Reference

Lookup tables for properties, secrets, and CLI flags used by sfp server init and related commands.


Properties

Configured via server.json (passed to --config-file).

| Field | Default → possible values | How to change |
|---|---|---|
| domain — Hostname Caddy serves on; goes into TLS cert. Init accepts any value (or none); Caddy refuses to come up in prod without a real FQDN. | required for prod runtime → any FQDN | sfp server init --force 🔥 |
| cicdProvider — Which CI/CD platform you trigger pipelines from. github (default) wires GitHub Actions / GitHub App webhooks; gitlab wires GitLab CI / merge-request triggers. | github → github / gitlab | sfp server init --force 🔥 |
| supabase.mode — Where Postgres lives. self-hosted (default) runs in-stack; cloud points at Supabase Cloud. See Cloud Supabase setup. | self-hosted → self-hosted / cloud | sfp server init --force 🔥 |
| supabase.url — Cloud Supabase URL (only when mode: cloud) | — → any HTTPS URL | sfp server init --force 🔥 |
| tlsMode — How HTTPS is served. cloudflare — BYO cert. letsencrypt — Caddy auto-issues via ACME. custom — on-demand TLS. none — HTTP only, external proxy terminates TLS. | cloudflare → cloudflare / letsencrypt / custom / none | sfp server init --force 🔥 |
| workers — Background Hatchet worker count | 1 → 1–10 | sfp server update |
| release_cadence — production (default) — stable. development — bleeding edge. The production channel currently requires an image_fqdn + image_tag override. | production → production / development | sfp server update --cadence <v> |
| image_fqdn — Override of release_cadence registry path. Use when you mirror images to a private registry. | derived from cadence → any registry path | sfp server update |
| image_tag — Override of release_cadence tag. Pin a specific tag when you want a specific build. | derived from cadence → any registry tag | sfp server update --docker-tag <tag> |
| secrets.* — Registry creds, Supabase keys (cloud), JWT secret, etc. | from server.json / env / provider → any string | sfp server update (re-collects) |

🔥 = wipes tenant DB + volumes + on-disk tenant dir. Back up first. Other tenants on the same host are untouched.


Secrets

Self-hosted Supabase auto-generates every SUPABASE_* key at init. The "Cloud only" rows below apply when supabase.mode: cloud — paste them into secrets.* in your server.json.

| Secret | Required? | Where to get it |
|---|---|---|
| DOCKER_REGISTRY | Always | source.flxbl.io |
| DOCKER_REGISTRY_TOKEN | Always | Log in to source.flxbl.io → User Settings → Applications → Generate New Token → All repos + Org access, package: Read scope. |
| ORIGIN_CERT | If --tls-mode cloudflare | Base64-encoded PEM certificate (see TLS config) |
| ORIGIN_KEY | If --tls-mode cloudflare | Base64-encoded PEM private key (see TLS config) |
| SUPABASE_URL | Cloud only | Supabase Dashboard → Project overview → Project API → Project URL |
| SUPABASE_ANON_KEY | Cloud only | Supabase Dashboard → Project overview → Project API → anon/public key |
| SUPABASE_SERVICE_KEY | Cloud only | Supabase Dashboard → Project Settings → API Keys → service_role |
| SUPABASE_JWT_SECRET | Cloud only | Supabase Dashboard → Project Settings → JWT Keys → JWT Secret |
| SUPABASE_DB_URL | Cloud only | Dashboard → Connect → Session pooler (port 6543) for IPv4-only hosts; URL-encode @ → %40 |
| GITHUB_APP_ID | Post-init only | Wire up after init with sfp server integration create --provider github --auth-type app (or POST /sfp/api/integrations). Not in server.json. |
| GITHUB_APP_PRIVATE_KEY | Post-init only | Same: passed to sfp server integration create as the credentials payload. |


CLI flags

Flags that control how and where init runs — SSH, secrets provider, scripted-mode toggles.

| Flag | Default | When you need it |
|---|---|---|
| --mode <dev\|prod> | prod | dev skips TLS + --domain and exposes the server at http://localhost:3029. |
| --config-file <path> | | Path to your server.json. |
| --ssh-connection <user@host[:port]> | | Run init remotely. Omit --ssh-connection AND --identity-file (both, together) to install on the local box. |
| --identity-file <path> | | SSH private key (paired with --ssh-connection). Tilde expanded. |
| --passphrase <p> | | Only if your SSH key is encrypted. |
| --tls-mode <cloudflare\|letsencrypt\|custom\|none> | cloudflare | |
| --secrets-provider <custom\|infisical\|aws-secretsmanager> | custom | Where init reads secrets from. custom reads from env vars and server.json. infisical pulls from Infisical. aws-secretsmanager pulls from AWS Secrets Manager. |
| --infisical-token <t> | | Required when --secrets-provider=infisical. Env var INFISICAL_TOKEN is recommended over the flag. |
| --aws-region <r> | | Required when --secrets-provider=aws-secretsmanager. Env var AWS_REGION is recommended over the flag. |
| --interactive / --no-interactive | interactive | --no-interactive when scripted. |
| --print-credentials | off | Dump admin creds to stdout. Insecure in CI/CD — by default they go to a permissioned file on the server. |
| --force | off | Re-init an existing tenant. 🔥 wipes tenant DB + volumes + on-disk tenant dir. |


Cloud Supabase setup

Use cloud mode when you must reuse an existing Supabase project. You provide the five SUPABASE_* secrets (where to find each value: see Secrets above). Self-hosted is recommended — auto-generates these keys at init and runs Postgres in the same Docker stack.
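A pre-flight check for the constraints listed in the Properties and Secrets tables, written as an added example; it is not part of sfp or its documentation. The JSON nesting (supabase as a nested object, secrets as a flat map), the function names, and all sample values are assumptions.

```python
import base64, re
from urllib.parse import urlsplit

TLS_MODES = {"cloudflare", "letsencrypt", "custom", "none"}
CLOUD_SECRETS = tuple("SUPABASE_" + s for s in ("URL", "ANON_KEY", "SERVICE_KEY", "JWT_SECRET", "DB_URL"))
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def is_b64_pem(value):
    """True if value base64-decodes to something that starts like a PEM block."""
    try:
        raw = base64.b64decode("".join(str(value).split()), validate=True)
        return raw.lstrip().startswith(b"-----BEGIN ")
    except ValueError:
        return False

def check_server_config(cfg, mode="prod"):
    """Return a list of problems in a parsed server.json (nesting is assumed)."""
    problems, secrets, supa = [], cfg.get("secrets", {}), cfg.get("supabase", {})
    tls = cfg.get("tlsMode", "cloudflare")  # documented default
    if mode == "prod" and not FQDN.match(cfg.get("domain", "")):
        problems.append("domain: prod needs a real FQDN")
    if tls not in TLS_MODES:
        problems.append(f"tlsMode: unknown value {tls!r}")
    if tls == "cloudflare":
        problems += [f"secrets.{n}: expected base64-encoded PEM"
                     for n in ("ORIGIN_CERT", "ORIGIN_KEY") if not is_b64_pem(secrets.get(n, ""))]
    problems += [f"secrets.{n}: always required"
                 for n in ("DOCKER_REGISTRY", "DOCKER_REGISTRY_TOKEN") if not secrets.get(n)]
    if supa.get("mode", "self-hosted") == "cloud":
        if urlsplit(supa.get("url", "")).scheme != "https":
            problems.append("supabase.url: cloud mode needs an HTTPS URL")
        problems += [f"secrets.{n}: required in cloud mode"
                     for n in CLOUD_SECRETS if not secrets.get(n)]
        # More than one '@' means the password's '@' was not encoded as %40.
        if secrets.get("SUPABASE_DB_URL", "").count("@") > 1:
            problems.append("secrets.SUPABASE_DB_URL: URL-encode '@' as %40")
    return problems

SAMPLE = {  # constructed: raw (not base64) cert, http Supabase URL, unencoded '@'
    "domain": "sfp.example.com", "supabase": {"mode": "cloud", "url": "http://example.supabase.co"},
    "secrets": {
        "DOCKER_REGISTRY": "source.flxbl.io", "DOCKER_REGISTRY_TOKEN": "PLACEHOLDER",
        "ORIGIN_CERT": "-----BEGIN CERTIFICATE-----",
        "ORIGIN_KEY": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\n").decode(),
        "SUPABASE_DB_URL": "postgresql://postgres:p@ss@db.example.com:6543/postgres",
    },
}

print(*check_server_config(SAMPLE), sep="\n")
```

Running it before an init that uses --force catches a bad server.json before the tenant data is wiped.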
