Bootstrap Env Reference

This page documents variables from bootstrap-artifacts/bootstrap.env.

For runtime implications and operational policy details, see:

A) Host policy and behavior toggles

DEVOPS_USER: operational admin account used for SSH and sudo-based operations.
SSH_KEY_ROTATE: key reconciliation mode for DEVOPS_USER + ADDITIONAL_SUDO_USERS.
CLOSE_COOLIFY_REALTIME_PORTS: controls host-level public exposure of 6001/6002.
DOCKER_DISABLE_IPV6_FOR_PARSEADDR_FIX: controls automatic Docker ParseAddr mitigation.

Variable	Default value	Autogenerated / source	Required
`DEVOPS_USER`	`devops`	No	NO
`SSH_KEY_ROTATE`	`0`	No	NO
`CLOSE_COOLIFY_REALTIME_PORTS`	`false`	No	NO
`DOCKER_DISABLE_IPV6_FOR_PARSEADDR_FIX`	`true`	No	NO

COOLIFY_PUBLIC_DOMAIN: final domain used after onboarding.
COOLIFY_ROOT_USERNAME: root username used during installer bootstrap.
COOLIFY_ROOT_USER_EMAIL: login identifier for Coolify UI.
COOLIFY_ROOT_USER_PASSWORD: root password (auto-generated when empty/placeholder).

Variable	Default value	Autogenerated / source	Required
`COOLIFY_PUBLIC_DOMAIN`	none (`CHANGE_ME` placeholder)	No	YES
`COOLIFY_ROOT_USERNAME`	none (`CHANGE_ME` placeholder)	No	YES
`COOLIFY_ROOT_USER_EMAIL`	none (`CHANGE_ME` placeholder)	No	YES
`COOLIFY_ROOT_USER_PASSWORD`	none (`CHANGE_ME` placeholder)	Yes: via `generate-secrets.*` when empty/placeholder	YES

SSH_PUBLIC_KEY / SSH_PUBLIC_KEY_PATH: source for operator SSH key injection/reconciliation.
COOLIFY_SUDO_NOPASSWD_USER: dedicated localhost automation user for Coolify server validation.
ADDITIONAL_SUDO_USERS: extra managed users (space/comma/semicolon separated).
COOLIFY_REALTIME_DOMAIN: optional dedicated realtime domain.
SSH_PORT: hardened SSH port.
TIMEZONE: host timezone for VPS init.

Variable	Default value	Autogenerated / source	Required
`SSH_PUBLIC_KEY` or `SSH_PUBLIC_KEY_PATH`	`CHANGE_ME_or_leave_empty` / `CHANGE_ME_ssh_public_key`	Yes: local auto-detect in `generate-secrets.*` when empty/placeholder	NO (recommended YES for direct SSH key access)
`COOLIFY_SUDO_NOPASSWD_USER`	`coolify`	No	NO
`ADDITIONAL_SUDO_USERS`	empty	No	NO
`COOLIFY_REALTIME_DOMAIN`	empty	No	NO (fallback to `COOLIFY_PUBLIC_DOMAIN` in closed mode)
`SSH_PORT`	`2222`	No	NO
`TIMEZONE`	`UTC`	No	NO

USER_PASSWORDS_ENCRYPTION_PASSWORD: key used to encrypt /etc/vps-coolify-bootstrap/user-passwords.enc.

Variable	Default value	Autogenerated / source	Required
`USER_PASSWORDS_ENCRYPTION_PASSWORD`	none (`CHANGE_ME` placeholder)	Yes: via `generate-secrets.*` when empty/placeholder	YES

Runtime note:

managed-user passwords are generated on host by ensure-user-passwords.sh only when account is locked/unset or missing from encrypted vault.

Additional source controls:

Local render override controls (optional):

Notes:

YES: bootstrap/prepare needs an effective non-empty value (manual, default, or generated)
NO: bootstrap can continue if value is empty

COOLIFY_ROOT_USERNAME must match ^[A-Za-z0-9._-]+$
COOLIFY_ROOT_USER_EMAIL must be valid email format
COOLIFY_ROOT_USER_PASSWORD min 16 chars + lowercase + uppercase + digit + symbol
USER_PASSWORDS_ENCRYPTION_PASSWORD min 16 chars
SSH_PORT must be numeric in range 1..65535
CLOSE_COOLIFY_REALTIME_PORTS must be true/false or 1/0
DOCKER_DISABLE_IPV6_FOR_PARSEADDR_FIX must be true/false or 1/0
when CLOSE_COOLIFY_REALTIME_PORTS=true, effective realtime domain is:
- COOLIFY_REALTIME_DOMAIN when set
- otherwise COOLIFY_PUBLIC_DOMAIN
usernames in user lists must match ^[a-z_][a-z0-9_-]*[$]?$
root is forbidden in DEVOPS_USER, COOLIFY_SUDO_NOPASSWD_USER, and ADDITIONAL_SUDO_USERS
DEVOPS_USER and COOLIFY_SUDO_NOPASSWD_USER must differ
ADDITIONAL_SUDO_USERS must not include COOLIFY_SUDO_NOPASSWD_USER

CLOSE_COOLIFY_REALTIME_PORTS=false: direct 6001/6002 may remain reachable
CLOSE_COOLIFY_REALTIME_PORTS=true: realtime uses domain on 443 (COOLIFY_REALTIME_DOMAIN or COOLIFY_PUBLIC_DOMAIN fallback) and DOCKER-USER guards block direct public 6001/6002

Detailed mode behavior: