In this deployment model, EAC loads configuration from two files only:
.env— baseline defaults (versioned, read-only from the UI)..env.local— per-server overrides (edited from the Settings page or manually on the host).
No container/OS environment variables are used by default in this setup.
Precedence (highest → lowest)
Only two levels apply:
- If a key is present in
.env.local, it overrides the value from.envon this server only. - If the key is absent in
.env.local, EAC falls back to.env.
Multi-server: each node has its own
.env.local. Editing Settings on server A does not change server B.
What the Settings page actually does
- Fields labeled “Updatable (.env.local)” are written to the node’s
.env.localwhen you Save. - Fields labeled “.env (Present value)” show the baseline from
.envand are not modified by the UI. - Composite inputs (e.g., Mail) are assembled into a single DSN such as
MAILER_DSNand written to.env.local.
To remove an override, clear the field in the UI and Save (the app will fall back to
.env).
Alternatively, edit the file and delete the line.
Applying changes
After updating .env.local, reload so PHP reads the new values:
# From the app root
php bin/console cache:clear --env=prod && php bin/console cache:warmup --env=prod
# Then reload PHP-FPM (typical Debian/Ubuntu service name)
sudo systemctl reload php8.2-fpm # adjust version if needed
If you run Symfony workers/cron wrappers under a service account, restart those units as well.
File locations & permissions (recommended)
- Location: by default EAC expects these files under the application root (e.g.,
/var/www/html/eac/.envand/var/www/html/eac/.env.local).
If your build stores overrides under./shared/.env.local, keep that convention consistent in your docs/scripts. - Ownership: make them writable by your service user/group (e.g.,
eac:www-data). - Mode:
chmod 640(or600if only the owner should read). Keep secrets out of world-readable files.
sudo chown eac:www-data /var/www/html/eac/.env.local
sudo chmod 640 /var/www/html/eac/.env.local
What belongs where
| Type | Put in | Why |
|---|---|---|
| Defaults, non-sensitive, versioned | .env | Baseline tracked in VCS |
| Secrets (passwords, tokens), per-host paths, toggles differing by node | .env.local | Not versioned; per-server override |
Common keys overridden in .env.local:
- Mail:
MAILER_DSN,APP_MAILER_SENDER,APP_MAILER_DEFAULT_RECIPIENTS,APP_ENABLE_TASK_MAILER - DB:
DATABASE_URL,DATABASE_URL_ETL_LOG - Paths:
APP_CONSOLE_CMD,APP_DEPLOY_DIR,APP_TMP_DIR,APP_UPLOAD_DIR - Feature toggles:
APP_ENABLE_SCHEDULING,APP_CHECK_STATUS_WITH_GIT,APP_ENABLE_ETL_LOGS
Examples
Baseline in .env
APP_ENV=prod
APP_DEBUG=0
APP_BASE_URI="https://eac.example.com/"
APP_ENABLE_SCHEDULING=true
DATABASE_URL="postgresql://eac_usr:pass@db-host:5432/eac_db?serverVersion=16&charset=utf8"
# Mail defaults (can be empty here)
APP_MAILER_SENDER="eac@cidwe.com"
MAILER_DSN=""
Per-server override in .env.local
# Different base URI on this host
APP_BASE_URI="https://eac-paris.example.com/"
# Mail configured on this server
APP_ENABLE_TASK_MAILER=true
APP_MAILER_SENDER="no-reply@example.com"
APP_MAILER_DEFAULT_RECIPIENTS="ops@example.com,data@example.com"
MAILER_DSN="smtp://no-reply%40example.com:My%3APass@smtp.example.com:587?encryption=tls&auth_mode=login"
# ETL logs enabled on this node
APP_ENABLE_ETL_LOGS=true
DATABASE_URL_ETL_LOG="postgresql://etl_ro:pass@etl-db:5432/etl_logs?serverVersion=16&charset=utf8"
Result: all keys present in .env.local override the baseline; others fall back to .env.
