Environment Variables

Complete reference for all Aurora environment variables. Configuration is done via the .env file in the project root.

Quick Setup

# Create .env from template
cp .env.example .env

# Or use the init script (auto-generates secrets)
make init

Core Configuration

Application Environment

Variable	Default	Description
`AURORA_ENV`	`dev`	Environment mode: `dev`, `staging`, `production`

Database

PostgreSQL connection settings.

Variable	Default	Description
`POSTGRES_USER`	`aurora`	Database username
`POSTGRES_PASSWORD`	required	Database password (auto-generated by `make init`)
`POSTGRES_DB`	`aurora_db`	Database name
`POSTGRES_HOST`	`postgres`	Database host (container name in Docker)
`POSTGRES_PORT`	`5432`	Database port

POSTGRES_USER=aurora
POSTGRES_PASSWORD=your-secure-64-char-password
POSTGRES_DB=aurora_db
POSTGRES_HOST=postgres
POSTGRES_PORT=5432

Concurrency & Connection Pool

Tuning parameters for gunicorn, Celery, and the database connection pool. Defaults work for small deployments; increase for higher concurrency.

Variable	Default	Description
`GUNICORN_WORKERS`	`2`	Number of gunicorn worker processes
`GUNICORN_THREADS`	`4`	Threads per gunicorn worker (total parallel requests = workers x threads)
`CELERY_CONCURRENCY`	`4`	Number of concurrent Celery task workers
`DB_POOL_MIN`	`2`	Minimum database connections kept open per process
`DB_POOL_MAX`	`20`	Maximum database connections per process (must be >= workers x threads)

GUNICORN_WORKERS=2
GUNICORN_THREADS=4
CELERY_CONCURRENCY=4
DB_POOL_MIN=2
DB_POOL_MAX=20

For higher concurrency, scale these together. Example for a 4-vCPU pod:

GUNICORN_WORKERS=4
GUNICORN_THREADS=8
DB_POOL_MAX=40
CELERY_CONCURRENCY=8

On Kubernetes, prefer horizontal pod autoscaling over large per-pod thread counts. See the Kubernetes deployment guide for HPA configuration.

Redis

Redis connection for Celery task queue and caching.

Variable	Default	Description
`REDIS_URL`	`redis://redis:6379/0`	Full Redis connection URL

REDIS_URL=redis://redis:6379/0

Object Storage

S3-compatible object storage configuration. SeaweedFS is included by default.

Variable	Default	Description
`STORAGE_BUCKET`	`aurora-storage`	Bucket name
`STORAGE_ENDPOINT_URL`	`http://seaweedfs-filer:8333`	S3 endpoint URL
`STORAGE_ACCESS_KEY`	`admin`	Access key
`STORAGE_SECRET_KEY`	`admin`	Secret key
`STORAGE_REGION`	`us-east-1`	AWS region (for S3 compatibility)
`STORAGE_USE_SSL`	`false`	Use HTTPS for storage
`STORAGE_VERIFY_SSL`	`false`	Verify SSL certificates
`STORAGE_CACHE_ENABLED`	`true`	Enable storage response caching
`STORAGE_CACHE_TTL`	`60`	Cache TTL in seconds

Default (SeaweedFS)

STORAGE_BUCKET=aurora-storage
STORAGE_ENDPOINT_URL=http://seaweedfs-filer:8333
STORAGE_ACCESS_KEY=admin
STORAGE_SECRET_KEY=admin
STORAGE_REGION=us-east-1
STORAGE_USE_SSL=false

AWS S3

STORAGE_BUCKET=your-bucket-name
STORAGE_ENDPOINT_URL=https://s3.amazonaws.com
STORAGE_ACCESS_KEY=AKIAXXXXXXXXXXXXXXXX
STORAGE_SECRET_KEY=your-secret-key
STORAGE_REGION=us-east-1
STORAGE_USE_SSL=true
STORAGE_VERIFY_SSL=true

Cloudflare R2

STORAGE_BUCKET=your-bucket-name
STORAGE_ENDPOINT_URL=https://accountid.r2.cloudflarestorage.com
STORAGE_ACCESS_KEY=your-access-key
STORAGE_SECRET_KEY=your-secret-key
STORAGE_REGION=auto
STORAGE_USE_SSL=true

URLs & Networking

Service URLs for internal and external communication.

Variable	Default	Description
`FRONTEND_URL`	`http://localhost:3000`	Public frontend URL
`BACKEND_URL`	`http://aurora-server:5080`	Internal backend URL (container-to-container)
`NEXT_PUBLIC_BACKEND_URL`	`http://localhost:5080`	Public backend URL (browser access)
`NEXT_PUBLIC_WEBSOCKET_URL`	`ws://localhost:5006`	Public WebSocket URL
`CHATBOT_INTERNAL_URL`	`http://chatbot:5007`	Internal chatbot URL

FRONTEND_URL=http://localhost:3000
BACKEND_URL=http://aurora-server:5080
NEXT_PUBLIC_BACKEND_URL=http://localhost:5080
NEXT_PUBLIC_WEBSOCKET_URL=ws://localhost:5006
CHATBOT_INTERNAL_URL=http://chatbot:5007

Remote / VM Deployment

When deploying on a remote server or VM, set the NEXT_PUBLIC_* and FRONTEND_URL variables to the machine's IP or hostname:

FRONTEND_URL=http://YOUR_IP:3000
NEXT_PUBLIC_BACKEND_URL=http://YOUR_IP:5080
NEXT_PUBLIC_WEBSOCKET_URL=ws://YOUR_IP:5006

These values are injected at container startup (not baked at build time), so you do not need to rebuild images after changing them. Just recreate the frontend container:

docker compose -f docker-compose.prod-local.yml up -d frontend

Authentication & Security

Variable	Default	Description
`FLASK_SECRET_KEY`	required	Flask session secret (auto-generated by `make init`)
`FLASK_PORT`	`5080`	Flask server port
`AUTH_SECRET`	required	Auth.js secret for session encryption
`INTERNAL_API_SECRET`	(empty)	Shared secret between Next.js and Flask. When set, Flask rejects requests without a valid `X-Internal-Secret` header. Auto-generated by `make init`.
`AUTH_URL`	`${FRONTEND_URL}`	Auth.js canonical URL (set automatically in docker-compose from `FRONTEND_URL`)

FLASK_SECRET_KEY=your-secure-64-char-secret
FLASK_PORT=5080
AUTH_SECRET=your-secure-64-char-secret
INTERNAL_API_SECRET=your-secure-64-char-secret
# AUTH_URL is set from FRONTEND_URL in docker-compose — no need to set manually

Vault (Secrets Management)

HashiCorp Vault configuration for storing user credentials.

Variable	Default	Description
`VAULT_ADDR`	`http://vault:8200`	Vault server address
`VAULT_TOKEN`	required	Vault authentication token
`VAULT_KV_MOUNT`	`aurora`	KV secrets engine mount path
`VAULT_KV_BASE_PATH`	`users`	Base path for user secrets

VAULT_ADDR=http://vault:8200
VAULT_TOKEN=hvs.your-vault-token
VAULT_KV_MOUNT=aurora
VAULT_KV_BASE_PATH=users

Getting Vault Token

On first startup, get the root token from:

docker logs vault-init 2>&1 | grep "Root Token:"

LLM & AI Services

At least one LLM provider API key is required. See LLM Providers for detailed setup instructions.

Variable	Default	Description
`OPENROUTER_API_KEY`	-	OpenRouter API key (recommended)
`OPENAI_API_KEY`	-	OpenAI API key
`ANTHROPIC_API_KEY`	-	Anthropic API key
`GOOGLE_AI_API_KEY`	-	Google AI API key
`LLM_PROVIDER_MODE`	`openrouter`	Provider routing mode (see below)
`AGENT_RECURSION_LIMIT`	`240`	Max agent reasoning steps

LLM_PROVIDER_MODE

Controls how Aurora routes LLM requests:

Mode	Description	Required key
`openrouter`	All requests go through OpenRouter. One key gives access to models from Anthropic, OpenAI, Google, and others.	`OPENROUTER_API_KEY`
`direct`	Requests go directly to each provider's API based on the model prefix (e.g. `anthropic/...` → Anthropic API). No OpenRouter account needed, but you need a separate API key for each provider you use.	Provider-specific key(s)
`auto`	Same behaviour as `direct`.	Provider-specific key(s)
provider name	Set to a provider such as `bedrock`, `vertex`, `anthropic`, `openai`, `google`, or `ollama` to route every model selection through that provider (clean model picks are translated to its native id). Models the provider can't serve fall back to their own native provider.	That provider's config

openrouter is recommended for most deployments — a single key, broadest model selection, and no need to manage multiple provider accounts.

# Use one of these
OPENROUTER_API_KEY=sk-or-v1-your-key
OPENAI_API_KEY=sk-your-key
ANTHROPIC_API_KEY=sk-ant-your-key
GOOGLE_AI_API_KEY=your-key

LLM_PROVIDER_MODE=openrouter   # or: direct
AGENT_RECURSION_LIMIT=240

Vertex AI (Google Cloud)

Variable	Default	Description
`VERTEX_AI_PROJECT`	-	Google Cloud project ID
`VERTEX_AI_LOCATION`	`global`	Vertex AI location
`VERTEX_AI_SERVICE_ACCOUNT_JSON`	-	Service account key JSON string

VERTEX_AI_PROJECT=my-gcp-project
VERTEX_AI_LOCATION=global
VERTEX_AI_SERVICE_ACCOUNT_JSON={"type":"service_account",...}

Ollama (Local Models)

Variable	Default	Description
`OLLAMA_BASE_URL`	`http://host.docker.internal:11434`	Ollama server URL

OLLAMA_BASE_URL=http://host.docker.internal:11434

AWS Bedrock

One bedrock provider with two modes, auto-selected: set BEDROCK_BASE_URL for gateway mode (OpenAI-compatible endpoint in front of Bedrock), or leave it unset for native mode (AWS SDK). BEDROCK_* variables take precedence over the standard AWS_* ones.

For native mode, set LLM_PROVIDER_MODE=bedrock to route clean model picks (e.g. anthropic/claude-sonnet-4.6) through Bedrock automatically — translated to the matching inference-profile id, region-aware. For gateway mode (or to pin specific ids), use LLM_PROVIDER_MODE=direct and point MAIN_MODEL (etc.) at an explicit bedrock/<id> model.

Variable	Default	Description
`BEDROCK_BASE_URL`	-	Gateway mode: OpenAI-compatible base URL (e.g. `.../v1`). When set, Aurora uses gateway mode.
`BEDROCK_API_KEY`	`not-needed`	Gateway mode only. Optional — many VPC gateways need no key.
`BEDROCK_REGION`	-	Native mode AWS region. Falls back to `AWS_REGION` / `AWS_DEFAULT_REGION`.
`BEDROCK_ACCESS_KEY_ID`	(AWS_ACCESS_KEY_ID)	Native mode access key. Omit to use an IAM role / default credential chain.
`BEDROCK_SECRET_ACCESS_KEY`	(AWS_SECRET_ACCESS_KEY)	Native mode secret key.
`BEDROCK_SESSION_TOKEN`	(AWS_SESSION_TOKEN)	Native mode session token, used alongside `BEDROCK_ACCESS_KEY_ID` / `BEDROCK_SECRET_ACCESS_KEY` for temporary / STS credentials. Omit for long-lived keys, a profile, or an IAM role.
`BEDROCK_PROFILE`	-	Native mode named AWS profile (alternative to explicit keys).

# Gateway mode (OpenAI-compatible endpoint, e.g. a Bedrock Access Gateway in your VPC)
BEDROCK_BASE_URL=https://bedrock-gateway.internal.example.com/v1
BEDROCK_API_KEY=                       # optional
LLM_PROVIDER_MODE=direct
MAIN_MODEL=bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0

# Native mode (AWS SDK) — leave BEDROCK_BASE_URL unset
BEDROCK_REGION=us-east-1
BEDROCK_ACCESS_KEY_ID=AKIA...          # or use BEDROCK_PROFILE / an IAM role
BEDROCK_SECRET_ACCESS_KEY=...
BEDROCK_SESSION_TOKEN=                  # omit unless using temporary / STS credentials
LLM_PROVIDER_MODE=bedrock               # routes clean model picks through Bedrock
MAIN_MODEL=anthropic/claude-sonnet-4.6  # auto-translated to us.anthropic.claude-sonnet-4-6

Web Search

Variable	Default	Description
`SEARXNG_URL`	`http://searxng:8080`	SearXNG internal URL
`SEARXNG_SECRET`	-	SearXNG secret key

AI Features

Variable	Default	Description
`RCA_MODEL`	-	Model for background RCA (format: `provider/model`). Overrides `RCA_OPTIMIZE_COSTS` when set. Default RCA path when `ORCHESTRATOR_ENABLED=false`.
`RCA_OPTIMIZE_COSTS`	`true`	Only used when `RCA_MODEL` is not set. `true` = `anthropic/claude-haiku-4.5`, `false` = `anthropic/claude-opus-4.6`
`ORCHESTRATOR_ENABLED`	`false`	Multi-agent RCA orchestrator (opt-in). When `true`, a lead orchestrator triages each background RCA and may fan out parallel read-only sub-agents; `RCA_MODEL` is ignored. When `false` (default), RCA uses the single-agent path with `RCA_MODEL`.
`RCA_ORCHESTRATOR_MODEL`	-	Only when `ORCHESTRATOR_ENABLED=true`. Brain model for triage + synthesis. Format: `provider/model`.
`RCA_SUBAGENT_MODEL`	-	Only when `ORCHESTRATOR_ENABLED=true`. Sub-agent investigator model. Per-role overrides in `orchestrator/roles/*.md` frontmatter take precedence. Format: `provider/model`.
`GEMINI_DISABLE_THINKING`	-	Disable Gemini thinking mode

AI Safety Guardrails

Three-layer safety: input rail + signature matcher + LLM safety judge. See Command Safety for details.

Variable	Default	Description
`GUARDRAILS_ENABLED`	`true`	Master switch. When enabled (default), all three layers run and every LLM check fails closed on error. Set to `false` to disable all guardrails.
`GUARDRAILS_LLM_MODEL`	(MAIN_MODEL)	Model used by the safety judge and input rail. Same format and routing as `MAIN_MODEL`.
`GUARDRAILS_SIGMA_ENABLED`	`true`	Gates the vendored SigmaHQ rule corpus inside the signature matcher. Requires `GUARDRAILS_ENABLED=true`. Set to `false` to run only hand-written rules.

Cloud Providers

GCP (Google Cloud Platform)

Variable	Description
`CLIENT_ID`	GCP OAuth Client ID
`CLIENT_SECRET`	GCP OAuth Client Secret

CLIENT_ID=your-client-id.apps.googleusercontent.com
CLIENT_SECRET=your-client-secret

AWS (Amazon Web Services)

Variable	Default	Description
`AWS_ACCESS_KEY_ID`	-	Aurora's AWS access key
`AWS_SECRET_ACCESS_KEY`	-	Aurora's AWS secret key
`AWS_DEFAULT_REGION`	`us-east-1`	Default AWS region

AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
AWS_SECRET_ACCESS_KEY=your-secret-key
AWS_DEFAULT_REGION=us-east-1

note

These are Aurora's own AWS credentials for STS AssumeRole calls, not end-user credentials.

Cloud Provider Cache

Variable	Default	Description
`AURORA_SETUP_CACHE_ENABLED`	`true`	Cache cloud provider setup data
`AURORA_SETUP_CACHE_TTL`	`3600`	Cache TTL in seconds
`AURORA_VERIFY_CLI_IDENTITY`	`false`	Verify CLI identity
`AURORA_CACHE_TOKEN_IN_REDIS`	`false`	Cache tokens in Redis

Third-Party Integrations

GitHub

GitHub App is the default auth path. OAuth is a flag-gated fallback for on-prem deployments that cannot expose a public webhook URL.

Variable	Default	Description
`GITHUB_AUTH_MODE`	`app`	One of `app` \| `oauth` \| `hybrid`. Controls which CTA the connector dialog renders and which auth paths the backend accepts.
`GITHUB_APP_ID`		Numeric App ID from the App settings page.
`GITHUB_APP_CLIENT_ID`		App's Client ID (starts with `Iv23l...`).
`NEXT_PUBLIC_GITHUB_APP_SLUG`		The App's URL slug (e.g. `aurora-acme`). Used by the frontend to build install management URLs.
`GITHUB_APP_WEBHOOK_URL`		Public URL Aurora exposes for webhooks. Must match what's configured on the App. Example: `https://aurora.example.com/github/webhook`.
`GITHUB_APP_SETUP_URL`		Post-install redirect URL. Example: `https://aurora.example.com/github/app/install/callback`.
`GITHUB_APP_WEBHOOK_SECRET`		Fallback only — the secrets backend path `aurora/system/github-app/webhook-secret` (Vault or AWS Secrets Manager) takes precedence.
`GH_OAUTH_CLIENT_ID`		OAuth App Client ID. Required only when `GITHUB_AUTH_MODE` is `oauth` or `hybrid`.
`GH_OAUTH_CLIENT_SECRET`		OAuth App Client Secret. Required only when `GITHUB_AUTH_MODE` is `oauth` or `hybrid`.

App-mode (recommended):

GITHUB_AUTH_MODE=app
GITHUB_APP_ID=12345
GITHUB_APP_CLIENT_ID=Iv23liExampleClientId
NEXT_PUBLIC_GITHUB_APP_SLUG=aurora-acme
GITHUB_APP_WEBHOOK_URL=https://aurora.example.com/github/webhook
GITHUB_APP_SETUP_URL=https://aurora.example.com/github/app/install/callback
GITHUB_APP_WEBHOOK_SECRET=
# (private key PEM lives in your secrets backend — Vault or AWS Secrets
#  Manager — at aurora/system/github-app/private-key, not in .env)

Hybrid (App + OAuth, e.g. for a migration window):

GITHUB_AUTH_MODE=hybrid
# all GITHUB_APP_* vars from the App-mode block above, plus:
GH_OAUTH_CLIENT_ID=your-oauth-client-id
GH_OAUTH_CLIENT_SECRET=your-oauth-client-secret

OAuth-only (on-prem fallback when public webhook ingress is unavailable):

GITHUB_AUTH_MODE=oauth
GH_OAUTH_CLIENT_ID=your-oauth-client-id
GH_OAUTH_CLIENT_SECRET=your-oauth-client-secret

See the GitHub connector setup walkthroughs for the full operator click-through.

Slack

Variable	Description
`SLACK_CLIENT_ID`	Slack App Client ID
`SLACK_CLIENT_SECRET`	Slack App Client Secret
`SLACK_SIGNING_SECRET`	Slack App Signing Secret

SLACK_CLIENT_ID=your-client-id
SLACK_CLIENT_SECRET=your-client-secret
SLACK_SIGNING_SECRET=your-signing-secret

Google Chat

Variable	Description
`GOOGLE_CHAT_CLIENT_ID`	OAuth client ID (used during setup to create the incidents space in the customer's workspace)
`GOOGLE_CHAT_CLIENT_SECRET`	OAuth client secret
`GOOGLE_CHAT_SERVICE_ACCOUNT_KEY`	JSON key for the Chat app service account (messages appear as "Aurora")

GOOGLE_CHAT_CLIENT_ID=your-client-id
GOOGLE_CHAT_CLIENT_SECRET=your-client-secret
GOOGLE_CHAT_SERVICE_ACCOUNT_KEY='{"type":"service_account",...}'

PagerDuty

Variable	Default	Description
`NEXT_PUBLIC_ENABLE_PAGERDUTY_OAUTH`	`false`	Enable PagerDuty OAuth in UI
`PAGERDUTY_CLIENT_ID`	-	PagerDuty OAuth Client ID
`PAGERDUTY_CLIENT_SECRET`	-	PagerDuty OAuth Client Secret

NEXT_PUBLIC_ENABLE_PAGERDUTY_OAUTH=true
PAGERDUTY_CLIENT_ID=your-client-id
PAGERDUTY_CLIENT_SECRET=your-client-secret

OVH

Variable	Default	Description
`NEXT_PUBLIC_ENABLE_OVH`	`false`	Enable OVH connector in UI
`OVH_EU_CLIENT_ID`	-	OVH EU region Client ID
`OVH_EU_CLIENT_SECRET`	-	OVH EU region Client Secret
`OVH_CA_CLIENT_ID`	-	OVH CA region Client ID
`OVH_CA_CLIENT_SECRET`	-	OVH CA region Client Secret
`OVH_US_CLIENT_ID`	-	OVH US region Client ID
`OVH_US_CLIENT_SECRET`	-	OVH US region Client Secret

NEXT_PUBLIC_ENABLE_OVH=true
OVH_EU_CLIENT_ID=your-eu-client-id
OVH_EU_CLIENT_SECRET=your-eu-client-secret

Scaleway

Variable	Default	Description
`NEXT_PUBLIC_ENABLE_SCALEWAY`	`false`	Enable Scaleway connector in UI

NEXT_PUBLIC_ENABLE_SCALEWAY=true

No additional server-side credentials required. Users connect via API key through the UI.

Confluence

Variable	Description
`CONFLUENCE_CLIENT_ID`	Confluence OAuth Client ID
`CONFLUENCE_CLIENT_SECRET`	Confluence OAuth Client Secret

CONFLUENCE_CLIENT_ID=your-client-id
CONFLUENCE_CLIENT_SECRET=your-client-secret

SharePoint

Variable	Default	Description
`NEXT_PUBLIC_ENABLE_SHAREPOINT`	`false`	Enable SharePoint connector in UI
`SHAREPOINT_CLIENT_ID`	-	Azure App Client ID
`SHAREPOINT_CLIENT_SECRET`	-	Azure App Client Secret
`SHAREPOINT_TENANT_ID`	`common`	Azure Tenant ID

NEXT_PUBLIC_ENABLE_SHAREPOINT=true
SHAREPOINT_CLIENT_ID=your-client-id
SHAREPOINT_CLIENT_SECRET=your-client-secret
SHAREPOINT_TENANT_ID=your-tenant-id

Email (SMTP)

Variable	Default	Description
`SMTP_HOST`	-	SMTP server hostname
`SMTP_PORT`	`587`	SMTP server port
`SMTP_USER`	-	SMTP username
`SMTP_PASSWORD`	-	SMTP password
`SMTP_FROM_EMAIL`	-	From email address
`SMTP_FROM_NAME`	`Aurora`	From display name

SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=your-username
SMTP_PASSWORD=your-password
SMTP_FROM_EMAIL=aurora@example.com
SMTP_FROM_NAME=Aurora

Kubernetes & Pod Isolation

Variable	Default	Description
`ENABLE_POD_ISOLATION`	`false`	Enable Kubernetes pod isolation
`TERMINAL_NAMESPACE`	-	Namespace for terminal pods
`TERMINAL_IMAGE`	-	Container image for terminals
`TERMINAL_POD_TTL`	-	Pod time-to-live
`TERMINAL_RUNTIME_CLASS`	-	RuntimeClass for pods
`CHATBOT_POD_TTL`	-	Chatbot pod TTL
`USE_UNTRUSTED_NODES`	-	Allow untrusted nodes
`NEXT_PUBLIC_KUBECTL_AGENT_CHART_URL`	-	Helm chart URL for kubectl agent

Weaviate (Vector Database)

Variable	Default	Description
`WEAVIATE_HOST`	`weaviate`	Weaviate server host
`WEAVIATE_PORT`	`8080`	Weaviate HTTP port
`WEAVIATE_GRPC_PORT`	`50051`	Weaviate gRPC port

WEAVIATE_HOST=weaviate
WEAVIATE_PORT=8080
WEAVIATE_GRPC_PORT=50051

MCP Server

Variable	Default	Description
`MCP_PORT`	`8811`	Port the MCP server listens on
`BACKEND_URL`	`http://aurora-server:5080`	Internal Aurora API URL (shared with other services)

The MCP server authenticates clients via Bearer tokens stored in the mcp_tokens database table. No additional environment variable is needed for token configuration -- see the MCP integration guide for details.

Rate Limiting

Variable	Default	Description
`RATE_LIMITING_ENABLED`	`false`	Enable rate limiting
`RATE_LIMIT_BYPASS_TOKEN`	-	Token to bypass rate limits
`RATE_LIMIT_HEADERS_ENABLED`	`true`	Include rate limit headers in responses

RATE_LIMITING_ENABLED=true
RATE_LIMIT_BYPASS_TOKEN=your-bypass-token
RATE_LIMIT_HEADERS_ENABLED=true

Development

Variable	Default	Description
`NGROK_URL`	-	ngrok tunnel URL for local development

Environment File Locations

File	Purpose
`.env`	Your local configuration (gitignored)
`.env.example`	Template with all variables and documentation

Docker Compose Files

File	Purpose	Gunicorn mode
`docker-compose.yaml`	Development stack	`--reload` (auto-restart on code changes)
`docker-compose.prod-local.yml`	Production-like local deployment	`--preload` (load app before forking workers)
`docker-compose.airtight.yml`	Air-gapped deployment from pre-built images	`--preload`

All three files read GUNICORN_WORKERS, GUNICORN_THREADS, CELERY_CONCURRENCY, DB_POOL_MIN, and DB_POOL_MAX from the .env file. Set them there to tune concurrency across all environments.

Keep Docker Compose Files in Sync

When adding new environment variables, update all three Docker Compose files to ensure consistency.

Quick Setup​

Core Configuration​

Application Environment​

Database​

Concurrency & Connection Pool​

Redis​

Object Storage​

Default (SeaweedFS)​

AWS S3​

Cloudflare R2​

URLs & Networking​

Authentication & Security​

Vault (Secrets Management)​

LLM & AI Services​

LLM_PROVIDER_MODE​

Vertex AI (Google Cloud)​

Ollama (Local Models)​

AWS Bedrock​

Web Search​

AI Features​

AI Safety Guardrails​

Cloud Providers​

GCP (Google Cloud Platform)​

AWS (Amazon Web Services)​

Cloud Provider Cache​

Third-Party Integrations​

GitHub​

Slack​

Google Chat​

PagerDuty​

OVH​

Scaleway​

Confluence​

SharePoint​

Email (SMTP)​

Kubernetes & Pod Isolation​

Weaviate (Vector Database)​

MCP Server​

Rate Limiting​

Development​

Environment File Locations​

Docker Compose Files​