Skip to main content

Environment Variables

Complete reference for all environment variables used to configure FireBackup Enterprise. This guide covers required variables, optional settings, and recommendations for production deployments.

Required Variables

These variables must be set for FireBackup to function:

Core Configuration

VariableDescriptionExample
NODE_ENVEnvironment modeproduction
BASE_URLPublic URL of the APIhttps://api.firebackup.io
DATABASE_URLPostgreSQL connection stringpostgresql://user:pass@host:5432/db
REDIS_URLRedis connection stringredis://localhost:6379

Security

VariableDescriptionExample
JWT_SECRETSecret for JWT token signing (32+ bytes)openssl rand -hex 32
ENCRYPTION_KEYAES-256 encryption key (32 bytes hex)openssl rand -hex 32

Google OAuth

VariableDescriptionExample
GOOGLE_CLIENT_IDGoogle OAuth client IDxxx.apps.googleusercontent.com
GOOGLE_CLIENT_SECRETGoogle OAuth client secretGOCSPX-xxx
GOOGLE_CALLBACK_URLOAuth callback URLhttps://api.firebackup.io/api/v1/auth/google/callback

License

VariableDescriptionExample
LICENSE_KEYFireBackup Enterprise license keyfb_lic_xxx

Database Configuration

PostgreSQL

VariableDescriptionDefault
DATABASE_URLFull connection stringRequired
DATABASE_POOL_MINMinimum pool connections2
DATABASE_POOL_MAXMaximum pool connections10
DATABASE_SSLEnable SSL connectionfalse
DATABASE_SSL_REJECT_UNAUTHORIZEDReject self-signed certstrue

Connection String Format:

postgresql://USER:PASSWORD@HOST:PORT/DATABASE?schema=public&sslmode=require

Examples:

# Local development
DATABASE_URL=postgresql://postgres:password@localhost:5432/firebackup

# AWS RDS
DATABASE_URL=postgresql://admin:password@mydb.xxxxx.us-east-1.rds.amazonaws.com:5432/firebackup?sslmode=require

# Google Cloud SQL (via proxy)
DATABASE_URL=postgresql://firebackup:password@localhost:5432/firebackup

# Azure Database
DATABASE_URL=postgresql://admin@myserver:password@myserver.postgres.database.azure.com:5432/firebackup?sslmode=require

Redis

VariableDescriptionDefault
REDIS_URLFull connection stringRequired
REDIS_HOSTRedis hostname (alternative)localhost
REDIS_PORTRedis port (alternative)6379
REDIS_PASSWORDRedis passwordNone
REDIS_TLSEnable TLS connectionfalse
REDIS_DBRedis database number0

Connection String Format:

redis://[:PASSWORD@]HOST:PORT[/DATABASE]
rediss://[:PASSWORD@]HOST:PORT[/DATABASE]  # TLS

Examples:

# Local development
REDIS_URL=redis://localhost:6379

# With password
REDIS_URL=redis://:mypassword@localhost:6379

# AWS ElastiCache
REDIS_URL=redis://my-cluster.xxxxx.cache.amazonaws.com:6379

# With TLS
REDIS_URL=rediss://:password@my-cluster.xxxxx.cache.amazonaws.com:6379

Authentication

JWT Configuration

VariableDescriptionDefault
JWT_SECRETToken signing secretRequired
JWT_EXPIRES_INToken expiration7d
JWT_REFRESH_EXPIRES_INRefresh token expiration30d
JWT_ALGORITHMSigning algorithmHS256

OAuth Configuration

VariableDescriptionDefault
GOOGLE_CLIENT_IDOAuth client IDRequired
GOOGLE_CLIENT_SECRETOAuth client secretRequired
GOOGLE_CALLBACK_URLCallback URLRequired
OAUTH_STATE_TTLState parameter TTL300 (seconds)

Session Settings

VariableDescriptionDefault
SESSION_SECRETSession encryption keyUses JWT_SECRET
SESSION_MAX_AGESession cookie max age86400000 (1 day)
SESSION_SECURESecure cookie flagtrue in production

Encryption

VariableDescriptionDefault
ENCRYPTION_KEYMaster encryption key (32 bytes)Required
ENCRYPTION_ALGORITHMAlgorithm for backupsaes-256-gcm
ENCRYPTION_KEY_ROTATIONEnable key rotationfalse

Generating Keys:

# Generate 32-byte hex key
openssl rand -hex 32

# Generate base64 key
openssl rand -base64 32

Storage Configuration

General Storage

VariableDescriptionDefault
DATA_DIRLocal data directory./data
TEMP_DIRTemporary file directory/tmp/firebackup
MAX_UPLOAD_SIZEMaximum upload size500MB

AWS S3

VariableDescriptionDefault
AWS_ACCESS_KEY_IDAWS access keyNone
AWS_SECRET_ACCESS_KEYAWS secret keyNone
AWS_REGIONDefault AWS regionus-east-1
AWS_S3_ENDPOINTCustom S3 endpoint (for MinIO)None
AWS_S3_FORCE_PATH_STYLEUse path-style URLsfalse

Google Cloud Storage

VariableDescriptionDefault
GOOGLE_APPLICATION_CREDENTIALSPath to service account JSONNone
GCS_PROJECT_IDGCP project IDNone

DigitalOcean Spaces

VariableDescriptionDefault
DO_SPACES_KEYSpaces access keyNone
DO_SPACES_SECRETSpaces secret keyNone
DO_SPACES_REGIONSpaces regionnyc3
DO_SPACES_ENDPOINTSpaces endpointhttps://nyc3.digitaloceanspaces.com

Worker Configuration

Backup Worker

VariableDescriptionDefault
WORKER_CONCURRENCYConcurrent backup jobs3
WORKER_MAX_RETRIESMax job retries3
WORKER_RETRY_DELAYDelay between retries (ms)5000
WORKER_TIMEOUTJob timeout (ms)3600000 (1 hour)
WORKER_STALLED_INTERVALStalled job check interval30000

PITR Worker

VariableDescriptionDefault
PITR_ENABLEDEnable PITR functionalitytrue
PITR_POLL_INTERVALChange polling interval (ms)5000
PITR_BATCH_SIZEChanges per batch100
PITR_RETENTION_DAYSChange window retention7

Queue Settings

VariableDescriptionDefault
QUEUE_PREFIXBullMQ queue prefixfirebackup
QUEUE_LIMITER_MAXRate limit max jobs100
QUEUE_LIMITER_DURATIONRate limit window (ms)60000

Email Configuration

VariableDescriptionDefault
SMTP_HOSTSMTP server hostnameNone
SMTP_PORTSMTP server port587
SMTP_SECUREUse TLSfalse
SMTP_USERSMTP usernameNone
SMTP_PASSSMTP passwordNone
FROM_EMAILDefault sender emailNone
FROM_NAMEDefault sender nameFireBackup

Example:

SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USER=apikey
SMTP_PASS=SG.xxxxx
FROM_EMAIL=noreply@firebackup.io
FROM_NAME=FireBackup

Logging

VariableDescriptionDefault
LOG_LEVELLogging levelinfo
LOG_FORMATLog formatjson
LOG_FILELog file pathNone (stdout)
LOG_MAX_SIZEMax log file size100MB
LOG_MAX_FILESMax log file count5

Log Levels:

  • error - Errors only
  • warn - Warnings and errors
  • info - General information (default)
  • debug - Debug information
  • verbose - Detailed debug

Example:

LOG_LEVEL=info
LOG_FORMAT=json
LOG_FILE=/var/log/firebackup/app.log

Monitoring

Metrics

VariableDescriptionDefault
METRICS_ENABLEDEnable Prometheus metricsfalse
METRICS_PORTMetrics endpoint port9090
METRICS_PATHMetrics endpoint path/metrics

Health Checks

VariableDescriptionDefault
HEALTH_CHECK_ENABLEDEnable health endpointstrue
HEALTH_CHECK_TIMEOUTHealth check timeout (ms)5000

Sentry

VariableDescriptionDefault
SENTRY_DSNSentry DSN for error trackingNone
SENTRY_ENVIRONMENTSentry environment nameNODE_ENV
SENTRY_TRACES_SAMPLE_RATETransaction sample rate0.1

Rate Limiting

VariableDescriptionDefault
RATE_LIMIT_ENABLEDEnable rate limitingtrue
RATE_LIMIT_WINDOWTime window (ms)60000
RATE_LIMIT_MAXMax requests per window100
RATE_LIMIT_SKIP_SUCCESSFULSkip successful requestsfalse

CORS Configuration

VariableDescriptionDefault
CORS_ORIGINAllowed origins*
CORS_METHODSAllowed HTTP methodsGET,POST,PUT,DELETE,PATCH
CORS_CREDENTIALSAllow credentialstrue
CORS_MAX_AGEPreflight cache (seconds)86400

Example:

CORS_ORIGIN=https://app.firebackup.io,https://admin.firebackup.io
CORS_CREDENTIALS=true

Web Dashboard

VariableDescriptionDefault
VITE_API_URLAPI endpoint URLRequired
VITE_SOCKET_URLWebSocket URLSame as API
VITE_SENTRY_DSNFrontend Sentry DSNNone

Feature Flags

VariableDescriptionDefault
FEATURE_PITREnable Point-in-Time Recoverytrue
FEATURE_WEBHOOKSEnable webhookstrue
FEATURE_AUDIT_LOGEnable audit loggingtrue
FEATURE_SSOEnable SSO/SAMLfalse
FEATURE_CUSTOM_ENCRYPTIONEnable custom encryption keysfalse

License Configuration

VariableDescriptionDefault
LICENSE_KEYLicense key stringRequired
LICENSE_FILEPath to license fileNone
LICENSE_SERVERLicense server URLhttps://license.firebackup.io
LICENSE_OFFLINEEnable offline modefalse

Complete Example

Production .env

# ===========================================
# FireBackup Enterprise - Production Config
# ===========================================

# Core
NODE_ENV=production
BASE_URL=https://api.firebackup.io

# Database
DATABASE_URL=postgresql://firebackup:SECURE_PASSWORD@db.internal:5432/firebackup?sslmode=require
DATABASE_POOL_MAX=20

# Redis
REDIS_URL=redis://:REDIS_PASSWORD@redis.internal:6379

# Security
JWT_SECRET=your-super-secret-jwt-key-minimum-32-bytes-long
JWT_EXPIRES_IN=24h
ENCRYPTION_KEY=your-32-byte-hex-encryption-key-here

# Google OAuth
GOOGLE_CLIENT_ID=123456789.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-client-secret
GOOGLE_CALLBACK_URL=https://api.firebackup.io/api/v1/auth/google/callback

# License
LICENSE_KEY=fb_lic_your-license-key-here

# Workers
WORKER_CONCURRENCY=5
WORKER_MAX_RETRIES=3

# Email
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USER=apikey
SMTP_PASS=SG.your-sendgrid-api-key
FROM_EMAIL=noreply@firebackup.io
FROM_NAME=FireBackup

# Logging
LOG_LEVEL=info
LOG_FORMAT=json

# Monitoring
METRICS_ENABLED=true
METRICS_PORT=9090
SENTRY_DSN=https://xxx@sentry.io/xxx

# CORS
CORS_ORIGIN=https://app.firebackup.io

# Rate Limiting
RATE_LIMIT_MAX=200

Development .env

# ===========================================
# FireBackup Enterprise - Development Config
# ===========================================

# Core
NODE_ENV=development
BASE_URL=http://localhost:4000

# Database
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/firebackup

# Redis
REDIS_URL=redis://localhost:6379

# Security
JWT_SECRET=dev-secret-not-for-production-use
ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Google OAuth
GOOGLE_CLIENT_ID=xxx.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-xxx
GOOGLE_CALLBACK_URL=http://localhost:4000/api/v1/auth/google/callback

# License (development license)
LICENSE_KEY=fb_lic_dev_xxxxxxxx

# Logging
LOG_LEVEL=debug
LOG_FORMAT=pretty

# CORS
CORS_ORIGIN=http://localhost:3000

Environment Variable Validation

FireBackup validates required environment variables at startup. If validation fails, the application will not start:

Error: Missing required environment variables:
  - DATABASE_URL
  - JWT_SECRET
  - GOOGLE_CLIENT_ID

Please set these variables and restart the application.

Security Best Practices

Do's

  • Use strong, unique values for secrets
  • Store secrets in secure secret managers
  • Use environment-specific configurations
  • Rotate secrets regularly
  • Use SSL for database and Redis connections

Don'ts

  • Don't commit .env files to version control
  • Don't use default or example values in production
  • Don't log sensitive environment variables
  • Don't share secrets between environments

Secret Management

Kubernetes Secrets:

kubectl create secret generic firebackup-secrets \
  --from-literal=jwt-secret=$(openssl rand -hex 32) \
  --from-literal=encryption-key=$(openssl rand -hex 32)

AWS Secrets Manager:

aws secretsmanager create-secret \
  --name firebackup/production \
  --secret-string '{"JWT_SECRET":"xxx","ENCRYPTION_KEY":"xxx"}'

HashiCorp Vault:

vault kv put secret/firebackup/production \
  JWT_SECRET="xxx" \
  ENCRYPTION_KEY="xxx"

Next: Security Hardening - Production security best practices.