Configuration

Environment variables and certificate challenge setup.

All configuration is stored in /var/lib/devpush/.env. For a starting point, use the .env.example file in the repository.

Environment variables

Required

Variable                   Description
APP_HOSTNAME               Domain for the app (e.g., app.example.com)
DEPLOY_DOMAIN              Base domain for deployments (defaults to APP_HOSTNAME)
LE_EMAIL                   Email for Let's Encrypt notifications
GITHUB_APP_ID              GitHub App ID
GITHUB_APP_NAME            GitHub App name
GITHUB_APP_PRIVATE_KEY     GitHub App private key (PEM format, use \n for newlines)
GITHUB_APP_WEBHOOK_SECRET  GitHub webhook secret
GITHUB_APP_CLIENT_ID       GitHub OAuth client ID
GITHUB_APP_CLIENT_SECRET   GitHub OAuth client secret
EMAIL_SENDER_ADDRESS       Email sender for invites/login
RESEND_API_KEY             API key for Resend

Auto-generated by installer

Variable                 Description
SECRET_KEY               App secret for sessions/CSRF
ENCRYPTION_KEY           Fernet key for encrypting secrets
POSTGRES_PASSWORD        PostgreSQL password
SERVICE_UID              Container user UID (matches host user)
SERVICE_GID              Container user GID (matches host user)
SERVER_IP                Public IP of the server
CERT_CHALLENGE_PROVIDER  ACME challenge provider: default (HTTP-01) or cloudflare, route53, gcloud, digitalocean, azure (DNS-01)

Optional

Variable                Description                           Default
GOOGLE_CLIENT_ID        Google OAuth client ID
GOOGLE_CLIENT_SECRET    Google OAuth client secret
APP_NAME                Display name                          /dev/push
APP_DESCRIPTION         App description
EMAIL_SENDER_NAME       Sender display name                   /dev/push
POSTGRES_DB             Database name                         devpush
POSTGRES_USER           Database user                         devpush-app
REDIS_URL               Redis URL                             redis://redis:6379
DEFAULT_CPUS            Default CPU cores per container       0.5
DEFAULT_MEMORY_MB       Default memory limit (MB)             2048
MAX_CPUS                Maximum CPU cores per container       4.0
MAX_MEMORY_MB           Maximum memory limit (MB)             8192
ALLOW_CUSTOM_RESOURCES  Allow projects to override CPU/memory  false
JOB_TIMEOUT             Job timeout (seconds)                 320
DEPLOYMENT_TIMEOUT      Deployment timeout (seconds)          300
LOG_LEVEL               Logging level                         WARNING

Certificate challenge providers

By default, /dev/push uses Let's Encrypt with the HTTP-01 challenge. Set CERT_CHALLENGE_PROVIDER in .env to switch providers. Leave it blank or set it to default to keep HTTP-01, or choose a DNS provider for DNS-01/wildcard support:

Provider           CERT_CHALLENGE_PROVIDER  Required Variables
Default (HTTP-01)  default                  None
Cloudflare         cloudflare               CF_DNS_API_TOKEN
AWS Route53        route53                  AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
Google Cloud       gcloud                   GCE_PROJECT + gcloud-sa.json file
DigitalOcean       digitalocean             DO_AUTH_TOKEN
Azure              azure                    AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP

Default (HTTP-01)

The default provider uses Let's Encrypt with the HTTP-01 challenge. No additional configuration is required beyond setting LE_EMAIL in your .env file.

Cloudflare

Use Cloudflare DNS for certificate validation. Requires a Cloudflare API token with DNS edit permissions.

Required variable:

  • CF_DNS_API_TOKEN: Cloudflare API token with "Zone:DNS:Edit" permissions for your domain

Setup:

  1. Create an API token in your Cloudflare dashboard
  2. Grant "Zone:DNS:Edit" permissions for your domain
  3. Add the token to your .env file:
    CERT_CHALLENGE_PROVIDER=cloudflare
    CF_DNS_API_TOKEN=your_token_here

AWS Route53

Use AWS Route53 for DNS challenge validation.

Required variables:

  • AWS_ACCESS_KEY_ID: AWS access key ID
  • AWS_SECRET_ACCESS_KEY: AWS secret access key
  • AWS_REGION: AWS region where your Route53 hosted zone is located (e.g., us-east-1, eu-west-1)

Setup:

  1. Create an IAM access key in AWS Console
  2. Grant the IAM user "Route53:ChangeResourceRecordSets" permission
  3. Add the credentials to your .env file:
    CERT_CHALLENGE_PROVIDER=route53
    AWS_ACCESS_KEY_ID=your_access_key
    AWS_SECRET_ACCESS_KEY=your_secret_key
    AWS_REGION=us-east-1

Google Cloud

Use Google Cloud DNS for certificate validation.

Required variables:

  • GCE_PROJECT: Google Cloud project ID
  • Service account JSON file: gcloud-sa.json in /var/lib/devpush/

Setup:

  1. Find your project ID in Google Cloud Console
  2. Create a service account with "DNS Administrator" role
  3. Download the JSON key file and save it as /var/lib/devpush/gcloud-sa.json
  4. Add the project ID to your .env file:
    CERT_CHALLENGE_PROVIDER=gcloud
    GCE_PROJECT=your-project-id

DigitalOcean

Use DigitalOcean DNS for certificate validation.

Required variable:

  • DO_AUTH_TOKEN: DigitalOcean personal access token

Setup:

  1. Generate a personal access token in DigitalOcean
  2. Grant "read" and "write" scopes
  3. Add the token to your .env file:
    CERT_CHALLENGE_PROVIDER=digitalocean
    DO_AUTH_TOKEN=your_token_here

Azure

Use Azure DNS for certificate validation.

Required variables:

  • AZURE_CLIENT_ID: Application (client) ID
  • AZURE_CLIENT_SECRET: Client secret value
  • AZURE_TENANT_ID: Directory (tenant) ID
  • AZURE_SUBSCRIPTION_ID: Subscription ID
  • AZURE_RESOURCE_GROUP: Resource group name containing your DNS zone

Setup:

  1. Register an application in Azure Portal
  2. Copy the "Application (client) ID" as AZURE_CLIENT_ID
  3. Create a client secret in "Certificates & secrets" section and copy the value as AZURE_CLIENT_SECRET
  4. Find the "Directory (tenant) ID" in "Azure Active Directory › Overview" as AZURE_TENANT_ID
  5. Find your subscription ID as AZURE_SUBSCRIPTION_ID
  6. Note the resource group name containing your DNS zone as AZURE_RESOURCE_GROUP
  7. Add all values to your .env file:
    CERT_CHALLENGE_PROVIDER=azure
    AZURE_CLIENT_ID=your_client_id
    AZURE_CLIENT_SECRET=your_client_secret
    AZURE_TENANT_ID=your_tenant_id
    AZURE_SUBSCRIPTION_ID=your_subscription_id
    AZURE_RESOURCE_GROUP=your_resource_group
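
A preflight check for the settings described on this page, as an added example (not part of /dev/push or its installer): it parses .env text, confirms that the variables from the Required table and those listed for the selected CERT_CHALLENGE_PROVIDER are set, and flags leftover your_... placeholders and lines that are not KEY=VALUE, such as a PEM key pasted with real newlines. The function names, the sa_key_present parameter and the sample input are assumptions made for the example.

```python
import re

# Variables this page lists for each CERT_CHALLENGE_PROVIDER value.
PROVIDER_VARS = {
    "default": "",
    "cloudflare": "CF_DNS_API_TOKEN",
    "route53": "AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION",
    "gcloud": "GCE_PROJECT",  # also needs gcloud-sa.json beside .env
    "digitalocean": "DO_AUTH_TOKEN",
    "azure": "AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID "
             "AZURE_SUBSCRIPTION_ID AZURE_RESOURCE_GROUP",
}
# "Required" table, minus DEPLOY_DOMAIN (it defaults to APP_HOSTNAME).
REQUIRED = ("APP_HOSTNAME LE_EMAIL GITHUB_APP_ID GITHUB_APP_NAME "
            "GITHUB_APP_PRIVATE_KEY GITHUB_APP_WEBHOOK_SECRET GITHUB_APP_CLIENT_ID "
            "GITHUB_APP_CLIENT_SECRET EMAIL_SENDER_ADDRESS RESEND_API_KEY").split()

def parse_env(text):
    """Return (values, stray); stray holds line numbers that are not KEY=VALUE."""
    values, stray = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, val = (part.strip() for part in line.partition("="))
        if sep and re.fullmatch(r"[A-Z_][A-Z0-9_]*", key):
            values[key] = val.strip("'\"")
        elif key and not key.startswith("#"):  # skip blank lines and comments
            stray.append(n)
    return values, stray

def check_env(text, sa_key_present=False):
    """List problems in .env text; sa_key_present says gcloud-sa.json exists."""
    values, stray = parse_env(text)
    problems = [f"line {n}: not KEY=VALUE (raw PEM? use \\n)" for n in stray]
    provider = values.get("CERT_CHALLENGE_PROVIDER") or "default"  # blank = HTTP-01
    if provider not in PROVIDER_VARS:
        return problems + [f"unknown CERT_CHALLENGE_PROVIDER: {provider}"]
    for name in REQUIRED + PROVIDER_VARS[provider].split():
        val = values.get(name, "")
        if not val:
            problems.append(f"{name} is missing or empty")
        elif val.lower().startswith(("your_", "your-")):
            problems.append(f"{name} still holds a placeholder")
    if provider == "gcloud" and not sa_key_present:
        problems.append("gcloud-sa.json is missing")
    return problems

# Constructed sample: placeholder token and a PEM pasted with real newlines.
SAMPLE = ("CERT_CHALLENGE_PROVIDER=cloudflare\nCF_DNS_API_TOKEN=your_token_here\n"
          "GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\n(key body)\n")
if __name__ == "__main__":
    print("\n".join(check_env(SAMPLE)))
```

To run it against a real install, pass the contents of /var/lib/devpush/.env as text and set sa_key_present from a check for /var/lib/devpush/gcloud-sa.json.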