DocsChangelog

Environment Variables

Configure your Penombre instance with environment variables.

See .example.env for a complete reference.

Core

General application settings that control the runtime identity, environment mode, and logging behavior.

ORIGIN must be set to the public URL where your instance is accessible. It is used to generate absolute URLs in OAuth callbacks and email links. In development this is typically http://localhost:3000.

VariableDescriptionDefault
APP_NAMEApplication name (used in UI and emails)Penombre
APP_VERSIONApplication version (used in metadata)/
APP_ENVEnvironment (dev/production)production
ORIGINPublic origin URL (used for OAuth callbacks)http://localhost:3000
LOG_LEVELdebug, info, warn, error, traceinfo
LOG_FORMATconsole or jsonconsole

Database

Penombre requires a PostgreSQL database. Provide a standard connection string including credentials, host, port, and database name.

VariableDescriptionDefault
DATABASE_URLPostgreSQL connection stringRequired

Initial Setup

These variables are only used during the first-time database seed to create the initial admin account. They have no effect after the database has been initialized and can be removed from your environment afterwards.

VariableDescriptionDefault
ADMIN_EMAILInitial admin account emailRequired
ADMIN_PASSWORDInitial admin account passwordRequired

Authentication

Controls how users authenticate. AUTH_SECRET must be a long, random string — you can generate one with openssl rand -hex 32. Keep it secret and do not rotate it without invalidating all existing sessions.

VariableDescriptionDefault
AUTH_SECRETSecret key for signing auth tokensRequired
ENABLE_EMAIL_SIGNINEnable email/password sign-intrue
ENABLE_OAUTH_SIGNINEnable OAuth sign-infalse
MIN_PASSWORD_LENGTHMinimum password length8

OAuth Providers (Optional)

Penombre supports any OIDC-compliant provider. Enable OAuth sign-in by setting ENABLE_OAUTH_SIGNIN=true and configuring at least one provider using the naming pattern OAUTH_<PROVIDER>_<SETTING>, where <PROVIDER> is an uppercase identifier of your choice (e.g. GOOGLE, GITHUB, POCKET_ID).

VariableDescriptionDefault
OAUTH_<PROVIDER>_ENABLEDEnable this providertrue
OAUTH_<PROVIDER>_CLIENT_IDOAuth client IDRequired
OAUTH_<PROVIDER>_CLIENT_SECRETOAuth client secretRequired
OAUTH_<PROVIDER>_DISCOVERY_URLOIDC discovery URLRequired
OAUTH_<PROVIDER>_PRETTY_NAMEDisplay name in the UIProvider name
OAUTH_<PROVIDER>_PKCEUse PKCEtrue
OAUTH_<PROVIDER>_SCOPESComma-separated scopesopenid,profile,email

Redis (Optional)

Penombre includes an in-memory cache for file listings and metadata. By default, each app instance maintains its own cache in-process. To share the cache across multiple instances or preserve it across restarts, you can connect an external Redis server.

When REDIS_URL is set, all caching is offloaded to Redis. When it is not set, caching falls back to an in-process memory cache (production) or is disabled entirely (development).

VariableDescriptionDefault
REDIS_URLRedis connection string/

SMTP (Optional)

Required for email features such as password reset and email verification. Set SMTP_ENABLED=true and provide the connection details for your mail server. If SMTP is disabled, email-dependent features will be unavailable.

VariableDescriptionDefault
SMTP_ENABLEDEnable SMTPfalse
SMTP_HOSTSMTP server hostnameRequired if enabled
SMTP_PORTSMTP server port587
SMTP_USERSMTP usernameRequired if enabled
SMTP_PASSWORDSMTP passwordRequired if enabled
SMTP_FROMSender email addressRequired if enabled
SMTP_SECUREUse TLS (true/false)false

Storage

Controls where uploaded files are stored. The default local backend stores files on the host filesystem. Set STORAGE_BACKEND=s3 to use any S3-compatible service instead. See Storage for a full setup guide.

VariableDescriptionDefault
STORAGE_BACKENDlocal or s3local
STORAGE_PATHLocal filesystem path (local backend only)/data/storage
S3_BUCKETBucket name (S3 backend only)Required
S3_ACCESS_KEY_IDAccess key ID (S3 backend only)Required
S3_SECRET_ACCESS_KEYSecret access key (S3 backend only)Required
S3_ENDPOINTCustom endpoint URL (non-AWS providers)/
S3_REGIONBucket regionus-east-1
S3_PATH_STYLEUse path-style URLs (true/false)false

Found an issue or want to contribute? Edit this page on GitHub

Getting Started

Spin up a Penombre instance in minutes with Docker Compose

Deployment

Deploy Penombre to production with Docker.

On this page

CoreDatabaseInitial SetupAuthenticationOAuth Providers (Optional)Redis (Optional)SMTP (Optional)Storage