Configuration¶
OpenWatch follows a 12-factor approach: everything is configured through environment variables, read from your .env file. This page lists the variables that matter for a self-hosted deployment. Start from .env.example, which ships with sensible defaults and inline comments.
Required¶
| Variable | Purpose |
|---|---|
SECRET_KEY |
Flask signing key for sessions and CSRF tokens. Generate with python3 -c "import secrets; print(secrets.token_hex(32))". |
MASTER_KEY |
Fernet key used to encrypt stored credentials at rest. Generate with python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())". |
DATABASE_URL |
PostgreSQL connection string, for example postgresql://explorer:explorer@db:5432/openwatch. With the bundled compose file the host is the db service. |
FLOWER_PASSWORD |
Basic-auth password for the Flower dashboard. The compose file refuses to start Flower without it. |
MASTER_KEY is unrecoverable if lost
Every *_cipher value (OpenStack passwords, SMTP passwords, OAuth and OIDC secrets, TOTP secrets, and more) is encrypted with MASTER_KEY. If you lose it, those values cannot be decrypted and must be re-entered. Back it up securely and do not rotate it casually.
Common¶
| Variable | Default | Purpose |
|---|---|---|
TALISMAN_FORCE_HTTPS |
false |
Set to true in production behind an HTTPS reverse proxy. Leave false for local HTTP. |
OPENSTACK_CACHE_TTL |
300 |
Seconds a cost-cache entry stays fresh before a background refresh. |
ALERT_CHECK_INTERVAL |
300 |
Seconds between cost-alert evaluations. |
DATA_REFRESH_INTERVAL |
3600 |
Seconds between full background refreshes of all projects. |
CELERY_BROKER_URL |
redis://redis:6379/0 |
Redis broker for the Celery task queue. |
CELERY_RESULT_BACKEND |
redis://redis:6379/0 |
Redis backend for task results. |
RATELIMIT_STORAGE_URI |
redis://redis:6379/1 |
Redis store for rate-limit counters (uses DB 1 to avoid clashing with Celery on DB 0). |
FLOWER_USER |
admin |
Basic-auth user for the Flower dashboard. |
Edition and licensing¶
| Variable | Purpose |
|---|---|
OPENWATCH_EDITION |
Build-time argument (community, enterprise, or saas) baked into the image. It cannot be overridden at runtime. See Editions and plan limits. |
LICENSE_KEY |
Enterprise only. The signed Ed25519 licence that unlocks your plan limits. Without it, an Enterprise image falls back to the essential plan. |
Admin console¶
The super-admin console runs as a separate container for isolation.
| Variable | Purpose |
|---|---|
ADMIN_SECRET_KEY |
Distinct signing key for the admin console sessions and CSRF, so a stolen main-app session can never authenticate there. Set it in production; if unset, the console falls back to SECRET_KEY and is no longer isolated. |
ADMIN_DATABASE_URL |
Optional. A least-privilege PostgreSQL role for the admin console. When set, the console connects with it instead of the full-privilege main DSN. |
At-rest encryption provider¶
By default OpenWatch encrypts with the local MASTER_KEY (the fernet provider). It can optionally use HashiCorp Vault Transit instead.
| Variable | Purpose |
|---|---|
CRYPTO_PROVIDER |
fernet or vault. Leave empty to auto-derive (vault when VAULT_ADDR is set, otherwise fernet). |
VAULT_ADDR, VAULT_TRANSIT_MOUNT, VAULT_TRANSIT_KEY |
Vault Transit endpoint and key, when using the vault provider. |
VAULT_TOKEN or VAULT_ROLE_ID + VAULT_SECRET_ID |
Vault authentication: a static token for development, or an AppRole for production. |
Most deployments use Fernet
Vault is optional and aimed at deployments that want encrypt and decrypt to happen server-side. If you are not sure, leave the Vault variables empty and use MASTER_KEY.
OAuth, OIDC and Turnstile¶
These are configured through the web interface, not environment variables:
- Google and Microsoft sign-in: set in the super-admin site settings.
- Per-organisation OIDC: set by an org admin under Single sign-on.
- Turnstile (bot protection) keys: set in site settings.
Database migrations¶
Schema migrations run automatically when the stack starts, before the app serves requests, so a running deployment never sees a stale schema. You do not run migrations by hand for a normal upgrade; pull the new image, rebuild, and start.
SMTP (outgoing email)¶
Email delivery (verification, invitations, alerts by email) is configured in the app: globally in the super-admin site settings, or per organisation by an org admin. Passwords entered there are encrypted at rest with the active provider.