Config System
ɳSelf uses environment variable files for all configuration. A layered cascade lets you separate team defaults from personal overrides from production secrets, keeping the right things committed to git and the right things off of it.
When ɳSelf loads configuration, it reads env files in order, with later files overriding earlier ones:
```
.env.dev       ← Team defaults (committed to git)
    ↓
.env.staging   ← Staging overrides (committed, only loaded if ENV=staging)
    ↓
.env.prod      ← Production overrides (committed, only loaded if ENV=prod)
    ↓
.env.secrets   ← Production secrets (GITIGNORED — never commit this)
    ↓
.env.local     ← Local personal overrides (GITIGNORED)
    ↓
.env           ← Highest priority overrides (GITIGNORED)
```
The cascade is additive: each layer only needs to contain the values it wants to override. A variable set in .env beats the same variable in .env.dev. Most teams only need two files in practice: .env.dev for shared team defaults and .env.secrets for passwords and API keys.
Environment-specific files (.env.staging, .env.prod) are skipped unless the ENV variable matches. Running nself start in a dev environment will never load .env.prod.
| File | Contents | Committed? |
|---|---|---|
| `.env.dev` | `POSTGRES_VERSION`, `HASURA_VERSION`, service toggles, non-sensitive defaults | Yes |
| `.env.staging` | Staging-specific URLs, feature flags | Yes |
| `.env.prod` | Production URLs, CORS domains | Yes |
| `.env.secrets` | `POSTGRES_PASSWORD`, `HASURA_GRAPHQL_ADMIN_SECRET`, API keys, tokens | No, gitignored |
| `.env.local` | Your personal port overrides, debugging flags | No, gitignored |
| `.env` | Emergency overrides, highest priority | No, gitignored |
This is the most important rule in the config system: never put secrets in .env.dev or .env.prod.
.env.secrets is gitignored by default and is where all sensitive values belong:
- Database passwords (`POSTGRES_PASSWORD`)
- Hasura admin secret (`HASURA_GRAPHQL_ADMIN_SECRET`)
- Third-party API keys and tokens
- Auth provider client secrets
- Any credential that must not appear in version control
If .env.secrets does not yet exist on a server or local machine, ɳSelf will tell you which required secrets are missing when you run nself doctor or nself build. Populate the file manually or with your team's secret management tool.
After nself build runs, it writes .env.computed with derived values that other services need. This file is generated automatically; do not edit it by hand.
Values written to .env.computed include:
- `DATABASE_URL`, constructed from the individual `POSTGRES_*` variables
- `DOCKER_NETWORK`, the project-scoped Docker network name
- `AUTH_ALLOWED_REDIRECT_URLS`, computed from `BASE_DOMAIN` plus the configured frontend routes
Every time you run nself build, .env.computed is regenerated from scratch. Any manual changes will be overwritten. If a derived value is not what you expect, trace it back to the source variables and fix those instead.
You do not need to set every variable. ɳSelf ships with sensible defaults so minimal projects need minimal configuration. Key defaults:
| Variable | Default |
|---|---|
| `ENV` | `dev` |
| `BASE_DOMAIN` | `local.nself.org` |
| `POSTGRES_VERSION` | `16-alpine` |
| `HASURA_VERSION` | `v2.44.0` |
Password handling varies by environment:
- Dev: if no password is set, ɳSelf auto-generates a weak local password and logs it. This is intentional: low friction for local development.
- Staging / Prod: strong passwords are required. ɳSelf enforces a minimum of 16 characters for `POSTGRES_PASSWORD` and 32 characters for `HASURA_GRAPHQL_ADMIN_SECRET`. The build will refuse to proceed if these requirements are not met.
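The cascade, the ENV-gated files, the "no secrets in committed files" rule and the staging/prod password minimums can be checked together. The following is an added example, not ɳSelf's own code: it resolves the layers and records which file won each key, then reports secret-looking keys in committed files and passwords below the documented minimums. The `parse_env` parser, the key-name heuristic, passing `env` as an argument and the sample file contents are assumptions made for illustration.

```python
import re

# Cascade order from the page: later files override earlier ones.
CASCADE = [".env.dev", ".env.staging", ".env.prod", ".env.secrets", ".env.local", ".env"]
COMMITTED = (".env.dev", ".env.staging", ".env.prod")
ENV_ONLY = {".env.staging": "staging", ".env.prod": "prod"}  # skipped unless ENV matches
ALIASES = {"development": "dev", "develop": "dev", "devel": "dev",
           "production": "prod", "stage": "staging"}
MIN_LEN = {"POSTGRES_PASSWORD": 16, "HASURA_GRAPHQL_ADMIN_SECRET": 32}
SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY")  # assumption: name heuristic

def parse_env(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips surrounding quotes."""
    pairs = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def resolve(files, env="dev"):
    """files maps file name -> contents. Returns {key: (value, winning_file)}."""
    env = ALIASES.get(env, env)
    effective = {}
    for name in CASCADE:
        if name in files and ENV_ONLY.get(name, env) == env:
            for key, value in parse_env(files[name]).items():
                effective[key] = (value, name)
    return effective

def audit(files, env="dev"):
    """Flag secret-looking keys in committed files and short staging/prod passwords."""
    env = ALIASES.get(env, env)
    findings = [f"{name}: {key} belongs in .env.secrets"
                for name in COMMITTED if name in files
                for key in parse_env(files[name]) if SECRET_KEY.search(key)]
    if env in ("staging", "prod"):
        effective = resolve(files, env)
        for key, minimum in MIN_LEN.items():
            if len(effective.get(key, ("", None))[0]) < minimum:
                findings.append(f"{key}: shorter than {minimum} characters in {env}")
    return findings

# Constructed sample input (not from the page).
SAMPLE = {
    ".env.dev": "POSTGRES_VERSION=16-alpine\nBASE_DOMAIN=local.nself.org\n",
    ".env.prod": "BASE_DOMAIN=example.com\nHASURA_GRAPHQL_ADMIN_SECRET=short\n",
    ".env.secrets": "POSTGRES_PASSWORD=constructed-pw-0123456789\n",
}
```

To run it against a real project directory, build the mapping with `{p.name: p.read_text() for p in Path(".").glob(".env*")}` and pass the same ENV value the deployment uses.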
The ENV variable accepts common aliases and normalizes them automatically:
| You write | ɳSelf reads as |
|---|---|
| `development`, `develop`, `devel` | `dev` |
| `production`, `prod` | `prod` |
| `staging`, `stage` | `staging` |
This means ENV=production and ENV=prod are equivalent; use whichever matches your team's convention.
Running nself doctor validates your configuration before you deploy:
- Checks that all required variables are set for the current environment
- Validates password strength (dev: warning, staging/prod: hard failure)
- Confirms no wildcard CORS domains are configured in production
- Reports misconfigured or conflicting ports
- Verifies that service toggles are internally consistent, for example by flagging a pro plugin that requires Redis when Redis is disabled
Run nself doctor after setting up a new environment and after any significant change to your env files. It is also run automatically as part of nself build.
See also: Architecture | Service-Graph | Compose-Generation | Home
ɳSelf CLI v1.0.9. MIT licensed. Docs CC BY 4.0.