Environment variables
Configuration for DeployDock is driven by environment variables consumed by apps/api (NestJS) and apps/worker (BullMQ). Local defaults live in apps/api/.env.example in your deploy-dock source checkout.
API (apps/api)
| Variable | Required | Default (example) | Purpose |
|---|---|---|---|
| DATABASE_URL | Yes | postgresql://panel:panel@127.0.0.1:5432/panel | PostgreSQL connection string for Prisma. |
| REDIS_HOST | For queue | 127.0.0.1 | Redis host for BullMQ when the queue module is loaded. |
| REDIS_PORT | For queue | 6379 | Redis port. |
| JWT_ACCESS_SECRET | Yes | change-me-to-long-random | Secret used to sign JWT access tokens. Use a long random value in production. |
| JWT_ACCESS_TTL | No | 15m | Access token lifetime (string parsed by the auth layer). |
| PANEL_SECRETS_KEY | Yes | change-me-32-byte-or-longer-secret | Key material for AES-256-GCM encryption of sensitive values (e.g. database user passwords at rest). |
| PANEL_WEB_ORIGIN | Yes (CORS) | http://127.0.0.1:5173 | Allowed browser origin(s) for CORS; the prod Docker samples use http://localhost:8080. A comma-separated list is supported in code. |
| PANEL_API_PORT | No | 4000 | HTTP listen port for the API process. |
| PANEL_DRY_RUN | No | 0 | When 1, runtime adapters avoid destructive OS mutations (useful for demos; worker compose often sets 1). |
| PANEL_DISABLE_QUEUE | No | 0 | When 1, the BullMQ panel queue module is not loaded. Application create/deploy then call finishDeployLocal on the API (marks deployment success without running the worker pipeline). |
| PANEL_APPS_ROOT | No | /var/www/deploy-dock-apps | Base path used when computing per-application installPath ({root}/{serverId}/{slugified-name}). |
| PANEL_FILES_ROOT | No | /var/www | Documented default for file-manager roots in .env.example (behavior depends on files service implementation). |
Secrets (JWT_ACCESS_SECRET, PANEL_SECRETS_KEY) should be rotated on a schedule that matches your policy. Never commit real .env files.
Worker (apps/worker)
The worker reads the following from the environment (see apps/worker/src/main.ts):
| Variable | Required | Default | Purpose |
|---|---|---|---|
| DATABASE_URL | Yes | (set in Compose) | Prisma access to the same database as the API. |
| REDIS_HOST | Yes | 127.0.0.1 | BullMQ Redis host. |
| REDIS_PORT | No | 6379 | BullMQ Redis port. |
| REDIS_PASSWORD | No | unset | Optional Redis password passed to BullMQ connection. |
| PANEL_DRY_RUN | No | 0 | Passed into adapter context as dryRun for provision/build/start steps. |
The API does not list REDIS_PASSWORD in .env.example; add it when your Redis instance requires auth.
Docker Compose overrides
- Dev stack (deploy/docker/docker-compose.yml): sets DATABASE_URL, REDIS_*, JWT_ACCESS_SECRET, PANEL_SECRETS_KEY, PANEL_WEB_ORIGIN, PANEL_DISABLE_QUEUE for api; worker gets PANEL_DRY_RUN=1 by default.
- Prod-style stack (deploy/docker/docker-compose.prod.yml): supports shell defaults for JWT_ACCESS_SECRET, PANEL_SECRETS_KEY, PANEL_WEB_ORIGIN, PANEL_DRY_RUN via ${VAR:-default} patterns in the compose file.
Security notes
From the monorepo README: database user secrets at rest use AES-256-GCM via PANEL_SECRETS_KEY. OS-level operations are intended to go through allowlisted commands in @deploydock/command-runner. Prefer PANEL_DRY_RUN=1 when demonstrating the stack without mutating the host.
For the canonical list of keys as checked into the repo, open deploy-dock/apps/api/.env.example.
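
Because the prod-style compose file falls back to defaults when these variables are unset, a preflight check that rejects placeholder or weak values before start-up is worth having. The following is an added example, not code from the DeployDock repository: `checkEnv`, `MIN_SECRET_BYTES` and its 32-byte floor are assumptions, and the sample environment is constructed.

```javascript
// Added example (not DeployDock code). Placeholders are the .env.example defaults in the API table.
const PLACEHOLDERS = {
  JWT_ACCESS_SECRET: 'change-me-to-long-random',
  PANEL_SECRETS_KEY: 'change-me-32-byte-or-longer-secret',
};
const MIN_SECRET_BYTES = 32; // assumption: minimum accepted length for both secrets

function checkEnv(env) {
  const findings = [];
  const add = (level, name, msg) => findings.push({ level, name, msg });

  for (const [name, placeholder] of Object.entries(PLACEHOLDERS)) {
    const value = env[name] || '';
    if (!value) add('error', name, 'required but not set');
    else if (value === placeholder) add('error', name, 'still the .env.example placeholder');
    else if (Buffer.byteLength(value, 'utf8') < MIN_SECRET_BYTES)
      add('error', name, `shorter than ${MIN_SECRET_BYTES} bytes`);
  }

  try {
    const db = new URL(env.DATABASE_URL || '');
    if (db.username === 'panel' && db.password === 'panel')
      add('error', 'DATABASE_URL', 'uses the example panel:panel credentials');
  } catch {
    add('error', 'DATABASE_URL', 'missing or not a parseable URL');
  }

  // PANEL_WEB_ORIGIN is a comma-separated list; every entry must be an exact origin.
  const origins = (env.PANEL_WEB_ORIGIN || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (origins.length === 0) add('error', 'PANEL_WEB_ORIGIN', 'required for CORS but not set');
  for (const o of origins) {
    let bare = false;
    try { bare = new URL(o).origin === o; } catch { /* "*" and other non-URLs land here */ }
    if (!bare) add('error', 'PANEL_WEB_ORIGIN', `"${o}" is not a scheme://host[:port] origin`);
  }

  // Demo-oriented flags per the tables above; surface them so they are a deliberate choice.
  if (env.PANEL_DRY_RUN === '1') add('warn', 'PANEL_DRY_RUN', 'adapters skip host mutations');
  if (env.PANEL_DISABLE_QUEUE === '1')
    add('warn', 'PANEL_DISABLE_QUEUE', 'deploys are marked successful without the worker pipeline');
  return findings;
}

// Constructed sample input (illustrative values, not taken from the compose files).
const sampleEnv = {
  DATABASE_URL: 'postgresql://panel:panel@127.0.0.1:5432/panel',
  JWT_ACCESS_SECRET: 'change-me-to-long-random',
  PANEL_SECRETS_KEY: 'short-key',
  PANEL_WEB_ORIGIN: 'http://localhost:8080, *',
  PANEL_DRY_RUN: '1',
};
console.log(checkEnv(sampleEnv));
```

Run it against `process.env` in the container entrypoint and refuse to start when any finding has level `error`.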