Environment variables
This is the complete reference. For most installs you only set a handful (see Docker Compose or Helm); everything else has a working default.
How configuration is supplied
edgentia reads configuration the standard .NET way. A double underscore maps to
a config-section separator: Section__Key (env) → Section:Key (config). Arrays are
indexed: Cors__AllowedOrigins__0. Throughout this page the config key
(Auth:Authority) and its env form (Auth__Authority) are interchangeable.
There are three layers:
- Environment variables — the production mechanism (below).
- appsettings.json — ships safe defaults only; never put secrets here.
- Database-backed settings — secrets like broker passwords, the bring-your-own time-series DB connection, LLM API keys and email credentials are not env vars. A platform admin enters them in the UI and they're AES-256-GCM encrypted at rest (see In-app settings).
The Docker Compose .env uses friendly names (SECURITY_ENCRYPTION_KEY, ENTRA_TENANT_ID, POSTGRES_*) that the compose file maps to the Section__Key form. A non-Compose deployment (Helm/bare metal) sets the Section__Key form directly — the Helm chart does this for you from its values.
Mandatory
| Config key (env form) | Notes |
|---|---|
| Security:EncryptionKey (Security__EncryptionKey) | 32-byte base64 (openssl rand -base64 32). The app refuses to start without it — it protects broker/data-store/LLM/email secrets at rest. |
| Persistence:Provider (Persistence__Provider) | Set to Postgres for a real install. The default InMemory loses all data on restart. |
| ConnectionStrings:Postgres (ConnectionStrings__Postgres) | The platform/control-plane database. Required when the provider is Postgres. |
| ASPNETCORE_ENVIRONMENT | Production (the published image's default, and required by it). |
Plus one authentication option — see Microsoft Entra ID or Keycloak.
Optional (with defaults)
App & CORS
| Key | Default | Purpose |
|---|---|---|
| App:BaseUrl (App__BaseUrl) | — | Public SPA URL for absolute "Open in edgentia" links in email. Strongly recommended. |
| Cors:AllowedOrigins:0 (Cors__AllowedOrigins__0, …) | — | Allowed browser origins. Empty + Production ⇒ none, so set your SPA URL. |
Licensing
| Key | Default | Purpose |
|---|---|---|
| EDGENTIA_LICENSE | — | Inline signed .elic installed at first boot (air-gapped). |
| EDGENTIA_LICENSE_FILE | — | Path to a mounted .elic (used when the inline var is unset). |
| License:CheckInUrl (License__CheckInUrl) | — | Optional HTTPS issuer heartbeat (renewal/revocation). No-op when unset (pure offline). |
| License:CheckInIntervalHours | 6 | Heartbeat period when a check-in URL is set. |
Install your license in the UI (Settings → License) or with the vars above.
Runtime pipeline (Runtime:*)
| Key | Default | Purpose |
|---|---|---|
| Runtime:SeedDemoData | true | Seed a demo workspace at startup. Real installs set false (start empty). |
| Runtime:ChannelCapacity | 10000 | Bounded capacity per inter-stage channel (backpressure point). |
| Runtime:EnableMqttBrokers | true | Connect to each workspace's enabled broker connections. |
| Runtime:RetentionSweepMinutes | 60 | How often to prune samples past retention. |
| Runtime:IngestRootSlug | ingest | ISA-95 root for auto-mapped live topics. |
| Runtime:IngestBatchSize | 500 | Max samples per bulk write. |
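As an added example (not part of edgentia's own code or documentation), the following Python preflight script folds Section__Key environment variables into the nested Section:Key tree described under "How configuration is supplied", then checks the Mandatory table, the CORS rule for Production and Runtime:SeedDemoData before a container is started. The sample environment, the placeholder values in it, the function names and the exact check list are assumptions made for illustration; the rules themselves come from the tables above.

```python
import base64
import binascii
from typing import Any

# Constructed sample environment standing in for what the container receives.
# Every value is a placeholder, not a real secret or hostname.
SAMPLE_ENV = {
    "ASPNETCORE_ENVIRONMENT": "Production",
    "Security__EncryptionKey": base64.b64encode(b"\x01" * 32).decode(),
    "Persistence__Provider": "Postgres",
    "ConnectionStrings__Postgres": "Host=db;Database=edgentia;Username=app;Password=PLACEHOLDER",
    "Cors__AllowedOrigins__0": "https://edgentia.example.com",
    "App__BaseUrl": "https://edgentia.example.com",
    "Runtime__SeedDemoData": "false",
}


def env_to_config(env: dict[str, str]) -> dict[str, Any]:
    """Fold Section__Key env vars into the nested Section:Key structure.

    Numeric path segments become array indices, so Cors__AllowedOrigins__0
    turns into {"Cors": {"AllowedOrigins": ["..."]}}. Names without a double
    underscore (ASPNETCORE_ENVIRONMENT) stay top-level.
    """
    tree: dict[str, Any] = {}
    for name, value in env.items():
        parts = name.split("__")
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return _lists_from_indexed(tree)


def _lists_from_indexed(node: Any) -> Any:
    """Recursively turn dicts whose keys are all integers into ordered lists."""
    if not isinstance(node, dict):
        return node
    converted = {k: _lists_from_indexed(v) for k, v in node.items()}
    if converted and all(k.isdigit() for k in converted):
        return [converted[k] for k in sorted(converted, key=int)]
    return converted


def lookup(config: dict[str, Any], key: str) -> Any:
    """Read a Section:Key path (array index segments allowed); None if absent."""
    node: Any = config
    for part in key.split(":"):
        if isinstance(node, list) and part.isdigit():
            idx = int(part)
            node = node[idx] if idx < len(node) else None
        elif isinstance(node, dict):
            node = node.get(part)
        else:
            return None
        if node is None:
            return None
    return node


def preflight(env: dict[str, str]) -> list[str]:
    """Return the problems that would stop the app or weaken the deployment."""
    cfg = env_to_config(env)
    problems: list[str] = []

    # Security:EncryptionKey must be present and decode to exactly 32 bytes.
    key = lookup(cfg, "Security:EncryptionKey")
    if not key:
        problems.append("Security__EncryptionKey is unset; the app refuses to start without it")
    else:
        try:
            raw = base64.b64decode(key, validate=True)
            if len(raw) != 32:
                problems.append(f"Security__EncryptionKey decodes to {len(raw)} bytes, expected 32")
        except (binascii.Error, ValueError):
            problems.append("Security__EncryptionKey is not valid base64")

    # A real install needs Postgres plus its connection string.
    provider = lookup(cfg, "Persistence:Provider")
    if provider != "Postgres":
        problems.append(f"Persistence__Provider is {provider!r}; InMemory loses all data on restart")
    elif not lookup(cfg, "ConnectionStrings:Postgres"):
        problems.append("ConnectionStrings__Postgres is required when the provider is Postgres")

    environment = lookup(cfg, "ASPNETCORE_ENVIRONMENT")
    if environment != "Production":
        problems.append("ASPNETCORE_ENVIRONMENT should be Production for the published image")

    # Empty origins in Production means no browser origin is allowed at all.
    if environment == "Production" and not lookup(cfg, "Cors:AllowedOrigins"):
        problems.append("Cors__AllowedOrigins is empty; in Production no browser origin is allowed")

    # The demo workspace is seeded unless SeedDemoData is explicitly false.
    if str(lookup(cfg, "Runtime:SeedDemoData")).lower() != "false":
        problems.append("Runtime__SeedDemoData is not false; a demo workspace will be seeded")

    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_ENV) or ["preflight passed"]:
        print(problem)
```

Run it against the real container environment by replacing SAMPLE_ENV with `dict(os.environ)`; a non-empty list is a reason not to start the deployment.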
Auth knobs (mode-specific vars are on the auth pages)
| Key | Default | Purpose |
|---|---|---|
| Auth:Mode (Auth__Mode) | Keycloak | Entra selects Entra; anything else is Keycloak. |
| Auth:RequireHttpsMetadata | true | false only for plain-HTTP IdP metadata (e.g. in-cluster Keycloak). |
| Auth:ManagementLevel | 1 | Seeds the user-management level on a fresh DB only (1 = directory + verified members; 2 = + in-app invites, Keycloak only; Entra caps at 1). Afterwards it's admin-editable in Settings. |
Assistant (LLM) & MCP
| Key | Default | Purpose |
|---|---|---|
| Llm:Enabled | false | Master switch for the built-in assistant. |
| Llm:Model | ai/llama3.2 | Default model id. |
| Llm:MaxToolCalls / Llm:MaxTokens | 4 / 1024 | Tool-call iterations / completion tokens per turn. |
| Mcp:Enabled | false | Expose the per-workspace MCP server. |
Per-provider LLM connections + API keys are configured in the UI, not here.
In-app settings (not environment variables)
A platform admin configures these at runtime in Settings; they're stored in Postgres and encrypted at rest where marked. They are deliberately not env vars so tenants manage them without redeploying.
| Setting | Scope | Secret encrypted? |
|---|---|---|
| Assistant master switch | Platform | — |
| LLM connections (provider, base URL, model, API key) | Platform | ✅ |
| Email delivery (SMTP or Microsoft Graph) | Platform | ✅ |
| MQTT broker connections | Workspace | ✅ password |
| Data store (bring-your-own time-series DB + retention) | Workspace | ✅ connection string |
| Audit configuration | Platform | — |
| User-management level | Platform | — |
| License install | Platform | — |
| API keys & external read-exposure | Workspace | ✅ key (hashed) |