Configuration
Complete environment variable reference for self-hosted Openfuse deployments. Covers platform settings, database, authentication, SMTP, and social login.
All configuration is done through environment variables. In Docker Compose deployments, set them in the .env file. In orchestrated deployments, use your platform's secret manager and environment configuration.
Platform
| Variable | Required | Default | Description |
|---|---|---|---|
| ROOT_DOMAIN | Yes | — | Root domain for the platform. All subdomains are derived from this. |
| OPENFUSE_VERSION | No | latest | Docker image version tag. Always pin to a specific version in production. |
Derived URLs
From ROOT_DOMAIN, the platform automatically configures:
- API: `*.api.<ROOT_DOMAIN>` (e.g., `admin.api.example.com`, `acme.api.example.com`)
- SSO: `sso.<ROOT_DOMAIN>` (Keycloak login pages)
- UI: `<ROOT_DOMAIN>`, `app.<ROOT_DOMAIN>`, `<company>.<ROOT_DOMAIN>`
Database
| Variable | Required | Default | Description |
|---|---|---|---|
| DATABASE_HOST | No | db | PostgreSQL host. Change when using an external database. |
| DATABASE_PORT | No | 5432 | PostgreSQL port. |
| DATABASE_USER | Yes | — | Database username. |
| DATABASE_PASSWORD | Yes | — | Database password. |
| DATABASE_NAME | No | openfuse | Database name for the API. |
| DATABASE_SSL | No | false | Enable SSL for database connections. Set true for managed databases. |
| KC_DB_NAME | No | keycloak | Database name for Keycloak. |
| KC_DB_HOST | No | Same as DATABASE_HOST | Separate host for Keycloak's database, if needed. |
| KC_DB_USERNAME | No | Same as DATABASE_USER | Separate username for Keycloak's database. |
| KC_DB_PASSWORD | No | Same as DATABASE_PASSWORD | Separate password for Keycloak's database. |
Using an external database
By default, Openfuse bundles a PostgreSQL container. For production, use a managed database service (Amazon RDS, Google Cloud SQL, Azure Database for PostgreSQL).
- Create two databases on your PostgreSQL server: `openfuse` and `keycloak`.
- Remove the bundled database profile in .env by commenting it out:

  ```
  #COMPOSE_PROFILES=bundled-db
  ```

- Set the connection variables:

  ```
  DATABASE_HOST=your-rds-endpoint.amazonaws.com
  DATABASE_PORT=5432
  DATABASE_USER=openfuse
  DATABASE_PASSWORD=your-password
  DATABASE_SSL=true

  # If Keycloak uses the same server (recommended):
  KC_DB_HOST=your-rds-endpoint.amazonaws.com
  KC_DB_USERNAME=openfuse
  KC_DB_PASSWORD=your-password
  ```
The database user must have permission to create schemas and tables in the openfuse database. The API creates the meta schema on first run — no additional SQL setup needed.
SSL for managed databases
The API uses DATABASE_SSL=true to enable SSL. Keycloak uses JDBC, where SSL is configured in the connection URL. For manual setup with SSL, set KC_DB_URL:
```
KC_DB_URL=jdbc:postgresql://your-host:5432/keycloak?sslmode=require
```

Common sslmode values: require (encrypted, no certificate verification), verify-ca (encrypted, server certificate chain verified), verify-full (encrypted, certificate chain and hostname verified).
API / Sessions
| Variable | Required | Default | Description |
|---|---|---|---|
| SESSION_SECRET | Yes | — | 32+ character secret for session encryption. Generate with openssl rand -hex 32. Must be identical across all API replicas. |
Keycloak
Openfuse uses Keycloak for authentication.
| Variable | Required | Default | Description |
|---|---|---|---|
| KC_BOOTSTRAP_ADMIN_USERNAME | No | admin | Keycloak admin console username. |
| KC_BOOTSTRAP_ADMIN_PASSWORD | Yes | — | Keycloak admin console password. |
| KC_STAFF_REALM_NAME | No | openfuse-staff | Staff realm name. |
| KC_TENANTS_REALM_NAME | No | openfuse-tenants | Tenants realm name. |
Client secrets
Each Keycloak client requires a unique secret. Generate with openssl rand -hex 24.
| Variable | Required | Description |
|---|---|---|
| KC_STAFF_BACKEND_CLIENT_SECRET | Yes | Staff backend client. |
| KC_STAFF_BFF_CLIENT_SECRET | Yes | Staff backend-for-frontend client. |
| KC_TENANTS_BACKEND_CLIENT_SECRET | Yes | Tenants backend client. |
| KC_TENANTS_BFF_CLIENT_SECRET | Yes | Tenants backend-for-frontend client. |
| KC_TENANTS_SDK_CLIENT_SECRET | Yes | SDK authentication client. |
Root user
| Variable | Required | Description |
|---|---|---|
| ROOT_USER_EMAIL | Yes | Email for the first admin user. |
| ROOT_USER_PASSWORD | Yes | Password — min 12 characters, at least 1 uppercase, 1 digit, 1 special character. |
Email (SMTP)
SMTP is optional. Without it, the platform works but team invites and password reset emails won't be sent. Configure it for production use.
| Variable | Required | Default | Description |
|---|---|---|---|
| SMTP_HOST | No | — | SMTP server hostname. Omit to disable emails. |
| SMTP_PORT | No | 587 | SMTP server port. |
| SMTP_SECURE | No | false | Use TLS for SMTP (true for port 465). |
| SMTP_USER | No | — | SMTP username. |
| SMTP_PASSWORD | No | — | SMTP password. |
| SMTP_FROM_DOMAIN | No | ROOT_DOMAIN | Domain used in "from" email addresses. |
| SMTP_FROM_NAME | No | Openfuse | Display name for sent emails. |
Social login
Social login providers are disabled by default. Enable a provider by setting its KC_<PROVIDER>_ENABLED flag to true and providing its OAuth client ID and secret.
| Variable | Default | Description |
|---|---|---|
| KC_GOOGLE_ENABLED | false | Enable Google OAuth login. |
| KC_GOOGLE_CLIENT_ID | — | Google OAuth client ID. |
| KC_GOOGLE_CLIENT_SECRET | — | Google OAuth client secret. |
| KC_MICROSOFT_ENABLED | false | Enable Microsoft OAuth login. |
| KC_MICROSOFT_CLIENT_ID | — | Microsoft OAuth client ID. |
| KC_MICROSOFT_CLIENT_SECRET | — | Microsoft OAuth client secret. |
| KC_GITHUB_ENABLED | false | Enable GitHub OAuth login. |
| KC_GITHUB_CLIENT_ID | — | GitHub OAuth client ID. |
| KC_GITHUB_CLIENT_SECRET | — | GitHub OAuth client secret. |
Logging
| Variable | Default | Description |
|---|---|---|
| LOG_LEVEL | info | API log level (debug, info, warn, error). |
Orchestrator-specific variables
These variables are set automatically by the Docker Compose files. In orchestrated deployments (Kubernetes, ECS, Cloud Run), you need to set them explicitly. See the platform guides (Kubernetes, AWS ECS, Cloud Run, Azure Container Apps) for details.
API
| Variable | Required | Example | Description |
|---|---|---|---|
| API_PORT | No | 3000 | API listen port. |
| API_BASE_URL | Yes | https://admin.api.example.com | Admin API base URL. |
| SSO_BASE_URL | Yes | https://sso.api.example.com | BFF auth callback URL (API subdomain, not the Keycloak URL). |
| COOKIE_DOMAIN | Yes | .example.com | Cookie domain (note the leading dot). |
| KEYCLOAK_URL | Yes | http://keycloak:8080 | Internal Keycloak URL. |
| KEYCLOAK_EXTERNAL_URL | Yes | https://sso.example.com | Public Keycloak URL. |
| STAFF_FRONTEND_BASE_URL | Yes | https://staff.example.com | Staff frontend URL. |
| TENANTS_FRONTEND_BASE_URL | Yes | https://example.com | Tenants frontend URL. |
| ALLOW_DEV_HOSTS | No | false | Allow dev-friendly CORS origins (localhost, lvh.me). Only for testing. |
Keycloak
| Variable | Required | Example | Description |
|---|---|---|---|
| KC_DB | Yes | postgres | Database type. |
| KC_DB_URL | Yes | jdbc:postgresql://host:5432/keycloak | JDBC connection URL. |
| KC_DB_USERNAME | Yes | openfuse | Database username. |
| KC_DB_PASSWORD | Yes | — | Database password. |
| KC_HOSTNAME | Yes | sso.example.com | Public hostname. |
| KC_PROXY_HEADERS | Yes | xforwarded | Set when behind a load balancer. |
| KC_HTTP_ENABLED | No | true | Enable HTTP (TLS terminated at the load balancer). |
| KC_HEALTH_ENABLED | No | true | Enable the health endpoint on port 9000. |
Config Importer
The ghcr.io/openfuseio/openfuse-config-importer image has realm YAML files baked in — no file mounting needed. Set the environment variables and run as a one-time task.
| Variable | Required | Default | Description |
|---|---|---|---|
| KEYCLOAK_URL | Yes | — | Internal Keycloak URL. |
| KEYCLOAK_USER | Yes | — | Keycloak admin username. |
| KEYCLOAK_PASSWORD | Yes | — | Keycloak admin password. |
| KEYCLOAK_AVAILABILITYCHECK_ENABLED | No | true | Wait for Keycloak to be ready before importing. |
| KEYCLOAK_AVAILABILITYCHECK_TIMEOUT | No | 120s | Max wait time for Keycloak. |
| IMPORT_FILES_LOCATIONS | No | /config/* | Path to realm configuration files. The Docker image has them baked in at /config/. |
| IMPORT_VARSUBSTITUTION_ENABLED | Yes | — | Set to true. |
| IMPORT_VARSUBSTITUTION_UNDEFINEDISTERROR | Yes | — | Set to true. |
| SSO_API_BASE_URL | Yes | — | BFF auth callback base URL (e.g., https://sso.api.example.com). |
| STAFF_FRONTEND_BASE_URL | Yes | — | Staff frontend URL. |
| TENANTS_FRONTEND_BASE_URL | Yes | — | Tenants frontend URL. |
| TENANTS_FRONTEND_APP_URL | Yes | — | Tenants app URL (e.g., https://app.example.com). |
The Config Importer also requires all five KC_*_CLIENT_SECRET variables and the SMTP variables (set SMTP_HOST=disabled to skip email configuration).
UI
| Variable | Required | Default | Description |
|---|---|---|---|
| VITE_API_BASE_HOST | Yes | — | API hostname (e.g., api.example.com). |
| VITE_API_PROTOCOL | No | https | Scheme used for API URLs. |
| VITE_APP_ENV | No | production | Application environment. |
| VITE_UI_BASE_HOST | Yes | — | UI hostname (e.g., example.com). |
| VITE_UI_PROTOCOL | No | https | Scheme used for UI URLs. |
Secrets management
For production, store secrets in your platform's secret manager instead of .env files.
| Secret | Services that need it |
|---|---|
| Database credentials | API, Keycloak |
| SESSION_SECRET | API |
| KC_BOOTSTRAP_ADMIN_PASSWORD | Keycloak, Config Importer |
| KC_*_CLIENT_SECRET (5 secrets) | API, Config Importer |
| SMTP credentials | API, Config Importer |
| ROOT_USER_PASSWORD | API |
Generate all secrets with openssl rand -hex <length> — use 24 for client secrets, 32 for session secret.
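As an added example, not code from the Openfuse project or this reference, the POSIX shell script below checks an .env file against the rules stated on this page before deployment: the 32-character minimum for SESSION_SECRET (API / Sessions), the ROOT_USER_PASSWORD policy (Root user), a pinned OPENFUSE_VERSION, the leading dot on COOKIE_DOMAIN when that variable is present, and the presence of all five KC_*_CLIENT_SECRET values. The function names, the lint messages and the constructed sample file in the demo are the example's own assumptions; gen_secret simply wraps the openssl command the reference recommends.

```shell
#!/bin/sh
# Added example, not part of the Openfuse project: preflight checks for an
# Openfuse .env file, based on the rules in this configuration reference.
# Function names, messages and the sample file below are the example's own.

# Generate a secret the way the reference recommends (openssl rand -hex <bytes>):
# 24 bytes -> 48 hex characters for KC_*_CLIENT_SECRET, 32 bytes -> 64 for SESSION_SECRET.
gen_secret() {
  openssl rand -hex "$1"
}

# 0 if the value is at least 32 characters long (SESSION_SECRET rule).
check_session_secret() {
  [ "${#1}" -ge 32 ]
}

# 0 if the value meets the ROOT_USER_PASSWORD policy: at least 12 characters,
# one uppercase letter, one digit and one special (non-alphanumeric) character.
check_root_password() {
  pw=$1
  [ "${#pw}" -ge 12 ] || return 1
  printf '%s' "$pw" | grep -q '[[:upper:]]' || return 1
  printf '%s' "$pw" | grep -q '[[:digit:]]' || return 1
  printf '%s' "$pw" | grep -q '[^[:alnum:]]'
}

# 0 if OPENFUSE_VERSION is pinned, i.e. set and not "latest".
check_version_pinned() {
  [ -n "$1" ] && [ "$1" != "latest" ]
}

# 0 if COOKIE_DOMAIN carries the leading dot the reference requires.
check_cookie_domain() {
  case $1 in
    .*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Print the value of KEY from FILE ($1 = file, $2 = key); the last definition
# wins, empty when unset. Values are taken verbatim, quotes included.
env_get() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Run every check against FILE, print one line per problem and return the
# number of problems (0 means the file passed).
lint_env() {
  file=$1
  fails=0
  check_session_secret "$(env_get "$file" SESSION_SECRET)" ||
    { echo "SESSION_SECRET: must be at least 32 characters"; fails=$((fails + 1)); }
  check_root_password "$(env_get "$file" ROOT_USER_PASSWORD)" ||
    { echo "ROOT_USER_PASSWORD: needs 12+ characters, an uppercase letter, a digit and a special character"; fails=$((fails + 1)); }
  check_version_pinned "$(env_get "$file" OPENFUSE_VERSION)" ||
    { echo "OPENFUSE_VERSION: pin a specific version instead of latest"; fails=$((fails + 1)); }
  # COOKIE_DOMAIN is only set explicitly in orchestrated deployments, so check it
  # only when the file defines it.
  cookie=$(env_get "$file" COOKIE_DOMAIN)
  if [ -n "$cookie" ]; then
    check_cookie_domain "$cookie" ||
      { echo "COOKIE_DOMAIN: must start with a dot"; fails=$((fails + 1)); }
  fi
  for key in KC_STAFF_BACKEND_CLIENT_SECRET KC_STAFF_BFF_CLIENT_SECRET \
             KC_TENANTS_BACKEND_CLIENT_SECRET KC_TENANTS_BFF_CLIENT_SECRET \
             KC_TENANTS_SDK_CLIENT_SECRET; do
    [ -n "$(env_get "$file" "$key")" ] ||
      { echo "$key: missing"; fails=$((fails + 1)); }
  done
  return "$fails"
}

# Demo on a constructed .env that breaks several rules (sample data, not a real deployment).
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
ROOT_DOMAIN=example.com
OPENFUSE_VERSION=latest
SESSION_SECRET=changeme
ROOT_USER_PASSWORD=password123
COOKIE_DOMAIN=example.com
KC_STAFF_BACKEND_CLIENT_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef
EOF
  if lint_env "$tmp"; then
    echo "env file passed"
  else
    echo "env file has problems, fix them before deploying"
  fi
  rm -f "$tmp"
}

demo
```

Run it with `sh check-env.sh` (an assumed file name) after filling in .env; the demo prints one line per failed rule on the constructed sample. The checks mirror the reference only, so a file that passes still needs the rest of the variables reviewed against the tables above.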