ENV configuration

All self-hosted installations need a minimum set of environment variables to get started, and have additional (optional) configuration for further customization.

Below is a template .env file with a list of available configuration and default values. Depending on your installation type you may need to mantain this file in different locations (locally for Docker Compose installations, S3 or Secrets Manager for AWS deployments, or other configuration/secret administration tools.

###################################
# Required: Initial Tenant Configuration #
#
# Note: the values  in this section will only be read on the first deployment of
# the Tines instance. If you need to change these values after the first run, you will
# need to update the app or database directly. All other values in this file will be
# picked up by the Tines app on every deployment or server restart.
###################################

# A human friendly identifier for this instance of Tines, e.g., "your-company-name":
TENANT_NAME=

# This is the domain where your Tines instance will be accessible:
DOMAIN=

# This will be the first user to be created and get invited to this Tines instance:
SEED_EMAIL=
SEED_FIRST_NAME=
SEED_LAST_NAME=

# If SEED_EMAIL_PASSWORD is set, this will bypass the email invite process for the first user and allow
# the SEED_EMAIL to login without SMTP configured using SEED_EMAIL:SEED_EMAIL_PASSWORD
# SEED_EMAIL_PASSWORD is *superceded* by either of the following 2 conditions:
# 1. If SMTP is configured correctly
# 2. If SSO is configured
SEED_EMAIL_PASSWORD=

# This address will be the default sender for all emails from this Tines instance:
# This can be configured on initial setup and changed subsequently at /admin/configuration
EMAIL_FROM_ADDRESS="Example Support <support@example.com>"

#############################
# Required: Server Configuration #
#############################

# Company name and stack name (eg. tines_prod). This is used to identify your tenant's telemetry data,
# if you have enabled that feature.
TELEMETRY_ID=

# This should match the port that you use to access the Tines UI.
# Unless you have chosen a custom port, you should use 443 as typical for HTTPS.
PORT=443

# This should be set to a random 128 character string to ensure security for your installation.
# Changing this value may force users to log in again.
# You can generate a value for this by running: `openssl rand -hex 64`
APP_SECRET_TOKEN=__SET_YOUR_SECRET_TOKEN__

#############################
# Required: Email Configuration #
#############################
# Outgoing email settings. This must be configured correctly in order for the invite email
# to be sent to the first user.
#
# To use Gmail or Google Apps, put your Google Apps domain or gmail.com
# as the SMTP_DOMAIN and your Gmail username and password as the SMTP_USER_NAME and SMTP_PASSWORD.
#
# If you have trouble with port 587 on Gmail, you can also try setting
# SMTP_AUTHENTICATION to login and the SMTP_PORT to 465.

SMTP_DOMAIN=
SMTP_USER_NAME=
SMTP_PASSWORD=
SMTP_SERVER=

# Optional SMTP settings
# Port. Default is 587.
SMTP_PORT=

# Athentication: `plain` (default), `login`, or `cram_md5`.
SMTP_AUTHENTICATION=login

# Detects if STARTTLS is enabled in your SMTP server and starts to use it. Defaults to false.
SMTP_ENABLE_STARTTLS_AUTO=true

# Use STARTTLS when connecting to your SMTP server and fail if unsupported. Defaults to false.
# SMTP_ENABLE_STARTTLS=

# Enables the SMTP connection to use SMTP/TLS (SMTPS: SMTP over direct TLS connection)
# SMTP_SSL=
# SMTL_TLS=

# When using TLS, you can set how OpenSSL checks the certificate.
# This is useful if you need to validate a self-signed and/or a wildcard certificate.
# Acceptable values: `none`, `peer`, `client_once`, `fail_if_no_peer_cert`
# SMTP_OPENSSL_VERIFY_MODE=

# Path to a file containing a PEM-format CA certificate that the SMTP server will use to verify your certificate.
# SMTP_OPENSSL_CA_PATH=
# Altenratively, inline contents of the certificate
# SMTP_OPENSSL_CA_FILE=

# Open timeout. Default: 30 seconds
# SMTP_OPEN_TIMEOUT=
# Read timeout. Default: 30 seconds
# SMTP_READ_TIMEOUT=

# Disable all email sending
# Uncomment this line to disable all email sending (including invite, monitoring, send email actions, etc.)
# DISABLE_EMAIL=true

############################
# Required: Database connections #
############################

# PostgreSQL database server connection configuration:
DATABASE_NAME=tines_production
DATABASE_POOL=20
DATABASE_USERNAME=tines
# This password needs to match the value in your docker-compose.yml file.
# A value that contains punctuation other than underscores and dashes may cause errors.
# You can generate a value for this by running: openssl rand -hex 32
DATABASE_PASSWORD=__SET_YOUR_DATABASE_PASSWORD__
DATABASE_HOST=db
DATABASE_PORT=5432

# Set idle timeout before the connection should be flushed. Default 300 seconds
# DATABASE_IDLE_TIMEOUT=300

# Optional PotgreSQL SSL configuration
# PGSSLMODE=verify-full
# PGSSLCERT=client.crt
# PGSSLKEY=client.key
# PGSSLROOTCERT=ca.crt

# Redis connection configuration
REDIS_URL=redis://redis:6379/1

########################
# Optional feature configuration #
########################

# Enables a periodic job to update public template date from integrations.tines.com.
# Please note that if you set this to false, you would need to perform another upgrade
# so that the templates that are part of the release are synced into the Tenant.
SYNC_TEMPLATES=true

# Specify the default User-Agent header value for HTTP requests made
# by Agents that allow overriding the User-Agent header value.
# DEFAULT_HTTP_USER_AGENT=Tines (Advanced Security Automation; tines.com)

# Configure captcha feature for prompts
# PROMPT_CAPTCHA=false
# RECAPTCHA_SITE_KEY=
# RECAPTCHA_SECRET_KEY=

# Uncomment the line below to output Audit Logs to stdout
# AUDIT_LOGS_TO_STDOUT=true

# Log level for web server:
# Acceptable values: `debug`, `info` (default), `warn`, `error`, `fatal`, `unknown`
# Uncomment the line below to change the log level to warn, which will
# make the logs less verbose and only show warnings and errors instead of all activity.
# RAILS_LOG_LEVEL=warning

# Disable ipv6 on nginx
# DISABLE_NGINX_IPV6=true

# Setup tines user on host machine
# SETUP_DEDICATED_LINUX_USER=true

# Set worker count
# SIDEKIQ_CONCURRENCY=12

# Seconds before a web request times out.
# Increase this if you experience frequent timeouts despite having appropiately scaled your infrastructure.
# RACK_SERVICE_TIMEOUT_SECONDS=35

# Size of each output payload (in bytes) generated for each event
# OUTPUT_PAYLOAD_SIZE_BYTES = 104857600 # 100MB

# Maximum fraction of sidekiq workers that can be used for slow action runs
# ACTION_RUNS_MAX_CONCURRENCY = 0.4 # 40%

# Opt in to allow Tines app to send certain database queries to a read-only endpoint to reduce main database load
# DATABASE_READONLY_ENDPOINT=""

# Use proxy for external requests
# HTTP_PROXY="http://proxy.example.com:8080"
# HTTPS_PROXY="http://proxy.example.com:8080"

# Selectively don't use proxy for certain domains
# NO_PROXY="foo.bar.com,foobar.com"

# Disable proxy redirect for nginx
# TINES_NGINX_PROXY_REDIRECT_OFF=true

# Generate HTTPS urls by default. Only applicable when `FORCE_SSL` is off.
# This can be useful if FORCE_SSL=false but you still want to generate HTTPS urls.
# USE_HTTPS=true

# Specify the port to be used in email links for the tenant's address (e.g., in invitation emails).
# TENANT_CLIENT_PORT=443

# Rack key space limit is the maximum number of bytes that can be used for form data keys.
# Default is 65536 bytes.
# RACK_KEY_SPACE_LIMIT=65536

########################
# Core configuration #
#
# These values should not be changed.
########################

# Ensure system logs are included in Docker container logs.
RAILS_LOG_TO_STDOUT=true

# Configure Rails environment. This should always be set to 'production'.
RAILS_ENV=production

# Force all requests to use SSL.
FORCE_SSL=true

# Set the installation's timezone.
TIMEZONE=UTC
Was this helpful?