Skip to content

Configuration Reference

Every variable lives in .env.example at the repository root — copy it to .env (git-ignored) and fill in real values. No secret has a default; every service fails fast at startup if a required variable is missing. .env is never committed, and secrets are never hardcoded in source — libs/securelog also redacts password/secret/token/vault/ authorization fields from all structured logs regardless.

Database

Single engine for the whole stack — choose one option and set DB_HOST accordingly (don't mix them):

  • Shared Zabbix DB serverDB_HOST=<your Zabbix server IP>, DB_PORT=5432, DB_SSLMODE=require, then run ops/init-db.sh to create the seyalrun_* databases on that server.
  • Dedicated separate DB server — same as above but pointed at its own host.
  • Containerized (default for staging/local dev) — DB_HOST=postgres, DB_SSLMODE=disable, docker compose -f docker-compose.yml -f docker-compose.db.yml --profile postgres-db up -d.
VariablePurpose
DB_ENGINEpostgres or mysql
DB_HOST / DB_PORT / DB_USER / DB_PASSWORDConnection details — single engine shared by seyalrun_identity and seyalrun_inventory
DB_SSLMODEdisable / require / verify-full (postgres); disable / required (mysql)
IDENTITY_DB_NAME, INVENTORY_DB_NAME, TERMINAL_DB_NAME, AUTOMATION_DB_NAMEDatabase names per service

Redis

VariablePurpose
REDIS_URLBacks api-gateway's per-IP/user rate limiting. Use rediss:// for TLS if Redis isn't co-located.

Auth / tokens

Client sessions are opaque, server-side (Redis) — not a JWT the browser can decode. JWT_SECRET/JWT_ALGORITHM sign only the short-lived Zabbix link-token and MFA credential-reveal token (identity-service internal use).

VariablePurpose
JWT_SECRETLink-token / credential-reveal token signing key
JWT_ALGORITHMDefaults to HS256
SESSION_IDLE_MINUTESSession dies if idle this long (default 30)
SESSION_ABSOLUTE_HOURSSession dies at this age regardless of activity (default 8)
SERVICE_JWT_SECRETService-to-service X-Service-Token signing key (all services)
API_TOKEN_PEPPERExtra pepper for hashing Personal Access Tokens

Credential vault (inventory-service)

VariablePurpose
ZA_VAULT_PASSWORDAES-256-GCM credential encryption master key (≥ 32 chars)
ZA_VAULT_SALTGenerate once: openssl rand -hex 16
SSH_KNOWN_HOSTS_PATHSSH host-key verification for outbound connections (terminal + automation). Empty = no verification (logs a warning); set to a known_hosts file path to enforce strict host-key checking and mitigate MITM.

Zabbix integration

VariablePurpose
ZABBIX_API_URL / ZABBIX_API_TOKENUsed for event acknowledgement
ZABBIX_WEBHOOK_HMAC_SECRETRequired. HMAC key for the /webhook/zabbix receiver — it bypasses api-gateway, so this is its only auth. zabbix-integration-service refuses to start if unset. Generate: openssl rand -hex 32
ZABBIX_MODULE_SECRETOnly needed if the Zabbix frontend module is installed; leave blank otherwise (/auth/zbx-sso-init 503s). Must match module_secret in the module's own config.php exactly.
ZABBIX_CONSOLE_URLe.g. https://zabbix.example.com — included in job result messages

api-gateway

VariablePurpose
FRONTEND_ORIGINCORS allow-origin — must match the URL you browse to
RATE_LIMIT_REQUESTS / RATE_LIMIT_WINDOW_SECONDSDefaults 100 requests / 60 seconds

edge-proxy (TLS termination — the only host-published service)

VariablePurpose
TLS_CERT_PATH / TLS_KEY_PATHHost paths to cert/key, bind-mounted (Let's Encrypt or internal CA)
EDGE_HTTP_PORT / EDGE_HTTPS_PORTDefaults 8080 / 8443
FRAME_ANCESTORSExtra origins allowed to iframe SeyalRun. Header is always frame-ancestors 'self' <this> — leave blank for same-origin-only. To embed in Zabbix, set to the Zabbix origin as an unquoted host source, e.g. https://zabbix.example.com. Never set to * — that allows any site to frame the PAM console (clickjacking).

Self-monitoring (agentless, HTTP)

No extra env vars beyond ZABBIX_WEBHOOK_HMAC_SECRET above — Zabbix polls GET https://<edge-host>:<EDGE_HTTPS_PORT>/webhook/zabbix/monitor with header X-Monitor-Token: <ZABBIX_WEBHOOK_HMAC_SECRET>. See Self-Monitoring.

Identity seed

VariablePurpose
SEED_ADMIN_USERNAMEDefault Admin
SEED_ADMIN_PASSWORDLeave blank to auto-generate; the seeded password is otherwise always seyalrun if left as the literal default — first login requires a password change before anything else works.

Housekeeping / retention

VariablePurpose
AUDIT_LOG_RETENTION_DAYSDefault 180
RECORDING_RETENTION_DAYSDefault 90
TERMINAL_RECORDING_MAX_FRAMESMax frames retained per session recording in memory, oldest dropped first (default 20000)
TERMINAL_POLICY_REFRESH_SECONDSSeconds between command-filter/login-ACL cache refreshes in active sessions (default 60)

Automation / job execution

VariablePurpose
JOB_EXEC_TIMEOUT_SECONDSMaximum wall-clock time per job run (default 3600)
MAX_OUTPUT_LINESoutput_lines cap per job run — oldest lines dropped when exceeded (default 500)

Password strength / rotation

VariablePurpose
WEAK_CREDENTIAL_THRESHOLDzxcvbn score below this = weak (default 2)
ROTATION_DEFAULT_DAYSDefault 90

Recording tiering

VariablePurpose
RECORDING_TIER_AFTER_DAYSMove local recordings to S3 after N days (default 7)

Centralized log backend

Backend + secrets are managed at runtime in Admin → Log Backend, stored vault-encrypted in the database. These env vars are optional fallbacks, consumed only by the automation housekeeping ES-rollover job:

VariablePurpose
ES_URL / ES_INDEX_PREFIXElasticsearch backend (prefix default seyalrun)
S3_BUCKET / S3_REGION / S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY / S3_ENDPOINT_URLS3-compatible backend; leave S3_ENDPOINT_URL blank for AWS, set it for MinIO/compatible

Logging

VariablePurpose
LOG_LEVELDefault INFO

Secure. Controlled. Automated. — Released under the Apache License 2.0.