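# ─────────────────────────────────────────────────────────────────────────────
# FlatRender — PRODUCTION ENV_FILE template (server: 171.22.25.73, behind mirror-nginx)
#
# This is the content of the Gitea repo secret ENV_FILE.
#   https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
# The deploy job writes this verbatim to `.env`, which docker compose reads.
#
# TLS + domain routing is handled by the existing central mirror-nginx (it owns
# 80/443). FlatRender does NOT run Caddy here — it publishes host ports and
# mirror-nginx reverse-proxies the domains to them (see deploy/README.md).
#
# Fill every empty value that applies (unused payment providers may stay blank).
# Generate secrets with:  openssl rand -hex 32
# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend build).
#
# Format: one KEY=value per line, comments on their own line. Do not append a
# comment after a value; keeping comments separate avoids parser-dependent
# handling of trailing text.
#
# Handling: only this template (empty secrets) belongs in version control. The
# filled-in copy lives in the ENV_FILE secret; the `.env` written on the server
# holds every credential below and should be readable by the deploy user only.
# ─────────────────────────────────────────────────────────────────────────────

# ── Host-port binding ────────────────────────────────────────────────────────
# Internal services (postgres, render) stay on loopback. The three nginx-facing
# services publish on all interfaces so mirror-nginx can reach 171.22.25.73:PORT.
# NOTE(review): five host ports are listed below, not three — confirm which of
# them are bound with EDGE_BIND in the compose file.
# Anything bound to 0.0.0.0 is also reachable directly on 171.22.25.73:PORT over
# plain HTTP, bypassing the TLS termination at mirror-nginx, unless a host
# firewall limits those ports to mirror-nginx. Confirm such a rule exists,
# especially for the MinIO API and console ports.
HOST_BIND=127.0.0.1
EDGE_BIND=0.0.0.0

# nginx-facing host ports (must be free on 171.22.25.73 — :3000 is Gitea, avoid it).
FRONTEND_PORT=1600
GATEWAY_PORT=1605
PAY_PORT=1607
MINIO_PORT=1610
MINIO_CONSOLE_PORT=1611

# ── Browser-facing URLs (served by mirror-nginx over HTTPS; baked into frontend) ─
# NEXT_PUBLIC_* values are compiled into the frontend bundle and are visible to
# every visitor. Never put a secret in a NEXT_PUBLIC_* variable.
NEXT_PUBLIC_SITE_URL=https://flatrender.ir
NEXT_PUBLIC_API_URL=https://api.flatrender.ir/v1
NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.ir
NEXT_PUBLIC_TENANT_SLUG=flatrender
# Exact origin allowed to call the API from a browser; keep it a single HTTPS
# origin rather than a wildcard.
CORS_ORIGIN=https://flatrender.ir

# ── Core secrets ─────────────────────────────────────────────────────────────
# Use a separate random value for each key (openssl rand -hex 32); do not reuse
# one value across them. These must not be deployed empty.
# NOTE(review): confirm the services refuse to start when any of them is blank.
JWT_SECRET=
SERVICE_TOKEN=
NODE_HMAC_SECRET=
# Access-token lifetime in minutes (1440 = 24 hours). A leaked access token
# stays usable for up to this long unless the services support revocation.
# NOTE(review): confirm 24 hours is intended for production.
JWT_ACCESS_MINUTES=1440

# ── Postgres ─────────────────────────────────────────────────────────────────
POSTGRES_USER=flatrender
POSTGRES_PASSWORD=

# ── MinIO (object storage) ───────────────────────────────────────────────────
# Credentials for the object store; generate the secret key like the other
# secrets above.
MINIO_ACCESS_KEY=
MINIO_SECRET_KEY=
MINIO_BUCKET=flatrender-exports
MINIO_TEMPLATES_BUCKET=flatrender-templates
MINIO_UPLOAD_BUCKET=user-uploads
# render-svc signs presigned URLs for the public storage domain (HTTPS via nginx):
MINIO_HOST_ENDPOINT=storage.flatrender.ir
MINIO_HOST_USE_SSL=true

# ── Render farm ──────────────────────────────────────────────────────────────
# No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
# Disable rendering in Admin → فارم رندر (Render farm) → موتور رندر (Render engine)
# so users see an "unavailable" notice.
RENDER_DEV_WORKER=false
RENDER_DEV_SNAPSHOTS=false

# ── Payment broker (pay.flatrender.ir) ───────────────────────────────────────
# Standalone ZarinPal gateway shared by FlatRender + meezi.ir + bargevasat.ir.
# ZARINPAL_MERCHANT_ID below is the SHARED merchant (verified domain = pay.flatrender.ir).
PAY_PUBLIC_URL=https://pay.flatrender.ir
# Unit ZarinPal expects in `amount`: "rial" (official v4) or "toman".
# ⚠️ Your identity service historically sends Toman — confirm with one sandbox
# payment which unit YOUR merchant settles in, then set this to match.
# 1 toman = 10 rial, so a mismatch charges customers ten times too much or too little.
ZARINPAL_AMOUNT_UNIT=rial
# FlatRender's OWN plan purchases through the broker. Create a "flatrender" client
# app in Admin → پرداخت (Payments) (allowed origin https://api.flatrender.ir), then
# paste its key+secret here. Empty ⇒ identity calls ZarinPal directly (legacy).
FLATPAY_FLATRENDER_API_KEY=
FLATPAY_FLATRENDER_SECRET=
FLATPAY_RETURN_BASE=https://api.flatrender.ir

# ── Payments (fill the providers you use; leave others blank) ────────────────
# STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET are server-side secrets;
# STRIPE_PUBLISHABLE_KEY is the only Stripe value meant to be seen by browsers.
STRIPE_SECRET_KEY=
STRIPE_WEBHOOK_SECRET=
STRIPE_PUBLISHABLE_KEY=
# Shared ZarinPal merchant — used by BOTH the identity service and the pay broker.
ZARINPAL_MERCHANT_ID=
ZARINPAL_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/zarinpal
# false = live payments with real money; set true only for sandbox testing.
ZARINPAL_SANDBOX=false
SNAPPAY_CLIENT_ID=
SNAPPAY_CLIENT_SECRET=
SNAPPAY_BASE_URL=https://api.snappay.ir
SNAPPAY_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/snappay
TARA_API_KEY=
TARA_BASE_URL=https://api.tara.ir
TARA_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/tara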