Environment Variables
We try to let most of the things defined through Environment Variables, as 12factor applications’s config. You will need to configure through your hosting provider (for example in Heroku), through a gem like figaro
or through docker-compose env_file
.
This is an extensive list of all the Env variables supported for an application created with the default decidim
generator (ie: decidim my-application
). Custom applications may modify or customize the default decidim initializer (config/initializers/decidim.rb
) in such a a way that this will have no effect.
Finally, take into account that there are some config variables not available as Env vars, this is because it is not enough to set them in order to make that particular feature to work, it requires the user to add some custom code (usually a service class that acts a wrapper for an external API). These are the case for initializers such as sms_gateway_service
, timestamp_service
, pdf_signature_service
or machine_translation_service
. For more information about these extra services check the Initializer documentation.
The next tables show all the default Env Vars available when running a default Decidim application (note that customized Decidim apps might differ). The ones marked in bold are the minimal required to run a production server. The ones marked as italic are only required for development.
Name | Value | Default value | Multitenant’s System configurable |
---|---|---|---|
DATABASE_HOST |
Hostname for the Postgres database. |
localhost |
No |
DATABASE_PASSWORD |
Password for the Postgres database |
No |
|
DATABASE_PORT |
Port for the Postgres database. |
5432 |
No |
DATABASE_USERNAME |
Username for the Postgres database. Note that database name is autogenerated in development mode thus there is no config var here. |
No |
|
DATABASE_URL |
For production environments database needs to be defined as a string following the scheme: |
No |
|
RAILS_ENV |
Environment for Ruby on Rails. If it is on your local machine for development, then it should be |
development |
No |
SECRET_KEY_BASE |
Secret key base for the Application. It is specially important that this is kept secret from the outside word; do NOT publish it on GitHub/GitLab/BitBucket. |
No |
|
SMTP_ADDRESS |
Hostname for the SMTP server, for sending emails. See SMTP |
Yes |
|
SMTP_DOMAIN |
Domain for the SMTP server, for sending emails. See SMTP |
Yes |
|
SMTP_PASSWORD |
Password for the SMTP server, for sending emails. See SMTP |
Yes |
|
SMTP_USERNAME |
Username for the SMTP server, for sending emails. See SMTP |
Yes |
|
DECIDIM_APPLICATION_NAME |
Default name (shown in the browser’s title status and search engines) for the Decidim instance. |
My Application Name |
Yes |
DECIDIM_MAILER_SENDER |
Default Reply email for any email sent (transactional or newsletters). |
Yes |
|
SMTP_PORT |
Port for the SMTP server, for sending emails. See SMTP |
587 |
Yes |
SMTP_STARTTLS_AUTO |
Automatically use STARTTLS protocol for the SMTP server, for sending emails. See SMTP |
true |
Yes |
SMTP_AUTHENTICATION |
Type of authentication for the SMTP server, for sending emails. See SMTP |
plain |
Yes |
QUEUE_ADAPTER |
Use this var to establish the backend used to process jobs in your application. Note that every backend requires some additional configuration steps. Also take into account that the default value (async) is not suitable for production environments Common values are If you decide to use - Check the Delayed Job info - Check the Sidekiq info |
async |
No |
SIDEKIQ_CONCURRENCY |
If you are using Note that each process consumes a database connection. You need to be sure you infrastructure is properly configured not to exceed the concurrent number of connections that your database supports. For this matter, check also the RAILS_MAX_THREADS param if you are using Puma. |
5 |
No |
If you want to use a cloud provider to storage user uploads. this can be done via next extra configuration variables.
Different providers require extra gems to be specified in your Gemfile. You can generate a new application with the appropriated gems with the command decidim --storage=[provider] my-application
.
Name | Value | Default value | Multitenant’s System configurable |
---|---|---|---|
STORAGE_PROVIDER |
Which storage provider is going to be used for the application, provides support for the most popular options. Options are If this setting is set to any other value than |
local |
No |
STORAGE_CDN_HOST |
If you are using a cloud provider, having a CDN on top of it is probably a good idea. For instance, using a CloudFront distribution on top of a S3 configuration. But other services can be used as well (you can use CloudFlare for free with excellent results). Set the protocol, host and path to your CDN and all the user-generated files (through Active Storage) will be prefixed with this instead of serving files directly from the same domain of your application. Note that this is not the same as the RAILS_ASSET_HOST var. This other variable is used for static, compiled assets while STORAGE_CDN_HOST is for files dynamically generated within the application by users or admins. |
No |
|
AWS_ACCESS_KEY_ID |
If STORAGE_PROVIDER is set to Also, be sure to add the line |
No |
|
AWS_SECRET_ACCESS_KEY |
If STORAGE_PROVIDER is set to |
No |
|
AWS_BUCKET |
If STORAGE_PROVIDER is set to |
No |
|
AWS_REGION |
If STORAGE_PROVIDER is set to |
No |
|
AWS_ENDPOINT |
If STORAGE_PROVIDER is set to |
No |
|
AZURE_STORAGE_ACCESS_KEY |
If STORAGE_PROVIDER is set to Also, be sure to add the line |
No |
|
AZURE_STORAGE_ACCOUNT_NAME |
If STORAGE_PROVIDER is set to |
No |
|
AZURE_CONTAINER |
If STORAGE_PROVIDER is set to |
No |
|
GCS_PROJECT |
If STORAGE_PROVIDER is set to Also, be sure to add the line GOOGLE CLOUD SERVICES require some amount of parameters. You should be able to extract them from a |
No |
|
GCS_BUCKET |
If STORAGE_PROVIDER is set to |
No |
|
GCS_TYPE |
If STORAGE_PROVIDER is set to |
service_account |
No |
GCS_PROJECT_ID |
If STORAGE_PROVIDER is set to |
No |
|
GCS_PRIVATE_KEY_ID |
If STORAGE_PROVIDER is set to |
No |
|
GCS_PRIVATE_KEY |
If STORAGE_PROVIDER is set to |
No |
|
GCS_CLIENT_EMAIL |
If STORAGE_PROVIDER is set to |
No |
|
GCS_CLIENT_ID |
If STORAGE_PROVIDER is set to |
No |
|
GCS_AUTH_URI |
If STORAGE_PROVIDER is set to |
No |
|
GCS_TOKEN_URI |
If STORAGE_PROVIDER is set to |
No |
|
GCS_AUTH_PROVIDER_X509_CERT_URL |
If STORAGE_PROVIDER is set to |
No |
|
GCS_CLIENT_X509_CERT_URL |
If STORAGE_PROVIDER is set to |
No |
Next variables are additional services such as geolocation, etherpad and other simple integrations. Also some more refined configurations:
Name | Value | Default value | Multitenant’s System configurable |
---|---|---|---|
MAPS_PROVIDER |
For a simple geolocation and tile maps service configuration define this value to one of the supported providers, currently |
No |
|
MAPS_API_KEY |
For a simple geolocation and tile maps service configuration define this value in case the provider needs it (if you are using Here Maps, you will need an API key). See Maps. Note that if you are using the |
No |
|
MAPS_DYNAMIC_URL |
If you are using a You need to define this variable if using |
No |
|
MAPS_STATIC_URL |
If you are using a You need to define this variable if using |
https://image.maps.ls.hereapi.com/mia/1.6/mapview (only if using Here Maps) |
No |
MAPS_ATTRIBUTION |
If you are using a You need to define this variable if using |
No |
|
MAPS_EXTRA_VARS |
Some providers may require you to send additional variables in the dynamic tile request (custom api keys, secrets, etc). Use this to do that, you can define as many pairs of "variable"/"value" in a URL-encoded string. See Maps. Note that to defined this variable might not be necessary in most cases, if you do it must look something like |
No |
|
MAPS_GEOCODING_HOST |
If you are using a You need to define this variable if using |
No |
|
MAPS_DYNAMIC_PROVIDER |
For advanced cases, you can define this value instead or in combination of MAPS_PROVIDER (which will be the default). This allows to set up different providers for the static tile provider than the dynamic. See Maps. Note that you do not need to define this variable for the most common, simple, one provider cases. |
No |
|
MAPS_STATIC_PROVIDER |
For advanced cases, you can define this value instead or in combination of MAPS_PROVIDER (which will be the default). This allows to set up different providers for the static tile provider than the dynamic. See Maps. Note that you do not need to define this variable for the most common, simple, one provider cases. |
No |
|
MAPS_STATIC_API_KEY |
For advanced cases, you can define this value instead or in combination of MAPS_API_KEY (which will be the default). This allows to set up different providers for the static tile provider than the dynamic requiring different API KEYS. See Maps. Note that you do not need to define this variable for the most common, simple, one provider cases. |
No |
|
MAPS_DYNAMIC_API_KEY |
For advanced cases, you can define this value instead or in combination of MAPS_API_KEY (which will be the default). This allows to set up different providers for the static tile provider than the dynamic requiring different API KEYS. See Maps. Note that you do not need to define this variable for the most common, simple, one provider cases. |
No |
|
ETHERPAD_SERVER |
URL for an Etherpad.org server to integrate in Decidim for collaborative, real time writing events. See Etherpad. |
No |
|
ETHERPAD_API_KEY |
API key for communicating with the Etherpad server. See Etherpad. |
No |
|
ETHERPAD_API_VERSION |
Etherpad API version, this is unlikely to be needed to be changed. See Etherpad. |
1.2.1 |
No |
OMNIAUTH_FACEBOOK_APP_ID |
App ID for enabling access through Facebook.com accounts. See Social Providers. Note that defining this variable automatically renders the "log in with" button. |
Yes |
|
OMNIAUTH_FACEBOOK_APP_SECRET |
App Secret for enabling access through Facebook.com accounts. See Social Providers. |
Yes |
|
OMNIAUTH_GOOGLE_CLIENT_ID |
Client ID for enabling access through Google.com accounts. See Social Providers. |
Yes |
|
OMNIAUTH_GOOGLE_CLIENT_SECRET |
Client Secret for enabling access through Google.com accounts. See Social Providers. |
Yes |
|
OMNIAUTH_TWITTER_API_KEY |
API Key for enabling access through Twitter.com accounts. See Social Providers. |
Yes |
|
OMNIAUTH_TWITTER_API_SECRET |
API Secret for enabling access through Twitter.com accounts. See Social Providers. |
Yes |
|
VAPID_PUBLIC_KEY |
VAPID public key that will be used to sign the Push API requests. It can be generated running the task: |
No |
|
VAPID_PRIVATE_KEY |
VAPID private key that will be used to sign the Push API requests. It can be generated running the task: |
No |
Name | Value | Default value | Multitenant’s System configurable |
---|---|---|---|
DECIDIM_AVAILABLE_LOCALES |
a list of, coma separated, locales that will be available for each organization configured in the System configuration. Check for the Supported values in ISO639 format. Be careful while setting up this value, you can easily shoot yourself in the food as Decidim will crash if one of the languages is not supported |
ca, cs, de, en, es, eu, fi, fr, it, ja, nl, pl, pt, ro |
Partially, Only when creating a new organization the admin needs to choose between these values |
DECIDIM_DEFAULT_LOCALE |
The default locale to be used as a fallback (note that, in practice, this value must always be defined in the System configuration for each organization anyway). Note that |
en |
Partially, Only when creating a new organization |
DECIDIM_FORCE_SSL |
By default, Decidim enforces a SSL connection (https), sometimes it is necessary to disable it in order to handle this through a proxy system (note that use Decidim without SSL at all is NOT RECOMMENDED). This value can take 3 values:
|
auto |
No |
DECIDIM_ENABLE_HTML_HEADER_SNIPPETS |
Set to The most common use is to integrate third-party services that require some extra JavaScript or CSS. Also, you can use it to add extra meta tags to the HTML. Note that this will only be rendered in public pages, not in the admin section. Before enabling this you should ensure that any tracking that might be done is in accordance with the rules and regulations that apply to your environment and usage scenarios. This component also comes with the risk that an organization’s administrator injects malicious scripts to spy on or take over user accounts. |
No |
|
DECIDIM_CURRENCY_UNIT |
Currency unit is used in view showing monetary actions, such as budgets. It does not affect any internal calculations. |
€ |
No |
DECIDIM_CORS_ENABLED |
The SVG do not support CORS. When using custom asset host different than root url, set this value to |
false |
No |
DECIDIM_IMAGE_UPLOADER_QUALITY |
Defines the quality of image uploads after processing. Image uploads are processed by Decidim, this value helps reduce the size of the files. |
80 |
No |
DECIDIM_CACHE_EXPIRATION_TIME |
The default number of minutes where a cache in Decidim will be applied (currently Decidim applies cache to some pieces of html called cells). If empty has no expiration time (but you can clear the cache anytime with the command |
1440 |
No |
DECIDIM_STATS_CACHE_EXPIRATION_TIME |
Same as before but for the default number of minutes for html that displays stats. |
10 |
No |
DECIDIM_MAXIMUM_ATTACHMENT_SIZE |
The maximum file size of an attachment (in Megabytes). Mind that this depends on your environment, for instance you could also need to change your web server configuration (nginx, apache, etc). |
10 |
Yes |
DECIDIM_MAXIMUM_AVATAR_SIZE |
The maximum file size for a user avatar (in Megabytes). Mind that this depends on your environment, for instance you could also need to change your web server configuration (nginx, apache, etc). |
5 |
Yes |
DECIDIM_MAX_REPORTS_BEFORE_HIDING |
The number of reports which a resource can receive before hiding it. This affects moderations for resources such as proposals or users (spammers). |
3 |
No |
DECIDIM_TRACK_NEWSLETTER_LINKS |
Allow organizations admins to track newsletter links, trough UTMs. See UTM parameters in Wikipedia. Set it to |
true |
No |
DECIDIM_DOWNLOAD_YOUR_DATA_EXPIRY_TIME |
Number of days that the download your data files will be available in the server. |
7 |
No |
DECIDIM_THROTTLING_MAX_REQUESTS |
Max requests in a time period to prevent DoS attacks. Only applied on production. Note that this is used by the Gem Rack::Attack and blocks are based on the detected remote IP. Different proxy configurations (such as load balancers) may affect this, we recommend to read the documentation for this gem. |
100 |
No |
DECIDIM_THROTTLING_PERIOD |
Time window (in number of minutes) in which the throttling is applied. |
1 |
No |
DECIDIM_UNCONFIRMED_ACCESS_FOR |
Time window (in number of days) were users can access the website even if their email is not confirmed. |
0 |
No |
DECIDIM_SYSTEM_ACCESSLIST_IPS |
For extra security, restrict access to the system part with an authorized ip list. You can use a single ip like |
No |
|
DECIDIM_BASE_UPLOADS_PATH |
A base path for the uploads. If set, make sure it ends in a slash.
Uploads will be set to If not set, it will be ignored. |
No |
|
DECIDIM_DEFAULT_CSV_COL_SEP |
Sets Decidim::Exporters::CSV’s default column separator. This is used in general in any activity that generates a CSV file. |
; |
No |
DECIDIM_CONSENT_COOKIE_NAME |
Defines the name of the cookie used to check if the user allows Decidim to set cookies. This is needed due the GDPR regulations. |
decidim-cc |
No |
DECIDIM_EXPIRE_SESSION_AFTER |
In minutes, How long can a user remained logged in before the session expires. Notice that this is also maximum time that user can idle before getting automatically signed out. |
30 |
No |
DECIDIM_ENABLE_REMEMBER_ME |
If set to true, users have option to "remember me". Notice that expire_session_after will not take effect when the user wants to be remembered. |
true |
No |
DECIDIM_SESSION_TIMEOUT_INTERVAL |
In seconds, defines how often |
10 |
No |
DECIDIM_FOLLOW_HTTP_X_FORWARDED_HOST |
Exposes a configuration option: If a caching system is in place, it can also allow cache and log poisoning attacks, allowing attackers to control the contents of caches and logs that could be used for other attacks. |
false |
No |
DECIDIM_MAXIMUM_CONVERSATION_MESSAGE_LENGTH |
The maximum length (number of characters) for conversation messages. Conversations are private threads between two or more users or groups. This does not affect comments as its length can be configured by administrators in the component’s settings. |
1000 |
No |
DECIDIM_DENIED_PASSWORDS |
List of Denied passwords. Array may contain strings and regex entries. Separate each item of the array with a comma AND a space, for instance:
|
No |
|
DECIDIM_PASSWORD_SIMILARITY_LENGTH |
Amount of characters required by parts of a domain (site or email / separated by a dot) for them to be taken into account during a password validation |
4 |
No |
DECIDIM_SOCIAL_SHARE_SERVICES |
The social networking services that will be available when using the "Share" feature on some resources. |
X, Facebook, WhatsApp, Telegram |
No |
DECIDIM_ALLOW_OPEN_REDIRECTS |
Disable the redirection to the external host when performing redirect back. This is not recommended to activate unless you know what you are doing More details at Rails issue #39643 Additional context: This has been revealed as an issue during a security audit on the Future of Europe installation |
false |
No |
DECIDIM_ADMIN_PASSWORD_STRONG |
Enable strong password rules for admin users. |
true |
No |
DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS |
Defines how many days admin passwords are valid before they need to be reset. If you want to disable password expiration, you can set this value to |
90 |
No |
DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES |
Defines how many previous passwords are compared against new admin user passwords. |
5 |
No |
DECIDIM_ADMIN_PASSWORD_MIN_LENGTH |
The minimum character length for admin user passwords. |
15 |
No |
DECIDIM_SERVICE_WORKER_ENABLED |
Enable/Disable the service worker. This is used to enable offline support and to deliver push notifications. In development it is recommended to be disabled because its aggressive cache configuration might cause some issues when submitting forms. |
false |
No |
DECIDIM_ENABLE_ETIQUETTE_VALIDATOR |
Enable/Disable Etiquette validator. The etiquette validator is applied to the create and edit forms of Proposals, Meetings, and Debates for both regular and admin users. |
true |
No |
DECIDIM_SPAM_DETECTION_BACKEND_USER |
The adapter type needed for user classifier. (for CI purposes, you can set "memory") |
redis |
No |
DECIDIM_SPAM_DETECTION_BACKEND_USER_REDIS_URL |
The redis connection url used by the user classifier |
redis://localhost:6379/3 |
No |
DECIDIM_SPAM_DETECTION_BACKEND_RESOURCE |
The adapter type needed for resource classifier. (for CI purposes, you can set "memory") |
redis |
No |
DECIDIM_SPAM_DETECTION_BACKEND_RESOURCE_REDIS_URL |
The redis connection url used by the resource classifier |
redis://localhost:6379/2 |
No |
Name | Value | Default value | Multitenant’s System configurable |
---|---|---|---|
API_SCHEMA_MAX_PER_PAGE |
Set this number to define the default limit for the number of items returned and queried from the database in any collection returned in the GraphQL API. |
50 |
No |
API_SCHEMA_MAX_COMPLEXITY |
Complexity is a number based on the GraphQL query sent to the API. Too complex queries may cause a degradation of performance, lower or increase this number according your needs. |
5000 |
No |
API_SCHEMA_MAX_DEPTH |
GraphQL nested queries can generated equally deeply nested queries on the database. To prevent this set this limit to prevent too unperformant queries. |
15 |
No |
PROPOSALS_PARTICIPATORY_SPACE_HIGHLIGHTED_PROPOSALS_LIMIT |
Number of proposals to be shown in blocks with highlighted content across different participatory spaces. |
4 |
No |
PROPOSALS_PROCESS_GROUP_HIGHLIGHTED_PROPOSALS_LIMIT |
Number of proposals to be shown in blocks with highlighted content in processes groups only. |
3 |
No |
MEETINGS_UPCOMING_MEETING_NOTIFICATION |
Number of days before scheduled to send a reminder notification to users registered in a meeting. |
2 |
No |
MEETINGS_ENABLE_PROPOSAL_LINKING |
If true, enables several relationships between meetings and proposals. By default is active if Proposals are active (which is true always at the moment). We recommend not to tamper with this setting unless you know what are you doing |
auto |
No |
MEETINGS_EMBEDDABLE_SERVICES |
A list (separated by spaces) of allowed services that can be embedded in a iframe when creating an online meeting. |
www.youtube.com www.twitch.tv meet.jit.si |
No |
BUDGETS_ENABLE_PROPOSAL_LINKING |
If true, enables several relationships between budgets and proposals. By default is active if Proposals are active (which is true always at the moment). We recommend not to tamper with this setting unless you know what are you doing |
auto |
No |
ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING |
If true, enables several relationships between the accountability module and proposals. By default is active if Proposals are active (which is true always at the moment). We recommend not to tamper with this setting unless you know what are you doing |
auto |
No |
INITIATIVES_CREATION_ENABLED |
If false, regular users cannot create initiatives. |
true |
No |
INITIATIVES_SIMILARITY_THRESHOLD |
Acts as the proposals similarity threshold, use a number between 0 and 1 to establish how similar have to be 2 initiatives to be listed the alternate list. 0 will require no similarity at all 1 will require for two initiatives to contain exactly the same text |
0.25 |
No |
INITIATIVES_SIMILARITY_LIMIT |
Number of similar initiatives presented to the user before publishing a new one. |
5 |
No |
INITIATIVES_MINIMUM_COMMITTEE_MEMBERS |
Minimum number of committee members required to pass the initiative to technical validation phase. Only applies to initiatives created by individuals. |
2 |
No |
INITIATIVES_DEFAULT_SIGNATURE_TIME_PERIOD_LENGTH |
Number of days available to collect supports after an initiative has been published. |
120 |
No |
INITIATIVES_DEFAULT_COMPONENTS |
Components enabled by default for a new initiative (administrators can add more). |
pages, meetings |
No |
INITIATIVES_FIRST_NOTIFICATION_PERCENTAGE |
Notifies when the given percentage of supports is reached for an initiative. |
33 |
No |
INITIATIVES_SECOND_NOTIFICATION_PERCENTAGE |
Notifies when the given percentage of supports is reached for an initiative. |
66 |
No |
INITIATIVES_STATS_CACHE_EXPIRATION_TIME |
Sets the expiration time for the statistic data. |
5 |
No |
INITIATIVES_MAX_TIME_IN_VALIDATING_STATE |
Maximum amount of time in validating state. After this time the initiative will be moved to discarded state. |
60 |
No |
INITIATIVES_PRINT_ENABLED |
Print functionality enabled. Allows users to get a printed version of the initiative. |
false |
No |
INITIATIVES_DO_NOT_REQUIRE_AUTHORIZATION |
If true, This flag allows creating initiatives to unauthorized users. |
false |
No |
Name | Value | Default value | Multitenant’s System configurable |
---|---|---|---|
RAILS_LOG_TO_STDOUT |
If defined (value is indifferent) it will show the log content on the shell Standard Out. It is special relevant on certain hosting providers (for example, Heroku or Docker). It is also part of 12factor’s recommendations. |
No |
|
RAILS_SERVE_STATIC_FILES |
If defined (value is indifferent) it will serve static files present in the |
No |
|
RAILS_LOG_LEVEL |
The log level for the application. This makes more or less verbose the logger. Usually, it is a good choice to use It must be one of these: Note that this only applies to production environments. |
debug |
No |
RAILS_ASSET_HOST |
If you use a CDN or another type of assets management, you can specify the host (and path) for it so, instead of Rails serving your assets (CSS, JavaScript, Images) will use your custom system. For instance |
No |
|
PORT |
Specifies the |
3000 |
No |
RAILS_MAX_THREADS |
Specifies the maximum number of concurrent database connections and |
5 |
No |
REDIS_URL |
If using Sidekiq as a queue adapter for processing background jobs, a Redis database is needed. Sidekiq uses this env var if defined, if not defaults to |
5 |
No |
Please take care that all these configurations would be the defaults but some of these could also be changed on a Multitenant’s System configuration (for instance SMTP or OAUTH providers).