# --- Database --- DATABASE_URL="file:../data/launcher.db" # --- Authentication (REQUIRED) --- # Generate a strong secret with: openssl rand -hex 32 # The server refuses to start with placeholder or short values (< 32 chars). JWT_SECRET="" JWT_EXPIRY="15m" REFRESH_TOKEN_EXPIRY="7d" # --- Integration credential encryption (REQUIRED if any integration is configured) --- # Must be DIFFERENT from JWT_SECRET so rotating one does not invalidate the other. # Generate a strong secret with: openssl rand -hex 32 INTEGRATION_ENCRYPTION_KEY="" # --- Application --- APP_PORT=3000 APP_HOST="0.0.0.0" # ORIGIN must match the public URL users visit. When it begins with https://, # session cookies are issued with the Secure flag. Set this when running behind # a reverse proxy that terminates TLS, e.g. ORIGIN="https://launcher.example.com" ORIGIN="http://localhost:3000" # Legacy alias — keep for older docs; not used internally. APP_URL="http://localhost:3000" # --- OAuth / OIDC (optional — configure here or in Admin > Settings) --- OAUTH_CLIENT_ID="" OAUTH_CLIENT_SECRET="" OAUTH_DISCOVERY_URL="" OAUTH_REDIRECT_URI="" # Guest mode (true = allow unauthenticated dashboard access to guest-accessible boards) GUEST_MODE="true" # Healthcheck cron expression — default every 5 minutes HEALTHCHECK_CRON="*/5 * * * *" HEALTHCHECK_TIMEOUT_MS="5000" # Service Discovery (optional — configure here or in Admin > Settings) DOCKER_SOCKET_PATH="/var/run/docker.sock" TRAEFIK_API_URL="" # Allow outbound fetches to private/internal hosts. Default is "false" which # blocks SSRF (loopback, RFC1918, link-local, cloud-metadata). Self-hosted # users monitoring services on a LAN typically want this set to "true". ALLOW_PRIVATE_NETWORK_FETCH="false" # Run background jobs (healthcheck, backup) in THIS process. Set to "false" when # scaling horizontally so only one node runs schedulers. RUN_SCHEDULERS="true" # Optional bearer token for /api/metrics. When set, scrapers must send # `Authorization: Bearer `. When unset, the endpoint is open (typical # when the scraper lives on the same private network). METRICS_TOKEN="" # Node environment NODE_ENV="production"