Add comprehensive guide for migrating from .env files to Doppler:
- Step-by-step instructions for account setup
- List of all required secrets
- CLI installation for macOS/Linux
- PM2 configuration options
- Troubleshooting section
- Team access and CI/CD integration

Note: Manual setup required, not automated.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Doppler Setup Guide for WellNuo Backend
This guide explains how to migrate from .env files to Doppler for secrets management.
Why Doppler?
- Security: Secrets are encrypted and never stored in files
- Audit: Track who accessed what secrets and when
- Rotation: Easy secret rotation without redeployment
- Environment sync: Dev, staging, prod secrets in one place
Step 1: Create Doppler Account
- Go to doppler.com
- Sign up with your email or GitHub
- Create an organization (e.g., "WellNuo" or your company name)
Step 2: Create Project
- In Doppler dashboard, click "+ Project"
- Name it: wellnuo-api
- Doppler will create default environments: dev, stg, prd
Step 3: Add Secrets
Navigate to your project and add the following secrets for each environment:
Required Secrets
| Secret Name | Description | Example |
|---|---|---|
| DB_HOST | PostgreSQL host | 91.98.205.156 |
| DB_PORT | PostgreSQL port | 5432 |
| DB_NAME | Database name | wellnuo |
| DB_USER | Database username | wellnuo_user |
| DB_PASSWORD | Database password | your-secure-password |
| JWT_SECRET | JWT signing key (min 32 chars) | your-random-secret-key-here |
| JWT_EXPIRES_IN | Token expiration | 7d |
| BREVO_API_KEY | Brevo (Sendinblue) API key | xkeysib-... |
| STRIPE_SECRET_KEY | Stripe secret key | sk_live_... or sk_test_... |
| STRIPE_WEBHOOK_SECRET | Stripe webhook signing secret | whsec_... |
| ADMIN_API_KEY | Admin endpoints auth key | your-admin-key |
Optional Secrets (if used)
| Secret Name | Description |
|---|---|
| LEGACY_API_PASSWORD | Legacy API auth password |
| LIVEKIT_API_KEY | LiveKit API key |
| LIVEKIT_API_SECRET | LiveKit API secret |
| PORT | Server port (default: 3000) |
How to Add Secrets
- Go to your project → select environment (e.g., prd)
- Click "+ Add Secret"
- Enter name and value
- Click Save
Tip: Use "Import" to bulk import from existing .env file.
Step 4: Install Doppler CLI
macOS
brew install dopplerhq/cli/doppler
Linux
curl -Ls https://cli.doppler.com/install.sh | sh
Verify installation
doppler --version
Step 5: Authenticate CLI
doppler login
This opens a browser window for authentication.
Step 6: Configure Project on Server
SSH into your server:
ssh root@91.98.205.156
cd /var/www/wellnuo-api
Setup Doppler for the project:
# Login to Doppler
doppler login
# Link project to this directory
doppler setup
# Select project: wellnuo-api
# Select config: prd (production)
Verify secrets are accessible:
doppler secrets
Step 7: Update PM2 Configuration
Option A: Direct command
Stop the current process and start with Doppler:
pm2 stop wellnuo-api
pm2 delete wellnuo-api
# Start with Doppler
doppler run -- pm2 start index.js --name wellnuo-api
pm2 save
Option B: Using ecosystem.config.js
Create or update ecosystem.config.js:
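module.exports = {
  apps: [{
    name: 'wellnuo-api',
    script: 'index.js',
    // PM2 runs `<interpreter> <interpreter_args> <script>`, so "node" must
    // follow "--" for the command to become `doppler run -- node index.js`.
    interpreter: 'doppler',
    interpreter_args: 'run -- node',
    env: {
      NODE_ENV: 'production'
    }
  }]
};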
Then:
pm2 start ecosystem.config.js
pm2 save
Option C: Shell wrapper script
Create start.sh:
#!/bin/bash
doppler run -- node index.js
Then:
chmod +x start.sh
pm2 start ./start.sh --name wellnuo-api
pm2 save
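With Option A the secrets are in the environment of the pm2 command itself, which PM2 records for the process and pm2 save writes to its dump file; in Options B and C doppler runs underneath PM2 instead. An added check (not part of the original guide) that lists which of this guide's secret names appear as keys in a dump file; the script name, the default path ~/.pm2/dump.pm2 and the sample dumps are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example: list which of this guide's secret names appear as JSON keys
# in a PM2 dump file. Only names are printed, never values.
SECRET_NAMES="DB_PASSWORD JWT_SECRET BREVO_API_KEY STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET ADMIN_API_KEY LEGACY_API_PASSWORD LIVEKIT_API_SECRET"

# leaked_names FILE: print one secret name per line; return 2 if unreadable.
leaked_names() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    for name in $SECRET_NAMES; do
        if grep -Eq "\"$name\"[[:space:]]*:" "$1"; then
            printf '%s\n' "$name"
        fi
    done
}

# make_sample FILE MODE: write a constructed dump (not real PM2 output).
#   cli   = Option A: secrets were in the environment of the pm2 command
#   child = Options B/C: doppler runs under PM2, stored env has no secrets
make_sample() {
    if [ "$2" = cli ]; then
        cat > "$1" <<'EOF'
[{"name":"wellnuo-api","env":{"NODE_ENV":"production",
  "JWT_SECRET":"constructed-value","DB_PASSWORD":"constructed-value"}}]
EOF
    else
        cat > "$1" <<'EOF'
[{"name":"wellnuo-api","env":{"NODE_ENV":"production"}}]
EOF
    fi
}

# Server use: sh check_dump.sh ~/.pm2/dump.pm2   (assumed default path)
if [ $# -gt 0 ]; then
    found=$(leaked_names "$1") || exit 2
    [ -z "$found" ] && exit 0
    echo "$found"; exit 1
fi

# No argument: demo on the constructed samples.
tmp=$(mktemp)
for mode in cli child; do
    make_sample "$tmp" "$mode"
    echo "$mode: $(leaked_names "$tmp" | tr '\n' ' ')"
done
rm -f "$tmp"
```

A non-empty result means the dump file holds those values in plaintext and needs the same protection as the old .env file.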
Step 8: Verify It Works
# Check PM2 status
pm2 status
# Check logs for startup errors
pm2 logs wellnuo-api --lines 50
# Test API endpoint
curl https://wellnuo.smartlaunchhub.com/api/health
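A passing health check only shows that the process started. The following added example (not part of the original guide) checks the environment that doppler run injects against the Required Secrets table: every name set, no placeholder value left in, JWT_SECRET at least 32 characters, and the expected key prefixes. The file name preflight.sh and the rule that prd uses sk_live_ keys while dev and stg use sk_test_ keys are assumptions.

```sh
#!/bin/sh
# Added example: fail-fast check of the environment injected by `doppler run`.
# Names and formats come from the guide's "Required Secrets" table.
REQUIRED="DB_HOST DB_PORT DB_NAME DB_USER DB_PASSWORD JWT_SECRET JWT_EXPIRES_IN
BREVO_API_KEY STRIPE_SECRET_KEY STRIPE_WEBHOOK_SECRET ADMIN_API_KEY"

# preflight CONFIG: print the problems found (space-separated "kind:NAME")
# and return 1, or print nothing and return 0. CONFIG is dev, stg or prd.
preflight() {
    problems=""
    for name in $REQUIRED; do
        eval "value=\${$name-}"     # names are fixed above, so eval is safe
        case $value in
            "")     problems="$problems missing:$name" ;;
            your-*) problems="$problems placeholder:$name" ;;  # table examples
        esac
    done
    jwt=${JWT_SECRET-}
    [ "${#jwt}" -ge 32 ] || problems="$problems short:JWT_SECRET"
    case ${BREVO_API_KEY-} in
        xkeysib-*) ;; *) problems="$problems format:BREVO_API_KEY" ;;
    esac
    case ${STRIPE_WEBHOOK_SECRET-} in
        whsec_*) ;; *) problems="$problems format:STRIPE_WEBHOOK_SECRET" ;;
    esac
    # Assumption (not from the guide): prd uses live Stripe keys, dev/stg test keys.
    case "$1:${STRIPE_SECRET_KEY-}" in
        prd:sk_live_*|dev:sk_test_*|stg:sk_test_*) ;;
        *) problems="$problems mode:STRIPE_SECRET_KEY" ;;
    esac
    [ -z "$problems" ] && return 0
    echo "${problems# }"
    return 1
}

# Server use: doppler run -- sh preflight.sh prd
if [ $# -gt 0 ]; then preflight "$1"; exit $?; fi

# No argument: demo on constructed values (not real credentials).
demo() {
    ( DB_HOST=db.example.internal DB_PORT=5432 DB_NAME=wellnuo DB_USER=wellnuo_user
      DB_PASSWORD=constructed-pw JWT_SECRET=your-random-secret-key-here
      JWT_EXPIRES_IN=7d BREVO_API_KEY=xkeysib-constructed
      STRIPE_SECRET_KEY=sk_test_constructed STRIPE_WEBHOOK_SECRET=whsec_constructed
      ADMIN_API_KEY=constructed-admin-key
      preflight "$1" )
}
demo prd || true
```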
Step 9: Remove .env File
IMPORTANT: Only after verifying everything works!
# Backup first (optional, store securely)
cp .env ~/.env.wellnuo-backup
# Remove from project
rm .env
# Commit the removal
git add -A
git commit -m "chore: remove .env file, migrated to Doppler"
Troubleshooting
"doppler: command not found" in PM2
PM2 might not have Doppler in its PATH. Use the full path:
which doppler
# e.g., /usr/local/bin/doppler
# Use in PM2
pm2 start "/usr/local/bin/doppler run -- node index.js" --name wellnuo-api
Secrets not loading
# Verify Doppler is configured
doppler configs
# Check if secrets are accessible
doppler secrets
# Run app directly to test
doppler run -- node index.js
PM2 restart on server reboot
Ensure Doppler is authenticated for the startup user:
# If running as root
doppler login
# Save PM2 config
pm2 save
pm2 startup
Team Access
To give team members access to secrets:
- Go to Doppler dashboard → Project settings
- Click "Access"
- Invite team members with appropriate roles:
- Admin: Full access
- Developer: Read/write dev & stg, read-only prd
- Viewer: Read-only
Secret Rotation
To rotate a secret (e.g., JWT_SECRET):
- Generate new secret value
- Update in Doppler dashboard
- Restart the application:
pm2 restart wellnuo-api
No code changes or redeployment needed!
CI/CD Integration
For GitHub Actions, add a Doppler service token as the DOPPLER_TOKEN secret:
- name: Install Doppler CLI
  uses: dopplerhq/cli-action@v3
- name: Run tests
  run: doppler run -- npm test
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
Quick Reference
| Command | Description |
|---|---|
| doppler login | Authenticate CLI |
| doppler setup | Link project to directory |
| doppler secrets | List all secrets |
| doppler run -- <cmd> | Run command with secrets injected |
| doppler secrets set KEY=value | Set a secret |
| doppler secrets get KEY | Get a secret value |
Note: This is a manual setup process. Do not run these commands automatically without understanding each step.