Predefined variables

DollarDeploy automatically creates environment variables which you can use when deploying your apps.

List of the predefined app env vars

  • APP_HOSTNAME - primary associated hostname of the app
  • APP_URL - https url for primary hostname
  • APP_ALIASES - additional hostnames or blank
  • GIT_TAGS - latest git hash or tag, automatically updated when deploying
  • GIT_LAST_COMMIT - latest commit message
  • NODE_ENV=production - automatically set for NodeJS apps
  • USER_EMAIL - email address of the user who deployed the app

Docker Compose only

These variables are only available in Docker Compose when you deploy the app.

  • USER_UID - Current user ID
  • USER_GID - Current user group ID

Set during launching an app

These are set if needed during an app launch from a template.

  • GENERATED_PWD - 10-char alphanumeric you can use in passwords
  • GENERATED_HASH - 32-char alphanumeric you can use in tokens / salt / etc
  • GENERATED_SECRET - 64-char alphanumeric, compatible with openssl rand -hex 32

Customize app deployment env vars

You can define these vars to control the deployment of your application. These are defined in the app settings.

Deployment options

  • DEPLOY_HOSTNAME_MATCH=0 - Default is 1. If defined and 0, skips the check that the hostname matches the IP address of the host. Useful for early IPv6 support and if you use Cloudflare in front of your server.

  • NGINX_NO_CANONICAL_REDIRECT=1 - Default is 1. If 0, will disable redirecting to the canonical hostname for the app. Useful if you have a wildcard domain managed by Cloudflare in front of your server.

  • NGINX_STATIC_PATHS - Default is empty. Comma-separated paths of folders within your app that Nginx should serve statically. All of these are mapped so that Nginx accesses them directly.

  • PRE_START_TIMEOUT=60 - Default is 60s. Amount in seconds to wait for a pre start command to successfully execute.

  • POST_START_TIMEOUT=60 - Default is 60s. Amount in seconds to wait for a post start command to successfully execute.

  • APP_LISTEN_HOSTNAME=127.0.0.1 - Default is 127.0.0.1. To make app listen on all interfaces and IP addresses, use 0.0.0.0. Only applicable to NodeJS / NextJS apps, or apps which listen to the HOSTNAME parameter.

  • APP_INTERNAL_HOSTNAME=127.0.0.1 - Default is 127.0.0.1. Hostname to connect to for reverse proxy and health checks. For PHP this is automatically set to external hostname, since PHP uses FastCGI protocol not HTTP and we can't use it with curl.

  • DEPLOY_FORCE_PM2=1 - Default is 0. Use pm2 to run React, NextJs and React-Static applications instead of the default systemd way.

PHP options

  • PHP_DISABLE_FUNCTIONS - Default is exec,passthru,shell_exec,system. Restricts what kind of functions PHP code can call. The default is a good security measure to protect your app from bad code.

  • PHP_MEMORY_LIMIT - Default is 128M. Amount of memory available per each PHP request.

Systemd options

These options control the systemd service settings for your application. They provide process isolation and sandboxing capabilities. All of these have secure defaults but can be customized if your application requires specific permissions.

  • SYSTEMD_PROTECT_SYSTEM - Default is strict. Controls write access to system directories. Options: true (read-only /usr, /boot, /efi), full (also /etc read-only), strict (entire file system read-only except explicitly allowed paths). Set to false to disable.
  • SYSTEMD_PROTECT_HOME - Default is read-only. Controls access to home directories. Options: true (inaccessible), read-only, tmpfs (empty tmpfs mounted). Set to false to disable.
  • SYSTEMD_EXEC_PATHS - Default is empty. Additional paths where the application is allowed to execute binaries. UV and SDKMAN paths are automatically included.
  • SYSTEMD_READ_WRITE_PATHS - Default is empty. Additional paths where the application has read-write access. App directory and log directory are automatically included.
  • SYSTEMD_RESTRICT_SUIDSGID - Default is true. Prevents the app from creating or using SUID/SGID files, removing sudo capabilities.
  • SYSTEMD_LOCK_PERSONALITY - Default is true. Locks the execution domain (personality) of the process to prevent exploitation techniques.
  • SYSTEMD_PRIVATE_DEVICES - Default is true. Creates a private /dev for the service with only pseudo-devices (null, zero, random, etc.).
  • SYSTEMD_PRIVATE_TMP - Default is true. Creates a private /tmp directory for the service, isolated from other processes.
  • SYSTEMD_TEMPORARY_FILESYSTEM - Default is /var/tmp. Mounts a temporary filesystem at the specified path. Useful for apps that need write access to /var/tmp.
  • SYSTEMD_RESTRICT_NAMESPACES - Default is yes. Restricts the process from creating new namespaces (network, user, mount, etc.), preventing container escape attempts.

Docker-specific options

  • DOCKER_REMOVE_VOLUMES=1 - Default is 0. If 1 will remove volumes when removing the app (dangerous!)

  • DOCKER_COMPOSE_BUILD=1 - Default is 0. If defined, the docker image will be built every time you deploy.

  • DOCKER_COMPOSE_WAIT_TIMEOUT=120 - Default is 120s. Amount in seconds to wait for docker compose to start the app and wait for all health checks to pass.

  • DOCKER_COMPOSE_PULL=policy - Default is as defined in docker compose, or never if local image exists. Set to DOCKER_COMPOSE_PULL=always if you use :latest tagged images to update container image on deploy.

Health check options (see https://docs.dollardeploy.com/blog/automatic-health-checks/)

  • APP_READY_TIMEOUT=300 - Default is 300. How many seconds to wait for the app to pass health checks.

  • APP_HEALTHCHECK_ENABLE=1 - Default is 1. After starting the app, perform health checks to ensure the app is running OK. Set to 0 to disable.

  • APP_HEALTHCHECK_PATH=/ - Default is /. HTTP path to check for health. Can be set to something like /api/health.

  • APP_HEALTHCHECK_SUCCESS_CODE=200 - Default is 200, 204, 301, 302. Specify an additional HTTP response status code that qualifies the app as deployed successfully.

  • APP_HEALTHCHECK_EXTERNAL=0 - Default is 0. Instead of checking the internal URL, check that the external URL returns a success status code. For PHP apps, implies 1 since the internal port is a FastCGI server.

Security options (see https://docs.dollardeploy.com/blog/improved-security-headers-for-all-apps/)

  • APP_HTTP_STRICT_TRANSPORT_SECURITY=max-age=31536000; includeSubDomains; preload - Default is to force HTTPS all the time. Defines the HSTS (Strict-Transport-Security) header.

  • APP_HTTP_FRAME_OPTIONS=SAMEORIGIN - Default is to allow iframe embedding only on the same origin.

  • APP_HTTP_REFERRER_POLICY=origin-when-cross-origin - Default is to send the hostname in the Referer header to external sites, and the full URL to same-origin sites.

  • APP_HTTP_CONTENT_TYPE_OPTIONS - There is no default. Sets the X-Content-Type-Options HTTP header. If set to nosniff, it prevents the browser from autodetecting content types. Make sure to set a proper Content-Type header for every resource you serve from your app.

  • APP_HTTP_CSP_HEADER - There is no default. Sets the Content-Security-Policy header to prevent XSS attacks and control resource loading. When configured, this header tells browsers which sources are trusted for scripts, styles, images, and other resources.
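
An added example, not DollarDeploy's own code: a Python audit that compares an app's settings with the defaults documented in the lists above and reports overrides that weaken them. The `audit` function, the `OFF` spellings and the sample settings are assumptions made for illustration.

```python
# Defaults are those documented on this page; the audit logic is illustrative.
BOOLEAN_SANDBOX = (
    "SYSTEMD_LOCK_PERSONALITY", "SYSTEMD_PRIVATE_DEVICES", "SYSTEMD_PRIVATE_TMP",
    "SYSTEMD_RESTRICT_NAMESPACES", "SYSTEMD_RESTRICT_SUIDSGID",
)
PHP_DEFAULT_DISABLED = {"exec", "passthru", "shell_exec", "system"}
OFF = {"0", "false", "no", "off"}  # assumption: spellings treated as "disabled"

def audit(settings):
    """Return (variable, finding) pairs for overrides weaker than the defaults."""
    findings = []
    for var in BOOLEAN_SANDBOX:
        if settings.get(var, "true").strip().lower() in OFF:
            findings.append((var, "sandbox option disabled"))
    protect = settings.get("SYSTEMD_PROTECT_SYSTEM", "strict").strip().lower()
    if protect != "strict":
        findings.append(("SYSTEMD_PROTECT_SYSTEM",
                         f"'{protect}' is weaker than the default 'strict'"))
    if settings.get("SYSTEMD_PROTECT_HOME", "read-only").strip().lower() in OFF:
        findings.append(("SYSTEMD_PROTECT_HOME", "home protection disabled"))
    if "PHP_DISABLE_FUNCTIONS" in settings:
        kept = {f.strip() for f in settings["PHP_DISABLE_FUNCTIONS"].split(",")}
        missing = sorted(PHP_DEFAULT_DISABLED - kept)
        if missing:
            findings.append(("PHP_DISABLE_FUNCTIONS",
                             "re-enables " + ",".join(missing)))
    if settings.get("APP_LISTEN_HOSTNAME") == "0.0.0.0":
        findings.append(("APP_LISTEN_HOSTNAME", "app listens on all interfaces"))
    if settings.get("DOCKER_REMOVE_VOLUMES") == "1":
        findings.append(("DOCKER_REMOVE_VOLUMES", "volumes removed with the app"))
    # These two headers have no default, so an empty value means nothing is set.
    for var in ("APP_HTTP_CONTENT_TYPE_OPTIONS", "APP_HTTP_CSP_HEADER"):
        if not settings.get(var):
            findings.append((var, "not configured (no default)"))
    return findings

# Constructed sample of app settings, not taken from a real deployment.
SAMPLE = {
    "SYSTEMD_PROTECT_SYSTEM": "full",
    "SYSTEMD_PRIVATE_TMP": "false",
    "PHP_DISABLE_FUNCTIONS": "passthru,system",
    "APP_LISTEN_HOSTNAME": "0.0.0.0",
    "APP_HTTP_CONTENT_TYPE_OPTIONS": "nosniff",
}

if __name__ == "__main__":
    for var, finding in audit(SAMPLE):
        print(f"{var}: {finding}")
```

Each finding is a deviation to review, not necessarily a mistake: an app behind a reverse proxy on another host may legitimately need APP_LISTEN_HOSTNAME=0.0.0.0.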

Additional, framework specific env vars

These mostly disable telemetry or verbosity of the libraries or frameworks in use.

export SEMGREP_SEND_METRICS=off
export COLLECT_LEARNINGS_OPT_OUT=true
export STORYBOOK_DISABLE_TELEMETRY=1
export NEXT_TELEMETRY_DISABLED=1
export SLS_TELEMETRY_DISABLED=1
export SLS_NOTIFICATIONS_MODE=off
export DISABLE_OPENCOLLECTIVE=true

Environment vars available when you add services to the host

  • POSTGRES_URL - if you add Postgres service to the host
  • REDIS_URL - if you add Redis service to the host
  • MONGODB_URL - if you add MongoDB service to the host
  • MARIADB_URL - if you add MariaDB (MySQL alternative) service to the host

Environment variable expansion

If your app requires it, you can refer to only part of a URL variable such as POSTGRES_URL by using environment variable expansion. For example, if you have MariaDB and Redis installed, you can define the following variables:

MYSQL_PASSWORD=${MARIADB_URL:password}
MYSQL_DATABASE=${MARIADB_URL:database}
MYSQL_USER=${MARIADB_URL:username}
MYSQL_HOST=${MARIADB_DOCKER_URL:hostname}
REDIS_HOST=${REDIS_DOCKER_URL:hostname}

For example, if you have the following POSTGRES_URL: postgres://postgres:secret123@localhost:5432/mydb?sslmode=require#section1

| Part | Syntax Example | Description | Example Output |
|------|----------------|-------------|----------------|
| host | ${POSTGRES_URL:host} | Host including port if present | localhost:5432 |
| hostname | ${POSTGRES_URL:hostname} | Host without port | localhost |
| port | ${POSTGRES_URL:port} | Port number (0 if not specified) | 5432 |
| path | ${POSTGRES_URL:path} | URL pathname | /mydb |
| username | ${POSTGRES_URL:username} | Username from credentials | postgres |
| password | ${POSTGRES_URL:password} | Password from credentials | secret123 |
| database | ${POSTGRES_URL:database} | Database name (path without leading /) | mydb |
| query | ${POSTGRES_URL:query} | Query string without ? | sslmode=require |
| fragment | ${POSTGRES_URL:fragment} | Fragment/hash without # | section1 |
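
The expansion rules in the table, reproduced as an added Python example (not DollarDeploy's implementation) so that a settings file can be checked locally before deploying. The names `url_part`, `expand` and `redact` are hypothetical; failing on an undefined variable and leaving values percent-encoded are assumptions, since the page does not describe either case.

```python
import re
from urllib.parse import urlsplit

# ${NAME:part}, the expansion syntax documented above.
EXPANSION = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*):([a-z]+)\}")

def url_part(url, part):
    """Return one component of a connection URL, following the table above."""
    u = urlsplit(url)
    parts = {
        "host": u.netloc.rpartition("@")[2],   # host:port without credentials
        "hostname": u.hostname or "",
        "port": str(u.port or 0),              # table: 0 if not specified
        "path": u.path,
        "username": u.username or "",
        "password": u.password or "",          # left as written in the URL
        "database": u.path.removeprefix("/"),  # path without leading /
        "query": u.query,
        "fragment": u.fragment,
    }
    if part not in parts:
        raise ValueError(f"unknown URL part: {part}")
    return parts[part]

def expand(template, env):
    """Expand every ${NAME:part} in template using the URLs in env."""
    def substitute(match):
        name, part = match.group(1), match.group(2)
        if name not in env:
            # Assumption: fail instead of silently producing an empty secret.
            raise KeyError(f"{name} is not defined")
        return url_part(env[name], part)
    return EXPANSION.sub(substitute, template)

def redact(url):
    """Mask the password so the URL can be written to logs."""
    password = urlsplit(url).password
    return url.replace(f":{password}@", ":***@", 1) if password else url

# The example URL from this page.
URL = "postgres://postgres:secret123@localhost:5432/mydb?sslmode=require#section1"

if __name__ == "__main__":
    print(expand("PGHOST=${POSTGRES_URL:hostname}", {"POSTGRES_URL": URL}))
    print(redact(URL))
```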