Configure the server
Finances App reads configuration from environment variables and the optional Notion TOML file. Docker Compose passes the important variables from .env into the container.
Use .env for deployment settings
Start from the example:
cp .env.example .envKeep .env private. It can contain passwords, setup tokens, and Notion API keys.
First-owner bootstrap variables
Use these variables only while the database is empty:
| Variable | Purpose |
|---|---|
INVOICER_SETUP_TOKEN | Protects browser first-run setup when the app is accessed from a non-localhost host. |
INVOICER_BOOTSTRAP_WORKSPACE_NAME | Name of the first workspace created by unattended bootstrap. |
INVOICER_BOOTSTRAP_OWNER_NAME | Display name for the first owner. |
INVOICER_BOOTSTRAP_OWNER_EMAIL | Login email for the first owner. |
INVOICER_BOOTSTRAP_OWNER_PASSWORD | Login password for the first owner. |
If any INVOICER_BOOTSTRAP_* value is set, all four are required. Once at least one user exists, bootstrap variables are ignored.
Runtime storage variables
| Variable | Default in Docker | Purpose |
|---|---|---|
INVOICER_DB_PATH | /data/invoicer.sqlite3 | SQLite database path. |
INVOICER_FILE_STORAGE | /data/files | Directory for generated PDFs and uploaded/generated files. |
INVOICER_BACKUP_DIR | /data/backups | Managed backup repository. If unset, the app uses a backups folder next to the DB. |
INVOICER_WEB_DIST | /app/web-dist | Built React app served by FastAPI. |
INVOICER_COOKIE_SECURE | unset | Set to 1 when serving behind HTTPS so session cookies are marked secure. |
The default Compose file mounts the invoicer-data volume at /data. That volume contains the SQLite database, generated files, and backups.
Notion connector variables
Notion is optional. SQLite remains the source of truth.
| Variable | Purpose |
|---|---|
NOTION_TOKEN | Notion integration token. Use a test workspace first. |
INVOICER_CONFIG_HOST_PATH | Host path to the TOML config mounted into Docker. Defaults to ./invoicer.toml. |
INVOICER_CONTAINER_CONFIG_PATH | Container path for the mounted TOML config. Defaults to /root/.config/invoicer/config.toml. |
INVOICER_CONFIG_PATH | Runtime config path read by the API inside the container. Compose sets this to the container config path. |
Create a local TOML file:
cp examples/invoicer.example.toml invoicer.tomlKeep database IDs in invoicer.toml, but keep secrets in .env:
[profiles.test]
token_env = "NOTION_TOKEN"The Settings page also has a write-only Notion API key field. The API never returns the saved key.
Users, workspaces, and roles
The app separates people from finance containers:
- A user logs in with email and password.
- A workspace owns finance records and settings.
- A membership gives a user a role in one workspace.
Roles:
| Role | Access |
|---|---|
| Owner | Full workspace access, including user management and owner/admin changes. |
| Admin | Daily finance access and most workspace administration. Admins cannot manage owners. |
| Member | Daily finance access. Blocked from workspace administration, backup restore/configuration mutations, and Notion apply/configuration actions. |
After setup, create more users and workspaces from Settings → Workspaces and users.