Configuration
Runtime settings live in deploy/.env (gitignored). Copy from
deploy/.env.example or run make setup. Generate secrets with
openssl rand -hex 32.
Required secrets & bootstrap
Weak or placeholder values are rejected at API startup.
| Variable | Notes |
|---|---|
POSTGRES_USER / POSTGRES_PASSWORD / POSTGRES_DB |
Bundled Postgres service; password must match DATABASE_URL |
DATABASE_URL |
Full Postgres DSN for the API (e.g. postgres://…@db:5432/frachtschiff?sslmode=disable) |
JWT_SECRET |
≥32 characters; signs JWTs and encrypts TOTP secrets |
SHARE_LINK_SIGNING_SECRET |
≥32 characters; must differ from JWT_SECRET |
ADMIN_USERNAME / ADMIN_PASSWORD |
First admin on empty DB; password ≥8 characters, not admin |
Each of DATABASE_URL, JWT_SECRET,
SHARE_LINK_SIGNING_SECRET, and ADMIN_PASSWORD may instead use a
sibling *_FILE path (Docker secrets). Do not set both to conflicting values.
Deploy / Compose
| Variable | Default | Description |
|---|---|---|
WEB_PORT |
3000 |
Host port mapped to the web container |
DRIVES |
(empty) | label:/host/path,label2:/host/path2 - generates volume overrides |
SMART_DEVICES |
(empty) | drive-a:/dev/sda,… - optional SMART; may enable privileged mode |
Compose hardcodes HTTP_ADDR=:8080 and DATA_ROOT=/data/drives for
the API.
Auth / tokens
| Variable | Default | Description |
|---|---|---|
ACCESS_TOKEN_MINUTES |
15 | Access JWT lifetime |
REFRESH_TOKEN_DAYS |
7 | Refresh token lifetime |
DEVICE_TOKEN_IDLE_DAYS |
90 | Sync device tokens expire after idle days; 0 = never |
ALLOWED_ORIGINS |
(empty) | CORS origins for split-origin SPA+API; empty = same-origin only |
Drive health & SMART
| Variable | Default | Description |
|---|---|---|
SMART_CHECK_ENABLED |
true |
Run SMART when devices are configured |
SMART_CHECK_INTERVAL_HOURS |
6 | Hours between SMART polls |
DRIVE_HEALTH_INTERVAL_MINUTES |
5 | Online / free-space health polls |
Leave SMART_DEVICES empty to avoid privileged mode. Online/space health still
works without SMART. Details:
Security.
Workers & uploads (selected)
Defaults are sensible for most homelabs. Notable knobs:
AT_RISK_SWEEP_*/COMPLIANCE_SWEEP_*- replication complianceSTAGING_SWEEP_*- orphan tus staging cleanupHTTP_READ_TIMEOUT_SECONDS=0- keep disabled so long tus PATCH streams are not cut offTUS_NETWORK_TIMEOUT_SECONDS/TUS_COMPLETE_TIMEOUT_SECONDS- Optional rate limits:
AUTH_RATE_LIMIT,SHARE_RATE_LIMIT, etc.
Full reference: upstream docs/CONFIGURATION.md.