Environment Variables

Server Configuration

| Variable | Default | Description |
|---|---|---|
| PORT | 4090 | HTTP server port. Must not fall within restricted range 30001–30005. |
| NODE_ENV | production | Application environment (production, development, etc.) |
| DATA_DIR | ./db/data | Directory for persistent data (database, SSL certs, encryption keys, OPKSSH binary) |
| LOG_LEVEL | info | Logging verbosity (debug, info, warn, error) |
| LOG_TIMESTAMP_FORMAT | locale format | Timestamp format for log output: 24h (e.g. 14:58:45), iso (e.g. 2026-04-25T14:58:45.000Z), or omit for locale format (e.g. 2:58:45 PM) |

SSL/TLS Configuration

| Variable | Default | Description |
|---|---|---|
| ENABLE_SSL | false | Enable automatic SSL certificate generation. See SSL for details. |
| SSL_PORT | 8443 | HTTPS server port (only used when ENABLE_SSL=true) |
| SSL_CERT_PATH | {DATA_DIR}/ssl/termix.crt | Path to SSL certificate file |
| SSL_KEY_PATH | {DATA_DIR}/ssl/termix.key | Path to SSL private key file |
| SSL_DOMAIN | localhost | Domain name for SSL certificate generation |

OIDC/OAuth Authentication

The normal way to add login providers is through Admin Settings, which supports OIDC, LDAP, GitHub, and Google providers side by side. See SSO Providers for that. The variables below are a fallback for setting up a single generic OIDC provider through environment variables instead, and they only take effect when no OIDC provider has been added in Admin Settings yet.

| Variable | Default | Description |
|---|---|---|
| OIDC_CLIENT_ID | - | OAuth provider client ID (required if using OIDC) |
| OIDC_CLIENT_SECRET | - | OAuth provider client secret (required if using OIDC) |
| OIDC_ISSUER_URL | - | OAuth provider issuer URL (e.g., https://accounts.google.com) |
| OIDC_AUTHORIZATION_URL | - | OAuth authorization endpoint URL |
| OIDC_TOKEN_URL | - | OAuth token endpoint URL |
| OIDC_USERINFO_URL | "" | OAuth userinfo endpoint URL (optional) |
| OIDC_IDENTIFIER_PATH | sub | JSON path in userinfo response for user identifier |
| OIDC_NAME_PATH | name | JSON path in userinfo response for display name |
| OIDC_SCOPES | openid email profile | Space-separated OAuth scopes to request |
| OIDC_ALLOWED_USERS | "" | Comma-separated list of allowed user identifiers/email patterns. Use * for all users, @example.com for domain wildcards, or leave empty to allow all. |
| OIDC_ADMIN_GROUP | "" | OIDC group name whose members are synced as Termix admins on each login. Requires group claims in the token (e.g. request the groups scope). |
| OIDC_GROUP_CLAIM | "" | Path in the token where group membership lives, used to check OIDC_ADMIN_GROUP |

Two more variables apply no matter which provider type or setup method you use:

| Variable | Default | Description |
|---|---|---|
| OIDC_FORCE_HTTPS | false | Force HTTPS for OIDC callback URLs (required if behind reverse proxy) |
| OIDC_ALLOW_REGISTRATION | false | Allows user creation via OIDC, GitHub, or LDAP sign in even when general registration is disabled, while still enforcing each provider's allowed-users list |

Database Configuration

| Variable | Default | Description |
|---|---|---|
| DB_FILE_ENCRYPTION | true | Enable SQLite database file encryption |

Guacamole Configuration

| Variable | Default | Description |
|---|---|---|
| ENABLE_GUACAMOLE | true | Enable/disable Guacamole remote desktop support (false to disable) |
| GUACD_HOST | localhost | Guacamole daemon (guacd) hostname |
| GUACD_PORT | 4822 | Guacamole daemon (guacd) port |

Docker Configuration

| Variable | Default | Description |
|---|---|---|
| PUID | 1000 | User ID to run the container process as |
| PGID | 1000 | Group ID to run the container process as |

Proxy Configuration

| Variable | Default | Description |
|---|---|---|
| http_proxy / HTTP_PROXY | - | HTTP proxy URL for outbound HTTP connections |
| https_proxy / HTTPS_PROXY | - | HTTPS proxy URL for outbound HTTPS connections |
| no_proxy / NO_PROXY | "" | Comma-separated hosts that should bypass proxy (e.g., localhost,127.0.0.1,.example.com) |

Frontend Configuration

| Variable | Default | Description |
|---|---|---|
| VITE_BASE_PATH | / | Base path for the web application. See Reverse Proxy for details. |

Notes

  • Auto-Generated Secrets: Security keys (JWT_SECRET, DATABASE_KEY, INTERNAL_AUTH_TOKEN) are automatically generated on first startup and stored in {DATA_DIR}/.env. Do not manually set these unless restoring from backup.
  • Environment File Locations:
    • Primary: .env in application root
    • Persistent: {DATA_DIR}/.env (auto-generated secrets stored here)
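
A pre-start check for the constraints stated on this page, added here as an example and not part of the Termix project. The function name `termix_env_check` and its messages are hypothetical, and the PORT/SSL_PORT collision check is an assumption the page does not state.

```shell
#!/bin/sh
# Added example (not Termix code): pre-start check of the variables on this page.
# Prints one finding per line on stdout and returns 1 if anything was found.
termix_env_check() {
    rc=0
    finding() { printf '%s\n' "$1"; rc=1; }

    # PORT defaults to 4090 and must stay outside 30001-30005.
    port="${PORT:-4090}"
    case "$port" in
        *[!0-9]*) finding "PORT: not a number ($port)" ;;
        *) if [ "$port" -ge 30001 ] && [ "$port" -le 30005 ]; then
               finding "PORT: $port is inside restricted range 30001-30005"
           fi ;;
    esac

    # Assumption (not stated on the page): HTTP and HTTPS listeners need distinct ports.
    if [ "${ENABLE_SSL:-false}" = "true" ] && [ "${SSL_PORT:-8443}" = "$port" ]; then
        finding "SSL_PORT: same value as PORT ($port)"
    fi

    # Env-based OIDC fallback: client ID and secret are both required.
    if [ -n "${OIDC_CLIENT_ID:-}${OIDC_CLIENT_SECRET:-}${OIDC_ISSUER_URL:-}" ]; then
        [ -n "${OIDC_CLIENT_ID:-}" ] || finding "OIDC_CLIENT_ID: required when using OIDC"
        [ -n "${OIDC_CLIENT_SECRET:-}" ] || finding "OIDC_CLIENT_SECRET: required when using OIDC"
        # An empty or "*" allow-list admits every user; with OIDC_ALLOW_REGISTRATION=true
        # each identity the provider authenticates can then create an account.
        if [ "${OIDC_ALLOW_REGISTRATION:-false}" = "true" ]; then
            case ",${OIDC_ALLOWED_USERS:-}," in
                ,,|*,\*,*) finding "OIDC_ALLOWED_USERS: allows all users while registration is enabled" ;;
            esac
        fi
    fi

    # JWT_SECRET, DATABASE_KEY and INTERNAL_AUTH_TOKEN are auto-generated on first
    # startup; a value in the environment is expected only when restoring a backup.
    for name in JWT_SECRET DATABASE_KEY INTERNAL_AUTH_TOKEN; do
        eval "val=\${$name:-}"
        [ -z "$val" ] || finding "$name: set manually (expected only for a backup restore)"
    done
    return "$rc"
}
```

Run it in the same environment the server process will receive and stop the deployment when it returns non-zero.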