Secrets Reference
A single-page reference for every secret and credential in the Towlion platform — where it lives, what it does, and how to rotate it.
GitHub Actions Secrets (per-app repo)
These are set in your app repository under Settings > Secrets and variables > Actions.
| Secret | Required | Purpose | Example |
|---|---|---|---|
| SERVER_HOST | Yes | Server IP address | 203.0.113.10 |
| SERVER_USER | Yes | SSH user for deployment | deploy |
| SERVER_SSH_KEY | Yes | SSH private key (ed25519 or RSA) | Full PEM-encoded key |
| APP_DOMAIN | Yes | Production domain for the app | app.example.com |
| PREVIEW_DOMAIN | No | Base domain for preview environments | example.com |
Tip
To reduce the number of required secrets from 4 to 1, use a self-hosted GitHub Actions runner instead.
Platform Bootstrap Variables
Passed as environment variables when running bootstrap-server.sh. See Self-Hosting for the full bootstrap process.
User-provided:
| Variable | Required | Purpose | Default |
|---|---|---|---|
| ACME_EMAIL | Yes | Email for Let's Encrypt TLS certificates | — |
| OPS_DOMAIN | No | Domain for the Grafana dashboard | — |
| ALERT_REPO | No | GitHub owner/repo for alert issues (e.g., Trivy findings) | — |
| ENABLE_METRICS | No | Set true to start Prometheus, cAdvisor, node-exporter | — |
Auto-generated by bootstrap (written to /opt/platform/.env, mode 600):
| Variable | Purpose |
|---|---|
| POSTGRES_PASSWORD | PostgreSQL superuser password |
| MINIO_ROOT_USER | MinIO root username |
| MINIO_ROOT_PASSWORD | MinIO root password |
| GRAFANA_ADMIN_PASSWORD | Grafana admin password |
These are generated with openssl rand during the first bootstrap run and are never stored outside the server.
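The generate-once, mode-600 behaviour described above, as an added illustration (this is not Towlion's bootstrap-server.sh). It assumes a KEY=value env file and that a value already present must survive a re-run, since the secrets are created only on the first bootstrap.

```shell
#!/bin/sh
# Illustrative bootstrap step, not the project's own script. Assumes a KEY=value
# env file; values already present are kept so a re-run never rotates secrets.
set -eu

# gen_secret BYTES: random hex string of 2*BYTES characters via openssl rand.
gen_secret() {
    openssl rand -hex "$1"
}

# env_get FILE NAME: print NAME's value from FILE, or nothing if absent.
env_get() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | head -n 1
}

# ensure_var FILE NAME BYTES: append NAME=<fresh secret> unless FILE has NAME.
ensure_var() {
    if [ -z "$(env_get "$1" "$2")" ]; then
        printf '%s=%s\n' "$2" "$(gen_secret "$3")" >> "$1"
    fi
}

# write_platform_env FILE: create FILE under umask 077 (in a subshell, so the
# file is never readable by others even briefly) and fill in the four
# auto-generated variables from the table above. Existing values stay as-is.
write_platform_env() {
    ( umask 077; [ -f "$1" ] || : > "$1" )
    chmod 600 "$1"                     # enforce the mode on a pre-existing file too
    ensure_var "$1" POSTGRES_PASSWORD 32
    ensure_var "$1" MINIO_ROOT_USER 8
    ensure_var "$1" MINIO_ROOT_PASSWORD 32
    ensure_var "$1" GRAFANA_ADMIN_PASSWORD 32
}

# Stand-alone demo in a scratch directory (never touches /opt/platform).
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    write_platform_env "$demo/.env"
    first=$(env_get "$demo/.env" POSTGRES_PASSWORD)
    write_platform_env "$demo/.env"    # second run must not rotate anything
    [ "$first" = "$(env_get "$demo/.env" POSTGRES_PASSWORD)" ] && echo "re-run kept existing secrets"
    rm -rf "$demo"
fi
```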
Per-App Runtime Environment
Located at /opt/apps/<name>/deploy/.env. Created manually from deploy/env.template during initial app setup.
Required:
| Variable | Purpose | Example |
|---|---|---|
| APP_DOMAIN | Application domain | app.example.com |
| DATABASE_URL | PostgreSQL connection string | postgresql://user:pass@postgres:5432/app_db |
| REDIS_URL | Redis connection string | redis://redis:6379/0 |
Optional:
| Variable | Purpose |
|---|---|
| S3_ENDPOINT | MinIO/S3 endpoint URL |
| S3_BUCKET | Storage bucket name |
| S3_ACCESS_KEY | Storage access key |
| S3_SECRET_KEY | Storage secret key |
| JWT_SECRET | Secret key for JWT token signing |
| CORS_ORIGINS | Comma-separated allowed CORS origins |
| EMAIL_API_KEY | Transactional email API key |
| EMAIL_FROM | Sender email address |
Note
The deploy workflow auto-injects S3_* and JWT_SECRET values from the per-app credentials file (if it exists), overwriting whatever is in deploy/.env. You do not need to manage these values manually after running create-app-credentials.sh.
Per-App Server Credentials
Located at /opt/platform/credentials/<app-name>.env (mode 600, owned by deploy).
Created by running:
| Variable | Purpose |
|---|---|
| DB_USER | Dedicated PostgreSQL user (<app_name>_user) |
| DB_PASSWORD | Password for the dedicated PostgreSQL user |
| S3_ACCESS_KEY | Dedicated MinIO access key (<app-name>-user) |
| S3_SECRET_KEY | MinIO secret key for the dedicated user |
| JWT_SECRET | Per-app JWT signing key |
These credentials are injected into deploy/.env by deploy-blue-green.sh on every deploy.
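The injection step described here and in the note under Per-App Runtime Environment, as an added illustration (this is not Towlion's deploy-blue-green.sh). It assumes both files are plain KEY=value lines and that only S3_* and JWT_SECRET cross over, so DB_USER and DB_PASSWORD stay in the credentials file; the sample files are constructed.

```shell
#!/bin/sh
# Illustrative injection step, not the project's own script. Assumes KEY=value
# files and that only S3_* and JWT_SECRET are copied into deploy/.env.
set -eu

# env_get FILE NAME: print NAME's value from FILE, or nothing if absent.
env_get() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | head -n 1
}

# inject_credentials CREDS ENV: overwrite or append each injected key in ENV.
# Runs in a subshell with umask 077 so every temporary copy is mode 600, and
# uses grep -v plus append instead of sed so values containing / or & are safe.
inject_credentials() (
    umask 077
    creds=$1; env=$2; tmp="$env.tmp"
    cp "$env" "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            S3_*=*|JWT_SECRET=*) ;;          # injected keys, per the note above
            *) continue ;;                   # DB_USER, DB_PASSWORD, comments: skip
        esac
        key=${line%%=*}
        grep -v "^$key=" "$tmp" > "$tmp.new" || true   # grep exits 1 if nothing is left
        printf '%s\n' "$line" >> "$tmp.new"
        mv "$tmp.new" "$tmp"
    done < "$creds"
    mv "$tmp" "$env"                         # atomic swap; the result is mode 600
)

# make_demo_files DIR: constructed sample files, not real credentials.
make_demo_files() {
    printf '%s\n' 'DB_USER=myapp_user' 'DB_PASSWORD=constructed-db-pass' \
        'S3_ACCESS_KEY=myapp-user' 'S3_SECRET_KEY=constructed/s3&secret' \
        'JWT_SECRET=constructed-jwt-secret' > "$1/myapp.env"
    printf '%s\n' 'APP_DOMAIN=app.example.com' \
        'DATABASE_URL=postgresql://myapp_user:pass@postgres:5432/myapp' \
        'JWT_SECRET=stale-value-from-env.template' > "$1/.env"
}

# Stand-alone demo in a scratch directory.
demo=$(mktemp -d)
make_demo_files "$demo"
inject_credentials "$demo/myapp.env" "$demo/.env"
cat "$demo/.env"     # JWT_SECRET replaced, S3_* appended, everything else untouched
rm -rf "$demo"
```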
Backup Encryption
Optional. Configured in /opt/platform/.env.
| Variable | Purpose |
|---|---|
| BACKUP_ENCRYPTION_KEY | Path to a key file used for AES-256-CBC encryption of database backups |
When set, backup-postgres.sh produces encrypted .dump.enc files. restore-postgres.sh and verify-backup.sh auto-detect encrypted backups and decrypt them. See Server Contract — Backup Encryption for details.
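The encrypt, detect and decrypt steps described above, as an added illustration (this is not Towlion's backup-postgres.sh, restore-postgres.sh or verify-backup.sh). It assumes the key file holds a passphrase line, which openssl's `-pass file:` reads, and treats the .enc suffix as the primary marker for an encrypted backup.

```shell
#!/bin/sh
# Illustrative helpers for the AES-256-CBC key-file scheme, not the project's own
# scripts. Assumes the key file holds one passphrase line read by -pass file:.
set -eu

# encrypt_backup KEYFILE IN OUT: AES-256-CBC with the key derived from KEYFILE via
# PBKDF2 and a random salt, so two encryptions of one dump never share key/IV.
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -in "$2" -out "$3"
}

# is_encrypted FILE: true for a .enc name, or for openssl's "Salted__" magic
# header, so an encrypted backup that was renamed is still detected instead of
# being handed to pg_restore as if it were plaintext.
is_encrypted() {
    case $1 in *.enc) return 0 ;; esac
    [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# restore_input KEYFILE FILE OUT: write the plaintext dump to OUT, decrypting
# only when needed. A wrong key trips openssl's bad-decrypt padding check, which
# exits non-zero and is propagated by set -e.
restore_input() {
    if is_encrypted "$2"; then
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"
    else
        cp "$2" "$3"
    fi
}

# Stand-alone demo with a constructed dump in a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    ( umask 077; openssl rand -hex 32 > "$demo/backup.key" )   # key file, mode 600
    printf 'PGDMP constructed dump payload\n' > "$demo/app.dump"
    encrypt_backup "$demo/backup.key" "$demo/app.dump" "$demo/app.dump.enc"
    restore_input "$demo/backup.key" "$demo/app.dump.enc" "$demo/restored.dump"
    cmp -s "$demo/app.dump" "$demo/restored.dump" && echo "round trip ok"
    rm -rf "$demo"
fi
```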
Developer CLI Config
Located at ~/.towlion.conf. This is a local-only file — not a GitHub secret.
| Variable | Purpose | Example |
|---|---|---|
| SERVER_HOST | Server IP or hostname | 203.0.113.10 |
| SERVER_USER | SSH user | deploy |
| SSH_KEY_PATH | Path to SSH private key | ~/.ssh/id_ed25519 |
See CLI Reference for the full command list.
Rotation Reference
| Secret | Rotation Method | Command / Runbook |
|---|---|---|
| Per-app DB password | Script | rotate-credentials.sh <app> --type db |
| Per-app S3 credentials | Script | rotate-credentials.sh <app> --type s3 |
| Per-app JWT secret | Script | rotate-credentials.sh <app> --type jwt |
| All per-app credentials | Script | rotate-credentials.sh <app> --type all |
| Platform PostgreSQL password | Script | rotate-credentials.sh --platform --type db |
| Platform MinIO root password | Script | rotate-credentials.sh --platform --type s3 |
| All platform credentials | Script | rotate-credentials.sh --platform --type all |
| SSH keys | Manual | Rotate Credentials runbook — SSH section |
| GitHub Actions secrets | Manual | Update in repo Settings > Secrets after rotating the corresponding server-side credential |
| Backup encryption key | Manual | Generate new key file, re-encrypt existing backups, update BACKUP_ENCRYPTION_KEY path |
Tip
Add --yes to any rotate-credentials.sh command to skip the confirmation prompt. The script verifies app health after every rotation.