Configuration Reference
All configuration lives in /opt/tronexus/.env · File is chmod 600 — never commit it
Overview
The entire Tronexus stack is configured through a single .env file. The installer generates this file from your wizard answers, with secrets auto-generated. You can edit it manually at any time — restart the affected service afterwards.
```bash
cd /opt/tronexus
# Edit configuration
nano .env
# Restart all services
docker compose restart
# Restart a specific service
docker compose restart auth
```
Security: The .env file contains secrets. It is chmod 600 by default. Never commit it to version control. The .gitignore excludes it.
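An audit of the checks this page implies for /opt/tronexus/.env, as an added example (not part of the Tronexus installer or its documentation): it verifies the file mode, that the secrets named in the tables on this page are present, and that the n8n and Ollama toggles have their companion values. The function names, the 32-character threshold and the SAMPLE content are assumptions made for this example.

```python
import os
import stat
import sys

# Secrets the tables on this page mark as auto-generated or "strong random value".
SECRET_KEYS = ("POSTGRES_PASSWORD", "AUTH_JWT_SECRET", "LITELLM_MASTER_KEY",
               "WEBUI_SECRET_KEY", "N8N_ENCRYPTION_KEY", "PGADMIN_DEFAULT_PASSWORD")
MIN_SECRET_LEN = 32  # assumption: audit threshold chosen here, not a Tronexus rule
# Constructed sample, not a real Tronexus file.
SAMPLE = "POSTGRES_PASSWORD=changeme\nN8N_BASIC_AUTH_ACTIVE=true\nOLLAMA_REMOTE=true\n"

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks/comments, strip one layer of quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def audit(env, mode):
    """Return findings for parsed variables `env` and permission bits `mode`."""
    findings = []
    if mode & 0o077:  # any group/other bit set
        findings.append(f"mode {mode:03o}: accessible beyond the owner, expected 600")
    for key in SECRET_KEYS:
        if len(env.get(key, "")) < MIN_SECRET_LEN:
            findings.append(f"{key}: missing or shorter than {MIN_SECRET_LEN} characters")
    if env.get("AUTH_JWT_ALGORITHM", "HS256").lower() == "none":
        findings.append("AUTH_JWT_ALGORITHM: 'none' disables token signing")
    enabled = lambda k: env.get(k, "false").lower() == "true"
    if enabled("N8N_BASIC_AUTH_ACTIVE") and not env.get("N8N_BASIC_AUTH_PASSWORD"):
        findings.append("N8N_BASIC_AUTH_PASSWORD: empty while basic auth is enabled")
    if enabled("OLLAMA_REMOTE") and not env.get("OLLAMA_REMOTE_URL"):
        findings.append("OLLAMA_REMOTE_URL: empty while OLLAMA_REMOTE=true")
    return findings

def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit(parse_env(fh.read()), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(parse_env(SAMPLE), 0o644)
    print("\n".join(findings) or "no findings")
```

The 32-character floor matches the 256-bit minimum key size RFC 7518 sets for HS256; applying it to the other secrets is this example's choice. Pass the path to the real file as the first argument to audit it instead of the sample.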
General
| Variable | Example | Description |
| --- | --- | --- |
| TRONEXUS_DOMAIN | yourdomain.com | Base domain for all services. All subdomains derive from this value. |
| TZ | Europe/Amsterdam | Timezone used by n8n, monitoring, and log timestamps. Use tz database format. |
Postgres
| Variable | Example | Description |
| --- | --- | --- |
| POSTGRES_USER | tronexus | Database superuser. Used by all services that connect to Postgres. |
| POSTGRES_PASSWORD | •••••••• | Database password. Use a strong random value. Auto-generated by installer. |
| POSTGRES_DB | tronexus | Default database name. Set automatically by installer. |
Multiple databases: Tronexus Auth creates its own auth database automatically on first start. You do not need to create it manually.
Auth API
| Variable | Default | Description |
| --- | --- | --- |
| AUTH_GOOGLE_CLIENT_ID | — | Google OAuth client ID. From Google Cloud Console → APIs & Services → Credentials. |
| AUTH_GOOGLE_CLIENT_SECRET | — | Google OAuth client secret. |
| AUTH_JWT_SECRET | auto-generated | Secret used to sign JWT access tokens. Rotate only if you need to invalidate all sessions. |
| AUTH_JWT_ALGORITHM | HS256 | JWT signing algorithm. HS256 is recommended for self-hosted use. |
| AUTH_ACCESS_TOKEN_EXPIRE_MINUTES | 15 | Access token lifetime in minutes. Short is safer — clients should refresh proactively. |
| AUTH_REFRESH_TOKEN_EXPIRE_DAYS | 30 | Refresh token lifetime in days. Refresh tokens rotate on each use. |
| AUTH_API_BASE_URL | https://auth-api.yourdomain.com | Public base URL of the Auth API. Used to build OAuth redirect URIs. |
| AUTH_DB_NAME | auth | Postgres database name for the Auth API. Created automatically on first start. |
| AUTH_APP_ID | set by bootstrap | Default app UUID. Written to .env by the bootstrap script. |
| AUTH_RATE_LIMIT_WINDOW | 60 | Rate limiting window in seconds. |
| AUTH_RATE_LIMIT_MAX | 20 | Maximum requests per IP per window. |
| AUTH_LOCKOUT_ATTEMPTS | 10 | Number of rate limit violations before IP lockout. |
| AUTH_LOCKOUT_SECONDS | 900 | IP lockout duration in seconds (15 minutes). |
Redis
| Variable | Default | Description |
| --- | --- | --- |
| REDIS_HOST | tronexus-redis | Redis hostname. Resolves via Docker network. Do not change unless running Redis externally. |
| REDIS_PORT | 6379 | Redis port. Default is standard Redis port. |
Redis is internal-only. No external port is exposed. It stores rate limiting counters and OAuth state tokens with TTLs.
Ollama
| Variable | Default | Description |
| --- | --- | --- |
| OLLAMA_REMOTE | false | Set to true to disable the local Ollama container and use a remote inference server instead. |
| OLLAMA_REMOTE_URL | — | URL of the remote Ollama instance (e.g. http://192.168.1.x:11434). Only used when OLLAMA_REMOTE=true. |
| OLLAMA_DEFAULT_MODEL | mistral:7b-instruct-q4_K_M | Default model for the monitoring script's AI summary. Must be pulled first. |
LiteLLM
| Variable | Default | Description |
| --- | --- | --- |
| LITELLM_MASTER_KEY | auto-generated | Master API key for LiteLLM. Used by Open WebUI and other services to authenticate with the proxy. |
| OPENAI_API_KEY | — | Optional. Enables routing to OpenAI models via LiteLLM. |
| ANTHROPIC_API_KEY | — | Optional. Enables routing to Anthropic Claude models. |
| AWS_ACCESS_KEY_ID | — | Optional. For AWS Bedrock model access. |
| AWS_SECRET_ACCESS_KEY | — | Optional. For AWS Bedrock model access. |
Open WebUI
| Variable | Default | Description |
| --- | --- | --- |
| WEBUI_SECRET_KEY | auto-generated | Secret key for Open WebUI session signing. Changing this invalidates all active sessions. |
n8n
| Variable | Default | Description |
| --- | --- | --- |
| N8N_ENCRYPTION_KEY | auto-generated | Key used to encrypt stored credentials in n8n. Do not change after initial setup — it will break existing credentials. |
| N8N_BASIC_AUTH_ACTIVE | false | Enable HTTP basic auth on the n8n UI. Set to true if you need additional access control. |
| N8N_BASIC_AUTH_USER | admin | Username for n8n basic auth. |
| N8N_BASIC_AUTH_PASSWORD | — | Password for n8n basic auth. |
pgAdmin
| Variable | Example | Description |
| --- | --- | --- |
| PGADMIN_DEFAULT_EMAIL | [email protected] | Login email for the pgAdmin web interface. |
| PGADMIN_DEFAULT_PASSWORD | auto-generated | Login password for pgAdmin. |
Monitoring
| Variable | Example | Description |
| --- | --- | --- |
| TELEGRAM_BOT_TOKEN | 1234567890:AAF... | Bot token from @BotFather on Telegram. Required for monitoring alerts. |
| TELEGRAM_CHAT_ID | 123456789 | Your Telegram chat ID. Get it from @userinfobot. |
| INFERENCE_HOST | 192.168.1.x | IP of remote inference server. Used by monitoring for health checks. |
The monitoring script runs daily at 18:00 via cron and sends a Telegram message with an AI-generated summary of server health. To change the schedule:
```bash
crontab -e
# Change: 0 18 * * * to your preferred schedule
```
Adding Models to LiteLLM
Edit /opt/tronexus/litellm/config.yaml to add models:
```yaml
model_list:
  # Local Ollama model
  - model_name: mistral
    litellm_params:
      model: ollama/mistral:7b-instruct-q4_K_M
      api_base: http://tronexus-ollama:11434
  # OpenAI (requires OPENAI_API_KEY in .env)
  - model_name: gpt-4o
    litellm_params:
      model: gpt-4o
      api_key: os.environ/OPENAI_API_KEY
  # Anthropic Claude (requires ANTHROPIC_API_KEY in .env)
  - model_name: claude-sonnet
    litellm_params:
      model: anthropic/claude-sonnet-4-20250514
      api_key: os.environ/ANTHROPIC_API_KEY
```
After editing, restart LiteLLM:
```bash
cd /opt/tronexus && docker compose restart litellm
```