# Local vs Production Environment Checklist
Sharp-edge reference for deploying Evospin beyond the local Docker Compose setup. Every variable listed here either has a different value in production or requires explicit attention during environment provisioning.
## Must change for production
These variables have local-dev defaults that are insecure, non-functional, or incorrect in production. Deploying without changing them will cause outages or security vulnerabilities.
| Variable | Local default | Production requirement | Risk if unchanged |
|---|---|---|---|
| `DATABASE_URL` | `postgresql://ebit:ebit@ebit-db:5432/ebit` | Managed Postgres with strong credentials | Open database with default password |
| `REDISCLOUD_URL` | `redis://:cache@ebit-redis:6379/0` | Managed Redis (ElastiCache / Upstash) | Password `cache` on public instance |
| `REDISCLOUD_BOT_URL` | `redis://:bot@ebit-redis-bot:6379` | Managed Redis (separate instance) | Password `bot` on public instance |
| `JWT_SECRET` | dev placeholder | Cryptographically random, min 256-bit | Token forgery |
| `SESSION_SECRET` | dev placeholder | Cryptographically random | Session hijacking |
| `JWT_MFA_TEMP_SECRET` | dev placeholder | Cryptographically random | MFA bypass |
| `JWT_VERIFICATION_TOKEN_SECRET` | dev placeholder | Cryptographically random | Email verification bypass |
| `JWT_USERNAME_SETUP_SECRET` | dev placeholder | Cryptographically random | Account setup bypass |
| `NODE_ENV` | `local` | `production` | Sentry disabled, email bypass active, captcha bypass active, pretty logs |
| `APP_FE_ORIGIN` | `http://localhost:3000` | `https://dropbet.com` | CORS blocks real users |
| `APP_FE_ORIGIN_ADMIN` | `http://localhost:3001` | `https://admin.dropbet.com` | Admin CORS broken |
| `APP_BE_ORIGIN` | `http://localhost:4000` | `https://api.dropbet.com` | Slot game redirects wrong |
| `BASE_DOMAIN` | `localhost` | `dropbet.com` | Session cookies scoped wrong |
| `ADMIN_DEFAULT_PASSWORD` | `admin` | Strong password or remove seed | Admin account with password `admin` |
## Must provision for production (no local default)
These variables are optional or stubbed locally but required for production functionality.
| Variable | What breaks without it | Where to obtain |
|---|---|---|
| `SENDGRID_API_KEY` | Email verification, password reset, welcome emails | SendGrid dashboard |
| `SENTRY_DSN_*` (5 vars) | No error monitoring for NestJS apps | Sentry project settings |
| `NEXT_PUBLIC_SENTRY_DSN` | No error monitoring for frontends | Sentry project settings |
| `SENTRY_AUTH_TOKEN` | Source maps not uploaded (stack traces unreadable) | Sentry org auth tokens |
| `RECAPTCHA_SECRET` | Captcha validation fails for all users (bypass only works in local) | Google reCAPTCHA console |
| `GOOGLE_CLIENT_ID` + `GOOGLE_CLIENT_SECRET` | Google OAuth login unavailable | Google Cloud Console |
| `STEAM_WEB_API_KEY` | Steam login unavailable | Steam developer portal |
| `SKINDECK_API_KEY` + `SKINDECK_API_SECRET` | Skin deposits unavailable; webhook validation fails | Skindeck partner dashboard |
| `SUMSUB_APP_TOKEN` + `SUMSUB_SECRET_KEY` + `SUMSUB_WEBHOOK_SECRET_KEY` | KYC verification unavailable | SumSub dashboard |
| `PROVIDER_NOWPAYMENTS_API_KEY` + `PROVIDER_NOWPAYMENTS_IPN_KEY` | Crypto payments unavailable | NowPayments dashboard |
| `SOFTSWISS_API_SECRET` | BGaming slot games broken | Softswiss partner portal |
| `TELEGRAM_BOT_API_KEY` | Telegram notifications disabled | BotFather |
| `INTERCOM_SECRET_KEY` | Intercom webhook validation fails | Intercom developer hub |
## Behaviour differences by NODE_ENV
| Behaviour | `NODE_ENV=local` | `NODE_ENV=production` |
|---|---|---|
| Sentry error reporting | Disabled (regardless of DSN) | Enabled if DSN set |
| Email sending (SendGrid) | Bypassed — `sendEmail()` returns immediately | Active — emails sent |
| reCAPTCHA validation | Bypass with token `"pass"` | Real Google API validation |
| Prisma query logging | Enabled if `DEBUG_MODE=true` | Disabled unless explicitly set |
| Socket.IO admin UI | Available if `DEBUG_SOCKET_IO_ADMIN=true` | Should be disabled |
| Pretty-printed logs | Available via `DEBUG_LOGS_PRETTY` | Should be disabled (JSON for log aggregation) |
| Feature flags | In-memory if `FEATURE_FLAGS_USE_LOCAL=true` | GitLab Unleash API |
| Seed demo user | Created if `DEBUG_SEED_LOCAL=true` | Should never be set |
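The three tables above (insecure local defaults, credentials that must be provisioned, and the local-only debug flags) can be turned into a single pre-deploy gate that refuses a production environment before anything boots. The script below is an added example and is not part of the Evospin code base; the variable names and compose defaults are taken from the tables, while the placeholder heuristics, the 256-bit floor applied to every secret, the treatment of `ADMIN_DEFAULT_PASSWORD` (unset means the seed was removed and is fine) and the two sample environments are assumptions constructed for the example.

```typescript
// Pre-deploy environment audit built from the checklist tables (added example,
// not Evospin's own code). Returns a list of findings; an empty list means the
// environment passes. Intended to run in CI before a production rollout.

type Env = Record<string, string | undefined>;

// Local compose defaults from "Must change for production".
const LOCAL_DEFAULTS: Record<string, string> = {
  DATABASE_URL: "postgresql://ebit:ebit@ebit-db:5432/ebit",
  REDISCLOUD_URL: "redis://:cache@ebit-redis:6379/0",
  REDISCLOUD_BOT_URL: "redis://:bot@ebit-redis-bot:6379",
  BASE_DOMAIN: "localhost",
};

// Secrets the table requires to be cryptographically random.
const RANDOM_SECRETS = [
  "JWT_SECRET", "SESSION_SECRET", "JWT_MFA_TEMP_SECRET",
  "JWT_VERIFICATION_TOKEN_SECRET", "JWT_USERNAME_SETUP_SECRET",
];

// Provider credentials from "Must provision for production"; SENTRY_DSN_* is checked by prefix.
export const REQUIRED_IN_PROD = [
  "SENDGRID_API_KEY", "NEXT_PUBLIC_SENTRY_DSN", "SENTRY_AUTH_TOKEN", "RECAPTCHA_SECRET",
  "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "STEAM_WEB_API_KEY",
  "SKINDECK_API_KEY", "SKINDECK_API_SECRET",
  "SUMSUB_APP_TOKEN", "SUMSUB_SECRET_KEY", "SUMSUB_WEBHOOK_SECRET_KEY",
  "PROVIDER_NOWPAYMENTS_API_KEY", "PROVIDER_NOWPAYMENTS_IPN_KEY",
  "SOFTSWISS_API_SECRET", "TELEGRAM_BOT_API_KEY", "INTERCOM_SECRET_KEY",
];

// Flags the NODE_ENV table says should be disabled or never set in production.
const LOCAL_ONLY_FLAGS = [
  "DEBUG_SOCKET_IO_ADMIN", "DEBUG_LOGS_PRETTY", "DEBUG_SEED_LOCAL", "FEATURE_FLAGS_USE_LOCAL",
];

// Upper bound on the entropy a secret string can carry, judged by its alphabet:
// hex is 4 bits per character, base64/base64url 6, anything else at most 8.
export function secretBits(value: string): number {
  if (/^[0-9a-fA-F]+$/.test(value)) return value.length * 4;
  if (/^[A-Za-z0-9+/=_-]+$/.test(value)) return value.length * 6;
  return value.length * 8;
}

// Heuristic (assumption): short values, obvious words, or one repeated character.
export function looksLikePlaceholder(value: string): boolean {
  return value.length < 16 || /placeholder|changeme/i.test(value) || /^(.)\1+$/.test(value);
}

export function auditProductionEnv(env: Env): string[] {
  const findings: string[] = [];
  if (env.NODE_ENV !== "production") {
    findings.push(`NODE_ENV=${env.NODE_ENV || "(unset)"}: Sentry off, email and captcha bypass active`);
  }
  for (const name of Object.keys(LOCAL_DEFAULTS)) {
    const value = env[name];
    if (!value) findings.push(`${name}: unset`);
    else if (value === LOCAL_DEFAULTS[name]) findings.push(`${name}: still the local compose default`);
  }
  if (env.ADMIN_DEFAULT_PASSWORD === "admin") {
    findings.push("ADMIN_DEFAULT_PASSWORD: seeds the admin account with password admin");
  }
  for (const name of RANDOM_SECRETS) {
    const value = env[name];
    if (!value) findings.push(`${name}: unset`);
    else if (looksLikePlaceholder(value)) findings.push(`${name}: placeholder value`);
    else if (secretBits(value) < 256) findings.push(`${name}: fewer than 256 bits of entropy possible`);
  }
  for (const name of REQUIRED_IN_PROD) {
    if (!env[name]) findings.push(`${name}: not provisioned`);
  }
  const anySentryDsn = Object.keys(env).some((k) => k.indexOf("SENTRY_DSN_") === 0 && !!env[k]);
  if (!anySentryDsn) findings.push("SENTRY_DSN_*: none set, NestJS apps report no errors");
  for (const name of LOCAL_ONLY_FLAGS) {
    const value = env[name];
    if (value && value !== "false") findings.push(`${name}: must not be set in production`);
  }
  return findings;
}

function fill(names: string[], value: string): Env {
  const out: Env = {};
  for (const n of names) out[n] = value;
  return out;
}

// Constructed sample: the local compose setup as-is, which must never ship.
export const SAMPLE_LOCAL_ENV: Env = {
  NODE_ENV: "local",
  ...LOCAL_DEFAULTS,
  ADMIN_DEFAULT_PASSWORD: "admin",
  DEBUG_SEED_LOCAL: "true",
  ...fill(RANDOM_SECRETS, "dev placeholder"),
};

// Constructed sample that passes; the fixed hex string stands in for real random secrets.
export const SAMPLE_PROD_ENV: Env = {
  NODE_ENV: "production",
  DATABASE_URL: "postgresql://ebit_app:REPLACE_WITH_STRONG_PASSWORD@db.internal:5432/ebit",
  REDISCLOUD_URL: "rediss://:REPLACE_WITH_STRONG_PASSWORD@cache.internal:6380/0",
  REDISCLOUD_BOT_URL: "rediss://:REPLACE_WITH_STRONG_PASSWORD@bot-cache.internal:6380",
  BASE_DOMAIN: "dropbet.com",
  SENTRY_DSN_API: "https://examplekey@o0.ingest.sentry.invalid/0",
  ...fill(RANDOM_SECRETS, "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
  ...fill(REQUIRED_IN_PROD, "provisioned"),
};

console.log(auditProductionEnv(SAMPLE_LOCAL_ENV));
```

Run it as part of the deploy pipeline with the real environment substituted for the sample, and fail the job on any finding. The entropy check is deliberately an upper bound: it cannot prove a value is random, only that a short or low-alphabet value cannot meet the 256-bit requirement from the table.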
## URL rewiring checklist
When deploying to a custom domain, update every URL-shaped variable. Missing one causes subtle cross-origin or redirect bugs.
```bash
# Backend
APP_BE_ORIGIN=https://api.yourdomain.com
APP_FE_ORIGIN=https://yourdomain.com
APP_FE_ORIGIN_ADMIN=https://admin.yourdomain.com
BASE_DOMAIN=yourdomain.com

# Frontend (ebit-fe)
NEXT_PUBLIC_API_URL=https://api.yourdomain.com
SSR_API_URL=http://ebit-api:4000 # internal Docker DNS if co-located
NEXT_PUBLIC_FE_URL=https://yourdomain.com
NEXT_PUBLIC_FE_URL_ADMIN=https://admin.yourdomain.com
NEXT_PUBLIC_SOCKET_CHAT_URL=wss://rt.yourdomain.com

# Frontend (ebit-admin-fe)
NEXT_PUBLIC_API_URL=https://api.yourdomain.com
SSR_API_URL=http://ebit-api:4000
NEXT_PUBLIC_FE_URL=https://yourdomain.com

# Payment provider callbacks (must be publicly reachable)
PROVIDER_NOWPAYMENTS_CALLBACK_URL=https://api.yourdomain.com/payments/nowpayments/callback
GOOGLE_CALLBACK_URL=https://api.yourdomain.com/auth/google/callback
```
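Because every one of these variables is derived from the same domain, the safest way to avoid the "missed one" bug is to derive them from `BASE_DOMAIN` and then cross-check the finished environment. The following is an added example, not Evospin's config loader: the variable names and the `yourdomain.com` layout come from the checklist above, while the rules it enforces (https or wss on every public URL, every public host under `BASE_DOMAIN`, callbacks under `APP_BE_ORIGIN`, and `SSR_API_URL` exempt because it is internal Docker DNS) are assumptions about what a correct deployment looks like.

```typescript
// Derive and cross-check the URL-shaped variables (added example, not project code).

type Env = Record<string, string | undefined>;

// Produce the whole set from one domain; internalApi is the co-located Docker DNS name.
export function deriveUrlEnv(domain: string, internalApi = "http://ebit-api:4000"): Env {
  const api = `https://api.${domain}`;
  return {
    APP_BE_ORIGIN: api,
    APP_FE_ORIGIN: `https://${domain}`,
    APP_FE_ORIGIN_ADMIN: `https://admin.${domain}`,
    BASE_DOMAIN: domain,
    NEXT_PUBLIC_API_URL: api,
    SSR_API_URL: internalApi,
    NEXT_PUBLIC_FE_URL: `https://${domain}`,
    NEXT_PUBLIC_FE_URL_ADMIN: `https://admin.${domain}`,
    NEXT_PUBLIC_SOCKET_CHAT_URL: `wss://rt.${domain}`,
    PROVIDER_NOWPAYMENTS_CALLBACK_URL: `${api}/payments/nowpayments/callback`,
    GOOGLE_CALLBACK_URL: `${api}/auth/google/callback`,
  };
}

// Public URLs and the scheme each must use; SSR_API_URL is deliberately absent.
const PUBLIC_URLS: Array<[string, string]> = [
  ["APP_BE_ORIGIN", "https:"], ["APP_FE_ORIGIN", "https:"], ["APP_FE_ORIGIN_ADMIN", "https:"],
  ["NEXT_PUBLIC_API_URL", "https:"], ["NEXT_PUBLIC_FE_URL", "https:"], ["NEXT_PUBLIC_FE_URL_ADMIN", "https:"],
  ["NEXT_PUBLIC_SOCKET_CHAT_URL", "wss:"],
  ["PROVIDER_NOWPAYMENTS_CALLBACK_URL", "https:"], ["GOOGLE_CALLBACK_URL", "https:"],
];

// Provider callbacks must land on the backend origin or the provider will hit a dead URL.
const CALLBACKS = ["PROVIDER_NOWPAYMENTS_CALLBACK_URL", "GOOGLE_CALLBACK_URL"];

function underDomain(host: string, domain: string): boolean {
  return host === domain || host.slice(-(domain.length + 1)) === `.${domain}`;
}

// Returns one problem per mismatch; an empty list means the URLs are consistent.
export function checkUrlEnv(env: Env): string[] {
  const problems: string[] = [];
  const domain = env.BASE_DOMAIN;
  if (!domain || domain === "localhost") {
    return ["BASE_DOMAIN: missing or localhost, session cookies will be scoped wrong"];
  }
  for (const [name, scheme] of PUBLIC_URLS) {
    const raw = env[name];
    if (!raw) { problems.push(`${name}: unset`); continue; }
    let url: URL;
    try { url = new URL(raw); } catch { problems.push(`${name}: not a valid URL`); continue; }
    if (url.protocol !== scheme) problems.push(`${name}: ${url.protocol} where ${scheme} is required`);
    if (!underDomain(url.hostname, domain)) problems.push(`${name}: host ${url.hostname} is outside ${domain}`);
  }
  const backend = env.APP_BE_ORIGIN;
  for (const name of CALLBACKS) {
    const raw = env[name];
    if (raw && backend && raw.indexOf(`${backend}/`) !== 0) problems.push(`${name}: not under APP_BE_ORIGIN`);
  }
  return problems;
}

console.log(checkUrlEnv({ ...deriveUrlEnv("yourdomain.com"), APP_FE_ORIGIN: "http://localhost:3000" }));
```

A leftover `http://localhost:3000` in `APP_FE_ORIGIN` produces two findings (wrong scheme and a host outside the domain), which is exactly the CORS failure the first table warns about; a callback pointing at a different host is caught both as off-domain and as not under `APP_BE_ORIGIN`.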
## Fast Track CRM activation checklist

Fast Track is stubbed today (`disabled = true` in `fast-track.rmq.module.ts:8`). To enable:

- Set `disabled = false` in `fast-track.rmq.module.ts`
- Provision a Fast Track RabbitMQ broker (separate from local compose)
- Set `FAST_TRACK_RABBITMQ_URL` to the broker endpoint
- Set `FAST_TRACK_API_KEY` from the Fast Track dashboard
- Set `FAST_TRACK_REGISTER_CONSUMERS=true` to receive inbound events
- Generate an RSA keypair for `FASTTRACK_JWT_PRIVATE_KEY` / `FASTTRACK_JWT_PUBLIC_KEY`
- Verify the 11 call sites (`bet.service.ts`, `promo-effect.service.ts`) are now emitting events
- Monitor RabbitMQ queue depth — the `rtevents` queue should show traffic
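The keypair step is the one most often done half-way: a pair is generated, pasted into the environment with its newlines mangled, and the failure only shows up when Fast Track rejects the first token. The block below is an added example, not Evospin's Fast Track module; it generates the pair with Node's built-in `crypto`, encodes it the way a one-line-per-value `.env` file needs it, and proves the pair still signs and verifies after that round trip. It assumes the keys are used for RS256 JWTs (the checklist only says "RSA keypair" for the `FASTTRACK_JWT_*` variables) and that the application turns the escaped `\n` sequences back into newlines when it reads the values.

```typescript
// Generate, env-encode and self-test the Fast Track RSA pair (added example, not project code).
import { createSign, createVerify, generateKeyPairSync } from "node:crypto";

export interface PemPair { publicKey: string; privateKey: string }

export function generateFastTrackKeyPair(modulusLength = 2048): PemPair {
  return generateKeyPairSync("rsa", {
    modulusLength,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

// .env holds one value per line: escape PEM newlines on the way in, restore them on the way out
// (assumption about how FASTTRACK_JWT_PRIVATE_KEY / FASTTRACK_JWT_PUBLIC_KEY are consumed).
export function toEnvValue(pem: string): string { return pem.replace(/\n/g, "\\n"); }
export function fromEnvValue(value: string): string { return value.replace(/\\n/g, "\n"); }

function b64url(text: string): string {
  return Buffer.from(text, "utf8").toString("base64url");
}

// Minimal RS256 JWT issuance: header.payload signed with RSA-SHA256 over the private key.
export function signRs256(claims: Record<string, unknown>, privatePem: string): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const signer = createSign("RSA-SHA256");
  signer.update(`${header}.${payload}`);
  return `${header}.${payload}.${signer.sign(privatePem, "base64url")}`;
}

// Returns the claims on a valid signature, null otherwise. Only alg=RS256 is accepted, so a
// token naming any other algorithm (including "none") is rejected before verification.
export function verifyRs256(token: string, publicPem: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  try {
    const parsedHeader = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (parsedHeader.alg !== "RS256") return null;
    const verifier = createVerify("RSA-SHA256");
    verifier.update(`${header}.${payload}`);
    if (!verifier.verify(publicPem, signature, "base64url")) return null;
    return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// The check to run before flipping disabled = false: the pair survives the .env
// encoding and a token signed with the private half verifies with the public half.
export function keyPairIsUsable(pair: PemPair): boolean {
  const priv = fromEnvValue(toEnvValue(pair.privateKey));
  const pub = fromEnvValue(toEnvValue(pair.publicKey));
  const token = signRs256({ sub: "evospin", aud: "fasttrack" }, priv);
  const claims = verifyRs256(token, pub);
  return claims !== null && claims.sub === "evospin";
}

const pair = generateFastTrackKeyPair();
console.log(keyPairIsUsable(pair) ? "keypair OK" : "keypair BROKEN");
console.log("FASTTRACK_JWT_PUBLIC_KEY=" + toEnvValue(pair.publicKey));
```

Only the public half should ever be printed or shared; write the private value straight into the secret store rather than echoing it to a terminal. The verifier pins the algorithm to RS256 on purpose: accepting whatever `alg` the token header claims is the classic JWT confusion mistake.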
## OTel / observability in production
| Variable | Local value | Production recommendation |
|---|---|---|
| `OTEL_EXPORTER_OTLP_ENDPOINT` | `http://otel-collector:4318` | Self-hosted collector or SaaS (Grafana Cloud, Datadog) |
| `OTEL_SERVICE_NAME` | `ebit-api` etc. | Same names — keep consistent for dashboard queries |
| `OTEL_METRIC_EXPORT_INTERVAL` | `15000` | `30000`–`60000` (reduce cardinality cost) |
| `NEXT_PUBLIC_OTEL_EXPORTER_OTLP_ENDPOINT` | `http://localhost:4318` | Public collector endpoint with auth (API key header) |
Production considerations:

- The browser sends OTLP directly to the collector — the endpoint must be publicly reachable with CORS
- Add authentication (API key in OTLP headers) to prevent abuse
- Reduce `tracesSampleRate` from `1.0` to `0.1`–`0.5` to control trace volume
- The `spanmetrics` connector generates high-cardinality metrics; consider adding `exclude_dimensions` for `http.target` / `db.statement`
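The collector-side half of those considerations fits in one receiver and connector configuration. The fragment below is an added example, not the project's collector config: it uses the OpenTelemetry Collector's `bearertokenauth` extension as the server-side check on the OTLP/HTTP receiver, restricts CORS to the two frontend origins from the URL checklist, and drops the two attributes named above from `spanmetrics`. The token source (`OTEL_INGEST_TOKEN`), the exporter name and its endpoint are placeholders; the sampling change in the list is an SDK setting and is not part of this file.

```yaml
extensions:
  # Server-side bearer-token check on the public OTLP/HTTP receiver.
  # OTEL_INGEST_TOKEN is a placeholder for the value the frontends send in their Authorization header.
  bearertokenauth:
    token: "${env:OTEL_INGEST_TOKEN}"

receivers:
  otlp:
    protocols:
      http:
        endpoint: 0.0.0.0:4318
        auth:
          authenticator: bearertokenauth
        # The browser posts directly to this endpoint, so CORS must allow the two
        # frontend origins and the Authorization header the exporter adds.
        cors:
          allowed_origins:
            - "https://yourdomain.com"
            - "https://admin.yourdomain.com"
          allowed_headers:
            - "Authorization"
            - "Content-Type"

connectors:
  spanmetrics:
    # Keep the per-URL and per-statement attributes out of the metric dimension set.
    exclude_dimensions:
      - http.target
      - db.statement

exporters:
  otlphttp/backend:
    endpoint: "https://otlp.backend.invalid"   # placeholder: self-hosted store or SaaS ingest URL

service:
  extensions: [bearertokenauth]
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [spanmetrics, otlphttp/backend]
    metrics:
      receivers: [spanmetrics]
      exporters: [otlphttp/backend]
```

A token shipped to browsers is visible to anyone who loads the site, so this check limits casual abuse rather than authenticating a client; pair it with rate limiting at the edge and rotate the token on the same schedule as other public-facing keys.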