googleapis.com/oauth2/v1/certs |No |GCS_CLIENT_X509_CERT_URL |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD X509 CERT URI (if needed) | |No |=== Next variables are additional services such as geolocation, etherpad and other simple integrations. Also some more refined configurations: .Optional Decidim Env Vars for external services integrations [%autowidth.stretch] |=== |Name |Value |Default value|Multitenant's System configurable |MAPS_PROVIDER |For a simple geolocation and tile maps service configuration define this value to one of the supported providers, currently `here` for https://HERE.com[HERE Maps] or `osm` for https://www.openstreetmap.org[OpenStreatMap]. See xref:services:maps.adoc[Maps]. | |No |MAPS_API_KEY |For a simple geolocation and tile maps service configuration define this value in case the provider needs it (if you are using Here Maps, you will need an API key). See xref:services:maps.adoc[Maps]. *Note that if you are using the `here` service you do not need to do anything else. If using `osm` however check the rest of env vars related to maps for a proper configuration* | |No |MAPS_DYNAMIC_URL |If you are using a `osm` as a provider, you need to define this variable. Keep in mind that OpenStreetMap cannot be used directly due its non-commercial license in many cases. See xref:services:maps.adoc[Maps]. *You need to define this variable if using `osm` as a provider, usually the URL goes in the form of `https://tile.openstreetmap.org/\{z}/\{x}/\{y}.png?key=\{apiKey}&\{foo}`* | |No |MAPS_STATIC_URL |If you are using a `osm` as a provider, you need to define this variable. Keep in mind that OpenStreetMap cannot be used directly due its non-commercial license in many cases. See xref:services:maps.adoc[Maps]. *You need to define this variable if using `osm` as a provider, usually the URL goes in the form of `http://staticmap.openstreetmap.de/`* |https://image.maps.ls.hereapi.com/mia/1.6/mapview (only if using Here Maps) |No |MAPS_ATTRIBUTION |If you are using a `osm` as a provider, you need to define this variable. OpenStreeMap requires you to show the credits and that is what this does. See xref:services:maps.adoc[Maps]. *You need to define this variable if using `osm` as a provider, the next text is a pretty common value: `© OpenStreetMap contributors`* | |No |MAPS_EXTRA_VARS |Some providers may require you to send additional variables in the dynamic tile request (custom api keys, secrets, etc). Use this to do that, you can define as many pairs of "variable"/"value" in a URL-encoded string. See xref:services:maps.adoc[Maps]. *Note that to defined this variable might not be necessary in most cases, if you do it must look something like `api_key=true&foo=bar%3Dbaz`* | |No |MAPS_GEOCODING_HOST |If you are using a `osm` as a provider, you need to define this variable to define the geocoder service to to translate addresses into latitude/longitude coordinates. See xref:services:maps.adoc[Maps]. *You need to define this variable if using `osm` as a provider, usually the URL goes in the form of `https://nominatim.openstreetmap.org`* | |No |MAPS_DYNAMIC_PROVIDER |For advanced cases, you can define this value instead or in combination of MAPS_PROVIDER (which will be the default). This allows to set up different providers for the static tile provider than the dynamic. See xref:services:maps.adoc[Maps]. *Note that you do not need to define this variable for the most common, simple, one provider cases.* | |No |MAPS_STATIC_PROVIDER |For advanced cases, you can define this value instead or in combination of MAPS_PROVIDER (which will be the default). This allows to set up different providers for the static tile provider than the dynamic. See xref:services:maps.adoc[Maps]. *Note that you do not need to define this variable for the most common, simple, one provider cases.* | |No |MAPS_STATIC_API_KEY |For advanced cases, you can define this value instead or in combination of MAPS_API_KEY (which will be the default). This allows to set up different providers for the static tile provider than the dynamic requiring different API KEYS. See xref:services:maps.adoc[Maps]. *Note that you do not need to define this variable for the most common, simple, one provider cases.* | |No |MAPS_DYNAMIC_API_KEY |For advanced cases, you can define this value instead or in combination of MAPS_API_KEY (which will be the default). This allows to set up different providers for the static tile provider than the dynamic requiring different API KEYS. See xref:services:maps.adoc[Maps]. *Note that you do not need to define this variable for the most common, simple, one provider cases.* | |No |ETHERPAD_SERVER |URL for an https://etherpad.org/[Etherpad.org] server to integrate in Decidim for collaborative, real time writing events. See xref:services:etherpad.adoc[Etherpad]. | |No |ETHERPAD_API_KEY |API key for communicating with the Etherpad server. See xref:services:etherpad.adoc[Etherpad]. | |No |ETHERPAD_API_VERSION |Etherpad API version, this is unlikely to be needed to be changed. See xref:services:etherpad.adoc[Etherpad]. |1.2.1 |No |OMNIAUTH_FACEBOOK_APP_ID |App ID for enabling access through Facebook.com accounts. See xref:services:social_providers.adoc[Social Providers]. Note that defining this variable automatically renders the "login with" button. | |*Yes* |OMNIAUTH_FACEBOOK_APP_SECRET |App Secret for enabling access through Facebook.com accounts. See xref:services:social_providers.adoc[Social Providers]. | |*Yes* |OMNIAUTH_GOOGLE_CLIENT_ID |Client ID for enabling access through Google.com accounts. See xref:services:social_providers.adoc[Social Providers]. | |*Yes* |OMNIAUTH_GOOGLE_CLIENT_SECRET |Client Secret for enabling access through Google.com accounts. See xref:services:social_providers.adoc[Social Providers]. | |*Yes* |OMNIAUTH_TWITTER_API_KEY |API Key for enabling access through Twitter.com accounts. See xref:services:social_providers.adoc[Social Providers]. | |*Yes* |OMNIAUTH_TWITTER_API_SECRET |API Secret for enabling access through Twitter.com accounts. See xref:services:social_providers.adoc[Social Providers]. | |*Yes* |BULLETIN_BOARD_SERVER |The full URL to identify a https://github.com/decidim/decidim-bulletin-board[Bulletin Board Server]. *It must point to the Graphql API* (ie: https://bulletinboard.example.org/api) See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |BULLETIN_BOARD_PUBLIC_KEY |The public RSA key used to verify the Bulletin Board Server. See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |BULLETIN_BOARD_API_KEY |An additional API key to add additional security with the communications with the Elections Bulletin Board Server. See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |AUTHORITY_NAME |The name of the Authority registered in the Bulletin Board Server corresponding to this Decidim instance. See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |AUTHORITY_PRIVATE_KEY |The private RSA key of this Decidim instance corresponding to the Authority public key registered in the Bulletin Board Server. See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |ELECTIONS_SCHEME_NAME |The type of strategy used in the Bulletin Board Server used for encrypting the Election. *Currently only `electionguard` is available for production* See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. |electionguard |No |ELECTIONS_NUMBER_OF_TRUSTEES |Number of trustees for `electionguard` election scheme, minimum number is 2. See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |ELECTIONS_QUORUM |Number of trustees required to be present in order to decrypt an election in case of the `electionguard` scheme. Minimum is 2, maximum the number of trustees. See xref:services:elections_bulletin_board.adoc[Elections Bulletin Board]. | |No |ELECTIONS_SETUP_MINIMUM_HOURS_BEFORE_START |Public Setting that defines how many hours should the setup be run before the election starts |3 |No |ELECTIONS_START_VOTE_MAXIMUM_HOURS_BEFORE_START |Public Setting that defines how many hours the ballot box can be opened before the election starts |6 |No |ELECTIONS_VOTER_TOKEN_EXPIRATION_MINUTES |How long any time of message sent to the bulletin board will be valid for any kind of processing. |120 |No |VOTINGS_CHECK_CENSUS_MAX_REQUESTS |Max requests in a time period to check the census. Only applied in production and test. |5 |No |VOTINGS_THROTTLING_PERIOD |Time window in which the VOTINGS_CHECK_CENSUS_MAX_REQUESTS throttling is applied (in minutes). |1 |No |VOTINGS_CENSUS_ACCESS_CODES_EXPORT_EXPIRY_TIME |How long the census access codes export file will are available in the server (in days) |2 |No |VAPID_PUBLIC_KEY |VAPID public key that will be used to sign the Push API requests. It can be generated running the task: `rails decidim:pwa:generate_vapid_keys` | |No |VAPID_PRIVATE_KEY |VAPID private key that will be used to sign the Push API requests. It can be generated running the task: `rails decidim:pwa:generate_vapid_keys` | |No |=== .Additional Optional Decidim Env Vars for the setting up the application [%autowidth.stretch] |=== |Name |Value |Default value|Multitenant's System configurable |DECIDIM_AVAILABLE_LOCALES |a list of, coma separated, locales that will be available for each organization configured in the System configuration. Check for the https://github.com/decidim/decidim/blob/3d4ec74bdce406e2ee6934b830d3c06398ab72c0/decidim-core/lib/decidim/core.rb#L166[Supported values] in ISO639 format. *Be careful while setting up this value, you can easily shoot yourself in the food as Decidim will crash if one of the languages is not supported* |ca, cs, de, en, es, eu, fi, fr, it, ja, nl, pl, pt, ro |*Partially*, Only when creating a new organization the admin needs to choose between these values |DECIDIM_DEFAULT_LOCALE |The default locale to be used as a fallback (note that, in practice, this value must always be defined in the System configuration for each organization anyway). *Note that `DECIDIM_AVALABLE_LOCALES` must include this value* |en |*Partially*, Only when creating a new organization |DECIDIM_FORCE_SSL |By default, Decidim enforces a SSL connection (https), sometimes it is necessary to disable it in order to handle this through a proxy system (note that use Decidim without SSL at all is NOT RECOMMENDED). This value can take 3 values: `auto`: Will be `true` for Rails Production or Staging environments and `false` for development or test. If undefined, defaults to this value. `true`: Will redirect to HTTPS always `false`: Will not redirect to HTTPS |auto |No |DECIDIM_ENABLE_HTML_HEADER_SNIPPETS |Set to `true` in order to allow administrators to define an arbitrary custom HTML code in the `
` section any Decidim page. The most common use is to integrate third-party services that require some extra JavaScript or CSS. Also, you can use it to add extra meta tags to the HTML. Note that this will only be rendered in public pages, not in the admin section. Before enabling this you should ensure that any tracking that might be done is in accordance with the rules and regulations that apply to your environment and usage scenarios. This component also comes with the risk that an organization's administrator injects malicious scripts to spy on or take over user accounts. | |No |DECIDIM_CURRENCY_UNIT |Currency unit is used in view showing monetary actions, such as budgets. It does not affect any internal calculations. |€ |No |DECIDIM_CORS_ENABLED |The SVG do not support CORS. When using custom asset host different than root url, set this value to `true`, in order to activate the available workaround. |false |No |DECIDIM_IMAGE_UPLOADER_QUALITY |Defines the quality of image uploads after processing. Image uploads are processed by Decidim, this value helps reduce the size of the files. |80 |No |DECIDIM_MAXIMUM_ATTACHMENT_SIZE |The maximum file size of an attachment (in Megabytes). Mind that this depends on your environment, for instance you could also need to change your web server configuration (nginx, apache, etc). |10 |*Yes* |DECIDIM_MAXIMUM_AVATAR_SIZE |The maximum file size for a user avatar (in Megabytes). Mind that this depends on your environment, for instance you could also need to change your web server configuration (nginx, apache, etc). |5 |*Yes* |DECIDIM_MAX_REPORTS_BEFORE_HIDING |The number of reports which a resource can receive before hiding it. This affects moderations for resources such as proposals or users (spammers). |3 |No |DECIDIM_TRACK_NEWSLETTER_LINKS |Allow organizations admins to track newsletter links, trough UTMs. See https://en.wikipedia.org/wiki/UTM_parameters[UTM parameters in Wikipedia]. Set it to `true` or `false`, if undefined defaults to `true`. |true |No |DECIDIM_DOWNLOAD_YOUR_DATA_EXPIRY_TIME |Number of days that the download your data files will be available in the server. |7 |No |DECIDIM_THROTTLING_MAX_REQUESTS |Max requests in a time period to prevent DoS attacks. Only applied on production. Note that this is used by the Gem https://github.com/rack/rack-attack#throttlename-options-block[Rack::Attack] and blocks are based on the detected remote IP. Different proxy configurations (such as load balancers) may affect this, we recommend to read the documentation for this gem. |100 |No |DECIDIM_THROTTLING_PERIOD |Time window (in number of minutes) in which the throttling is applied. |1 |No |DECIDIM_UNCONFIRMED_ACCESS_FOR |Time window (in number of days) were users can access the website even if their email is not confirmed. |0 |No |DECIDIM_SYSTEM_ACCESSLIST_IPS |For extra security, restrict access to the system part with an authorized ip list. You can use a single ip like ``, or an ip subnet like `` You may specify multiple ip in an array, separating by commas, such as `,` | |No |DECIDIM_BASE_UPLOADS_PATH |A base path for the uploads. If set, make sure it ends in a slash. Uploads will be set to `