
Environment Configuration

All sensitive values must be set before deploying. Do not commit .env files to version control.


PostgreSQL — infra/db/.env.postgres

Copy from: infra/db/.env.postgres.example

| Variable | Example | Description |
| --- | --- | --- |
| POSTGRES_USER | makerlab | Database superuser name |
| POSTGRES_PASSWORD | (strong password) | Database superuser password |
| POSTGRES_DB | makerlab | Database name |

Snipe-IT — infra/snipeit/.env.snipeit

Copy from: infra/snipeit/.env.snipeit.example

| Variable | Example | Description |
| --- | --- | --- |
| APP_URL | https://deti-makerlab.ua.pt/snipe-it | Snipe-IT public URL (must match SNIPEIT_PUBLIC_URL) |
| DB_CONNECTION | mysql | Database driver (always mysql for MariaDB) |
| MYSQL_DATABASE | snipeit | MariaDB database name |
| MYSQL_USER | snipeit | MariaDB user |
| MYSQL_PASSWORD | (strong password) | MariaDB user password |
| MYSQL_ROOT_PASSWORD | (strong password) | MariaDB root password |
| APP_KEY | (generated) | Laravel application key (auto-generated on first start) |
| MAIL_ENV | (optional) | Mail server settings for Snipe-IT emails |
Tip: The APP_KEY is generated automatically by Snipe-IT on first start. Do not set it manually unless restoring from a backup.


API — apps/api/.env

Copy from: apps/api/.env.example

Database

| Variable | Example | Description |
| --- | --- | --- |
| DATABASE_URL | postgresql+psycopg://makerlab_app:password@postgres:5432/makerlab | PostgreSQL connection URL |
| POSTGRES_USER | makerlab | PostgreSQL user (used for Docker healthcheck) |
| POSTGRES_PASSWORD | (strong password) | PostgreSQL password |
| POSTGRES_SERVER | postgres | PostgreSQL Docker service name |
| POSTGRES_PORT | 5432 | PostgreSQL port |
| POSTGRES_DB | makerlab | Database name |

Snipe-IT integration

| Variable | Example | Description |
| --- | --- | --- |
| SNIPEIT_BASE_URL | http://snipeit | Internal Docker URL for API calls |
| SNIPEIT_API_TOKEN | (generated by bootstrap script) | Snipe-IT personal access token |
| SNIPEIT_RESERVED_STATUS_ID | 4 | Numeric ID of the "Reserved" status label in Snipe-IT |
| SNIPEIT_PUBLIC_URL | https://deti-makerlab.ua.pt/snipe-it | Browser-facing Snipe-IT URL |

Public URLs

| Variable | Example | Description |
| --- | --- | --- |
| FRONTEND_URL | https://deti-makerlab.ua.pt | Public MakerLab frontend URL |

SSO (University of Aveiro OAuth1)

| Variable | Description |
| --- | --- |
| SSO_CALLBACK_URL | OAuth1 callback URL registered with identity.ua.pt. Must match exactly. Does not include path prefix. Example: https://deti-makerlab.ua.pt/auth/auth |
| DML_AUTH_KEY | University OAuth1 client key |
| DML_AUTH_SECRET | University OAuth1 client secret |
Warning: SSO_CALLBACK_URL must match exactly what is registered with the University identity provider. It is always at /auth/auth regardless of any base path prefix.

JWT

| Variable | Example | Description |
| --- | --- | --- |
| JWT_SECRET_KEY | (strong random string) | JWT signing secret. Use a cryptographically random value. |
| JWT_ALGORITHM | HS256 | JWT algorithm. Do not change. |
| JWT_EXPIRE_MINUTES | 60 | Token expiry in minutes |

Access control

| Variable | Example | Description |
| --- | --- | --- |
| LAB_TECHNICIANS | tech@ua.pt,another@ua.pt | Comma-separated list of technician university emails |

Application mode

| Variable | Example | Description |
| --- | --- | --- |
| APP_ENV | production | Application environment |
| APP_DEBUG | false | Debug mode. Always false in production. |
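
A pre-deploy check for the apps/api/.env rules listed above, as an added example that is not part of the project's own code. The length and entropy thresholds and the e-mail format rule are assumptions, and the sample file is constructed.

```python
import math
from urllib.parse import urlsplit

# Constructed sample, not a real deployment file; every value is made up.
SAMPLE_ENV = """\
JWT_SECRET_KEY=changeme
JWT_ALGORITHM=HS384
APP_ENV=production
APP_DEBUG=true
SSO_CALLBACK_URL=https://deti-makerlab.ua.pt/new/auth/auth
DATABASE_URL=postgresql+psycopg://makerlab_app:password@postgres:5432/makerlab
LAB_TECHNICIANS=tech@ua.pt,,another
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env

def entropy_bits(s):
    """Shannon estimate (bits/char * length); only catches obvious placeholders."""
    return -sum(s.count(c) * math.log2(s.count(c) / len(s)) for c in set(s))

def check_api_env(env):
    """Return the names of variables that break a rule stated on this page."""
    out = []
    secret = env.get("JWT_SECRET_KEY", "")
    if len(secret) < 32 or entropy_bits(secret) < 128:  # assumed thresholds
        out.append("JWT_SECRET_KEY")
    if env.get("JWT_ALGORITHM") != "HS256":  # page: do not change
        out.append("JWT_ALGORITHM")
    if env.get("APP_ENV") == "production" and env.get("APP_DEBUG", "").lower() != "false":
        out.append("APP_DEBUG")
    cb = urlsplit(env.get("SSO_CALLBACK_URL", ""))
    if cb.path != "/auth/auth":  # page: never carries the base path prefix
        out.append("SSO_CALLBACK_URL")
    db_pw = urlsplit(env.get("DATABASE_URL", "")).password or ""
    if db_pw in ("", "password"):  # example value left in place
        out.append("DATABASE_URL")
    mails = [m.strip() for m in env.get("LAB_TECHNICIANS", "").split(",")]
    if any(m.count("@") != 1 or " " in m for m in mails):  # assumed format rule
        out.append("LAB_TECHNICIANS")
    return out

if __name__ == "__main__":
    for name in check_api_env(parse_env(SAMPLE_ENV)):
        print(f"FAIL {name}")
```

Run it in CI or as a pre-deploy step against the real file; an empty result means none of these rules is violated, not that the secret is strong.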

Deployment URL parameters — docker-compose.yml

These are set in the x-deployment anchor block and are merged into containers at runtime (and build time for web):

| Variable | Description |
| --- | --- |
| MAKERLAB_DOMAIN | Public domain (no protocol, no trailing slash) |
| NEXT_PUBLIC_BASE_PATH | Base path prefix (e.g., /new or "") |
| FRONTEND_URL | Full public frontend URL |
| NEXT_PUBLIC_API_URL | Browser-facing API path prefix |
| API_PUBLIC_URL | Full public API URL |
| SNIPEIT_PATH | Snipe-IT path prefix |
| NEXT_PUBLIC_SNIPEIT_URL | Full public Snipe-IT URL |
| APP_URL | Snipe-IT self-URL (same as SNIPEIT_PUBLIC_URL) |
| SNIPEIT_PUBLIC_URL | Full public Snipe-IT URL for backend |

TLS certificates

Place TLS certificate and key files at:

infra/nginx/certs/selfsigned.crt
infra/nginx/certs/selfsigned.key

For production, replace these with valid certificates from a trusted Certificate Authority (e.g., Let's Encrypt).

To generate a self-signed certificate for testing:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout infra/nginx/certs/selfsigned.key \
  -out infra/nginx/certs/selfsigned.crt \
  -subj "/CN=deti-makerlab.ua.pt"

Warning: Self-signed certificates will show a browser warning. Never use self-signed certificates in production.