Reference
Lookup tables for properties, secrets, and CLI flags used by sfp server init and related commands.
Properties
Configured via server.json (passed to --config-file).

| Property | Description | Default → allowed values | Change with |
| --- | --- | --- | --- |
| domain | Hostname Caddy serves on; goes into TLS cert. Init accepts any value (or none); Caddy refuses to come up in prod without a real FQDN. | required for prod runtime → any FQDN | sfp server init --force 🔥 |
| cicdProvider | Which CI/CD platform you trigger pipelines from. github (default) wires GitHub Actions / GitHub App webhooks; gitlab wires GitLab CI / merge-request triggers. | github → github / gitlab | sfp server init --force 🔥 |
| supabase.mode | Where Postgres lives. self-hosted (default) runs in-stack; cloud points at Supabase Cloud. See Cloud Supabase setup. | self-hosted → self-hosted / cloud | sfp server init --force 🔥 |
| supabase.url | Cloud Supabase URL (only when mode: cloud) | — → any HTTPS URL | sfp server init --force 🔥 |
| tlsMode | How HTTPS is served. cloudflare — BYO cert. letsencrypt — Caddy auto-issues via ACME. custom — on-demand TLS. none — HTTP only, external proxy terminates TLS. | cloudflare → cloudflare / letsencrypt / custom / none | sfp server init --force 🔥 |
| workers | Background Hatchet worker count | 1 → 1–10 | sfp server update |
| release_cadence | production (default) — stable. development — bleeding edge. The production channel currently requires an image_fqdn + image_tag override. | production → production / development | sfp server update --cadence <v> |
| image_fqdn | Override of release_cadence registry path. Use when you mirror images to a private registry. | derived from cadence → any registry path | sfp server update |
| image_tag | Override of release_cadence tag. Pin a specific tag when you want a specific build. | derived from cadence → any registry tag | sfp server update --docker-tag <tag> |
| secrets.* | Registry creds, Supabase keys (cloud), JWT secret, etc. | from server.json / env / provider → any string | sfp server update (re-collects) |

🔥 = wipes tenant DB + volumes + on-disk tenant dir. Back up first. Other tenants on the same host are untouched.
Secrets
Self-hosted Supabase auto-generates every SUPABASE_* key at init. The "Cloud only" rows below apply when supabase.mode: cloud — paste them into secrets.* in your server.json.

| Secret | Required | Value or where to get it |
| --- | --- | --- |
| DOCKER_REGISTRY | Always | source.flxbl.io |
| DOCKER_REGISTRY_TOKEN | Always | Log in to source.flxbl.io → User Settings → Applications → Generate New Token → All repos + Org access, package: Read scope. |
| SUPABASE_URL | Cloud only | Supabase Dashboard → Project overview → Project API → Project URL |
| SUPABASE_ANON_KEY | Cloud only | Supabase Dashboard → Project overview → Project API → anon/public key |
| SUPABASE_SERVICE_KEY | Cloud only | Supabase Dashboard → Project Settings → API Keys → service_role |
| SUPABASE_JWT_SECRET | Cloud only | Supabase Dashboard → Project Settings → JWT Keys → JWT Secret |
| SUPABASE_DB_URL | Cloud only | Dashboard → Connect → Session pooler (port 6543) for IPv4-only hosts; URL-encode @ → %40 |
| GITHUB_APP_ID | Post-init only | Wire up after init with sfp server integration create --provider github --auth-type app (or POST /sfp/api/integrations). Not in server.json. |
| GITHUB_APP_PRIVATE_KEY | Post-init only | Same: passed to sfp server integration create as the credentials payload. |

CLI flags
Flags that control how and where init runs — SSH, secrets provider, scripted-mode toggles.

| Flag | Default | Description |
| --- | --- | --- |
| --mode <dev\|prod> | prod | dev skips TLS + --domain and exposes the server at http://localhost:3029. |
| --config-file <path> | — | Path to your server.json. |
| --ssh-connection <user@host[:port]> | — | Run init remotely. Omit --ssh-connection AND --identity-file (both, together) to install on the local box. |
| --identity-file <path> | — | SSH private key (paired with --ssh-connection). Tilde expanded. |
| --passphrase <p> | — | Only if your SSH key is encrypted. |
| --secrets-provider <custom\|infisical\|aws-secretsmanager> | custom | Where init reads secrets from. custom reads from env vars and server.json. infisical pulls from Infisical. aws-secretsmanager pulls from AWS Secrets Manager. |
| --infisical-token <t> | — | Required when --secrets-provider=infisical. Env var INFISICAL_TOKEN is recommended over the flag. |
| --aws-region <r> | — | Required when --secrets-provider=aws-secretsmanager. Env var AWS_REGION is recommended over the flag. |
| --interactive / --no-interactive | interactive | --no-interactive when scripted. |
| --print-credentials | off | Dump admin creds to stdout. Insecure in CI/CD — by default they go to a permissioned file on the server. |
| --force | off | Re-init an existing tenant. 🔥 wipes tenant DB + volumes + on-disk tenant dir. |

Cloud Supabase setup
Use cloud mode when you must reuse an existing Supabase project. You provide the five SUPABASE_* secrets (where to find each value: see Secrets above). Self-hosted is recommended: it auto-generates these keys at init and runs Postgres in the same Docker stack.
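
A pre-flight check for the constraints listed in the Properties and Secrets tables, as an added example that is not part of the sfp CLI or its documentation. It assumes dotted property names map to nested JSON objects and that secrets live in server.json under `secrets`, keyed by the secret names (the custom provider); `check_server_config` and the sample values are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Allowed values copied from the Properties table on this page.
ENUMS = {"cicdProvider": {"github", "gitlab"},
         "tlsMode": {"cloudflare", "letsencrypt", "custom", "none"},
         "release_cadence": {"production", "development"}}
CLOUD_SECRETS = ("SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_KEY",
                 "SUPABASE_JWT_SECRET", "SUPABASE_DB_URL")
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_server_config(cfg, mode="prod"):
    """Return the problems found in a parsed server.json (empty list = clean)."""
    problems = []
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            problems.append(f"{key}: {cfg[key]!r} not in {sorted(allowed)}")
    if mode == "prod" and not FQDN.match(str(cfg.get("domain", ""))):
        problems.append("domain: prod needs a real FQDN or Caddy will not start")
    workers = cfg.get("workers", 1)
    if type(workers) is not int or not 1 <= workers <= 10:
        problems.append("workers: must be an integer from 1 to 10")
    if cfg.get("release_cadence", "production") == "production" and not (
            cfg.get("image_fqdn") and cfg.get("image_tag")):
        problems.append("release_cadence: production needs image_fqdn and image_tag")
    supabase = cfg.get("supabase", {})
    sb_mode = supabase.get("mode", "self-hosted")
    if sb_mode not in ("self-hosted", "cloud"):
        problems.append(f"supabase.mode: {sb_mode!r} is not self-hosted or cloud")
    if sb_mode == "cloud":
        # Assumption: secrets are in server.json under "secrets", keyed by the names above.
        secrets = cfg.get("secrets", {})
        if urlsplit(str(supabase.get("url", ""))).scheme != "https":
            problems.append("supabase.url: cloud mode needs an HTTPS URL")
        problems += [f"secrets.{n}: required when supabase.mode is cloud"
                     for n in CLOUD_SECRETS if not secrets.get(n)]
        # A raw @ in the password leaves more than one @ in the authority part.
        authority = str(secrets.get("SUPABASE_DB_URL", "")).partition("://")[2].split("/")[0]
        if authority.count("@") > 1:
            problems.append("secrets.SUPABASE_DB_URL: URL-encode @ in the password as %40")
    return problems

# Constructed sample, not a real deployment.
SAMPLE = {"domain": "sfp.example.com", "tlsMode": "letsencrypt", "workers": 11,
          "release_cadence": "development", "supabase": {"mode": "cloud",
          "url": "https://abc.supabase.co"}, "secrets": {"SUPABASE_DB_URL":
          "postgresql://postgres:p@ss@db.example.com:6543/postgres"}}

if __name__ == "__main__":
    for problem in check_server_config(SAMPLE):
        print(problem)
```

Running it on the parsed file before `sfp server init --force` catches these mistakes while the existing tenant data is still intact.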