# Reference

Lookup tables for properties, secrets, and CLI flags used by `sfp server init` and related commands.

***

## Properties

Configured via `server.json` (passed to `--config-file`).

| Field                                                                                                                                                                                   | Default → possible values                                       | How to change                          |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | -------------------------------------- |
| **`domain`** — Hostname Caddy serves on; goes into TLS cert. Init accepts any value (or none); Caddy refuses to come up in prod without a real FQDN.                                    | required for prod runtime → any FQDN                            | `sfp server init --force` 🔥           |
| **`cicdProvider`** — Which CI/CD platform you trigger pipelines from. `github` (default) wires GitHub Actions / GitHub App webhooks; `gitlab` wires GitLab CI / merge-request triggers. | `github` → `github` / `gitlab`                                  | `sfp server init --force` 🔥           |
| **`supabase.mode`** — Where Postgres lives. `self-hosted` (default) runs in-stack; `cloud` points at Supabase Cloud. See [Cloud Supabase setup](#cloud-supabase-setup).                 | `self-hosted` → `self-hosted` / `cloud`                         | `sfp server init --force` 🔥           |
| **`supabase.url`** — Cloud Supabase URL (only when `mode: cloud`)                                                                                                                       | — → any HTTPS URL                                               | `sfp server init --force` 🔥           |
| **`tlsMode`** — How HTTPS is served. `cloudflare` — BYO cert. `letsencrypt` — Caddy auto-issues via ACME. `custom` — on-demand TLS. `none` — HTTP only, external proxy terminates TLS.  | `cloudflare` → `cloudflare` / `letsencrypt` / `custom` / `none` | `sfp server init --force` 🔥           |
| **`workers`** — Background Hatchet worker count                                                                                                                                         | `1` → `1`–`10`                                                  | `sfp server update`                    |
| **`release_cadence`** — `production` (default) — stable. `development` — bleeding edge. The `production` channel currently requires an `image_fqdn` + `image_tag` override.             | `production` → `production` / `development`                     | `sfp server update --cadence <v>`      |
| **`image_fqdn`** — Override of `release_cadence` registry path. Use when you mirror images to a private registry.                                                                       | derived from cadence → any registry path                        | `sfp server update`                    |
| **`image_tag`** — Override of `release_cadence` tag. Pin a specific tag when you want a specific build.                                                                                 | derived from cadence → any registry tag                         | `sfp server update --docker-tag <tag>` |
| **`secrets.*`** — Registry creds, Supabase keys (cloud), JWT secret, etc.                                                                                                               | from `server.json` / env / provider → any string                | `sfp server update` (re-collects)      |

🔥 = wipes tenant DB + volumes + on-disk tenant dir. Back up first. Other tenants on the same host are untouched.

***

## Secrets

Self-hosted Supabase auto-generates every `SUPABASE_*` key at init. The "Cloud only" rows below apply when `supabase.mode: cloud` — paste them into `secrets.*` in your `server.json`.

| Secret                   | Required?                  | Where to get it                                                                                                                                                                      |
| ------------------------ | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `DOCKER_REGISTRY`        | Always                     | `source.flxbl.io`                                                                                                                                                                    |
| `DOCKER_REGISTRY_TOKEN`  | Always                     | Log in to source.flxbl.io → [User Settings → Applications](https://source.flxbl.io/user/settings/applications) → Generate New Token → All repos + Org access, `package: Read` scope. |
| `ORIGIN_CERT`            | If `--tls-mode cloudflare` | Base64-encoded PEM certificate (see [TLS config](/flxbl/sfp-server/setting-up/setting-up-sfp-server.md#step-2-configure-tls))                                                        |
| `ORIGIN_KEY`             | If `--tls-mode cloudflare` | Base64-encoded PEM private key (see [TLS config](/flxbl/sfp-server/setting-up/setting-up-sfp-server.md#step-2-configure-tls))                                                        |
| `SUPABASE_URL`           | Cloud only                 | Supabase Dashboard → Project overview → Project API → Project URL                                                                                                                    |
| `SUPABASE_ANON_KEY`      | Cloud only                 | Supabase Dashboard → Project overview → Project API → anon/public key                                                                                                                |
| `SUPABASE_SERVICE_KEY`   | Cloud only                 | Supabase Dashboard → Project Settings → API Keys → service\_role                                                                                                                     |
| `SUPABASE_JWT_SECRET`    | Cloud only                 | Supabase Dashboard → Project Settings → JWT Keys → JWT Secret                                                                                                                        |
| `SUPABASE_DB_URL`        | Cloud only                 | Dashboard → Connect → **Session pooler** (port 6543) for IPv4-only hosts; URL-encode any `@` in the password as `%40`, otherwise the user/host split is wrong                     |
| `GITHUB_APP_ID`          | Post-init only             | Wire up after init with `sfp server integration create --provider github --auth-type app` (or `POST /sfp/api/integrations`). Not in `server.json`.                                   |
| `GITHUB_APP_PRIVATE_KEY` | Post-init only             | Same: passed to `sfp server integration create` as the credentials payload.                                                                                                          |

***

## CLI flags

Flags that control how and where init runs — SSH, secrets provider, scripted-mode toggles.

| Flag                                                         | Default      | When you need it                                                                                                                                                      |
| ------------------------------------------------------------ | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--mode <dev\|prod>`                                         | `prod`       | `dev` skips TLS + `--domain` and exposes the server at `http://localhost:3029`.                                                                                       |
| `--config-file <path>`                                       | —            | Path to your `server.json`.                                                                                                                                           |
| `--ssh-connection <user@host[:port]>`                        | —            | Run init remotely over SSH. Omit both `--ssh-connection` and `--identity-file` to install on the local box.                                                           |
| `--identity-file <path>`                                     | —            | SSH private key (paired with `--ssh-connection`). Tilde expanded.                                                                                                     |
| `--passphrase <p>`                                           | —            | Only if your SSH key is encrypted.                                                                                                                                    |
| `--tls-mode <cloudflare\|letsencrypt\|custom\|none>`         | `cloudflare` | See [TLS config](/flxbl/sfp-server/setting-up/setting-up-sfp-server.md#step-2-configure-tls).                                                                         |
| `--secrets-provider <custom\|infisical\|aws-secretsmanager>` | `custom`     | Where init reads secrets from. `custom` reads from env vars and `server.json`. `infisical` pulls from Infisical. `aws-secretsmanager` pulls from AWS Secrets Manager. |
| `--infisical-token <t>`                                      | —            | Required when `--secrets-provider=infisical`. Env var `INFISICAL_TOKEN` is recommended over the flag.                                                                 |
| `--aws-region <r>`                                           | —            | Required when `--secrets-provider=aws-secretsmanager`. Env var `AWS_REGION` is recommended over the flag.                                                             |
| `--interactive` / `--no-interactive`                         | interactive  | `--no-interactive` when scripted.                                                                                                                                     |
| `--print-credentials`                                        | off          | Dump admin creds to stdout. **Insecure in CI/CD** — by default they go to a permissioned file on the server.                                                          |
| `--force`                                                    | off          | Re-init an existing tenant. 🔥 wipes tenant DB + volumes + on-disk tenant dir.                                                                                        |

***

## Cloud Supabase setup

Use cloud mode when you must reuse an existing Supabase project. You provide the five `SUPABASE_*` secrets (see [Secrets](#secrets) above for where to find each value). **Self-hosted is recommended**: it auto-generates these keys at init and runs Postgres in the same Docker stack.

```json
{
  "domain": "sfp.yourcompany.com",
  "supabase": { "mode": "cloud", "url": "https://project.supabase.co" },
  "secrets": {
    "DOCKER_REGISTRY": "source.flxbl.io",
    "DOCKER_REGISTRY_TOKEN": "your-source-flxbl-pat",
    "SUPABASE_URL": "https://project.supabase.co",
    "SUPABASE_ANON_KEY": "eyJhbGciOi...",
    "SUPABASE_SERVICE_KEY": "eyJhbGciOi...",
    "SUPABASE_JWT_SECRET": "your-jwt-secret",
    "SUPABASE_DB_URL": "postgresql://postgres:password@db.project.supabase.co:5432/postgres"
  }
}
```
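Added example, not part of the sfp project or this page: a preflight check that applies the constraints from the Properties, Secrets and Cloud Supabase tables to a `server.json` before `sfp server init` runs, which matters because a re-init with `--force` is destructive. The field and secret names are the documented ones; the validation logic, the FQDN pattern, the `build_db_url` helper and the sample config (with dummy PEM bodies) are constructions and assumptions made here.

```python
"""Preflight validation of a server.json against the rules in the tables above.
Added example, not sfp's own code: field and secret names are the documented ones;
the checks, the FQDN pattern and the sample config below are constructed here."""
import base64
import re
from urllib.parse import quote, urlsplit

CLOUD_SECRETS = ("SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_KEY",
                 "SUPABASE_JWT_SECRET", "SUPABASE_DB_URL")
POST_INIT_ONLY = ("GITHUB_APP_ID", "GITHUB_APP_PRIVATE_KEY")  # wired via `sfp server integration create`
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def is_pem_b64(value: str, label: str) -> bool:
    """True if value is base64 of a PEM block whose header names `label`
    ('CERTIFICATE' or 'PRIVATE KEY'). Line-wrapped base64 is tolerated."""
    try:
        text = base64.b64decode("".join(value.split()), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    lines = text.strip().splitlines()
    return bool(lines) and lines[0].startswith("-----BEGIN") and label in lines[0]

def build_db_url(user: str, password: str, host: str, port: int, db: str = "postgres") -> str:
    """Assemble SUPABASE_DB_URL with credentials percent-encoded ('@' becomes %40)."""
    return f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/{db}"

def db_url_problem(url: str) -> "str | None":
    """Describe what is wrong with a SUPABASE_DB_URL, or None if it parses cleanly."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgresql", "postgres"):
        return "SUPABASE_DB_URL must start with postgresql://"
    if parts.netloc.count("@") != 1:  # unencoded '@' in the password: user/host split goes wrong
        return "SUPABASE_DB_URL has an unencoded '@' in the credentials; write it as %40"
    return None

def validate_config(cfg: dict, mode: str = "prod") -> list:
    """Return every documented constraint the config violates (empty list == OK)."""
    problems = []
    secrets = cfg.get("secrets", {})
    supabase = cfg.get("supabase", {})
    # Caddy only comes up in prod with a real FQDN; dev mode serves http://localhost:3029 instead.
    if mode == "prod" and not FQDN_RE.match(str(cfg.get("domain", ""))):
        problems.append("domain must be a real FQDN in prod mode")
    for name in ("DOCKER_REGISTRY", "DOCKER_REGISTRY_TOKEN"):
        if not secrets.get(name):
            problems.append(f"secrets.{name} is always required")
    sb_mode = supabase.get("mode", "self-hosted")
    if sb_mode == "cloud":
        if not str(supabase.get("url", "")).startswith("https://"):
            problems.append("supabase.url must be an HTTPS URL when mode is cloud")
        for name in CLOUD_SECRETS:
            if not secrets.get(name):
                problems.append(f"secrets.{name} is required when supabase.mode is cloud")
        if secrets.get("SUPABASE_DB_URL") and db_url_problem(secrets["SUPABASE_DB_URL"]):
            problems.append(db_url_problem(secrets["SUPABASE_DB_URL"]))
    elif sb_mode != "self-hosted":
        problems.append("supabase.mode must be self-hosted or cloud")
    tls = cfg.get("tlsMode", "cloudflare")
    if tls not in ("cloudflare", "letsencrypt", "custom", "none"):
        problems.append("tlsMode must be cloudflare, letsencrypt, custom or none")
    elif tls == "cloudflare":  # BYO cert: both halves must decode to PEM
        if not is_pem_b64(secrets.get("ORIGIN_CERT", ""), "CERTIFICATE"):
            problems.append("secrets.ORIGIN_CERT must be base64 of a PEM certificate")
        if not is_pem_b64(secrets.get("ORIGIN_KEY", ""), "PRIVATE KEY"):
            problems.append("secrets.ORIGIN_KEY must be base64 of a PEM private key")
    workers = cfg.get("workers", 1)
    if not (isinstance(workers, int) and 1 <= workers <= 10):
        problems.append("workers must be an integer from 1 to 10")
    cadence = cfg.get("release_cadence", "production")
    if cadence not in ("production", "development"):
        problems.append("release_cadence must be production or development")
    elif cadence == "production" and not (cfg.get("image_fqdn") and cfg.get("image_tag")):
        problems.append("production cadence currently needs image_fqdn and image_tag overrides")
    for name in POST_INIT_ONLY:
        if name in secrets:
            problems.append(f"secrets.{name} is post-init only; do not put it in server.json")
    return problems

# Constructed sample: cloud mode with BYO cert; the PEM bodies are dummies, not real key material.
DUMMY_CERT = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nDUMMYBODY\n-----END CERTIFICATE-----\n").decode()
DUMMY_KEY = base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nDUMMYBODY\n-----END PRIVATE KEY-----\n").decode()
SAMPLE = {
    "domain": "sfp.example.com",
    "tlsMode": "cloudflare",
    "supabase": {"mode": "cloud", "url": "https://project.supabase.co"},
    "image_fqdn": "registry.example.com/mirror",  # placeholder registry path
    "image_tag": "vX.Y.Z",  # placeholder tag
    "secrets": {
        "DOCKER_REGISTRY": "source.flxbl.io", "DOCKER_REGISTRY_TOKEN": "dummy-pat",
        "ORIGIN_CERT": DUMMY_CERT, "ORIGIN_KEY": DUMMY_KEY,
        "SUPABASE_URL": "https://project.supabase.co", "SUPABASE_ANON_KEY": "dummy-anon",
        "SUPABASE_SERVICE_KEY": "dummy-service", "SUPABASE_JWT_SECRET": "dummy-jwt",
        "SUPABASE_DB_URL": build_db_url("postgres", "p@ss:word", "db.project.supabase.co", 6543),
    },
}

if __name__ == "__main__":
    print(validate_config(SAMPLE) or "sample server.json passes preflight")
```

Run it as-is to check the embedded sample, or call `validate_config(json.load(open("server.json")))` on a real file before init. The defaults follow the Properties table, so a config that omits `tlsMode` is checked as `cloudflare` (and must carry `ORIGIN_CERT`/`ORIGIN_KEY`), and one that omits `release_cadence` is checked as `production` (and must carry the image overrides); set those fields explicitly if you intend something else.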
