Environment variables
ZPA credentials
Required. The backend will not start without these.
| Var | Purpose |
|---|---|
| ZPA_CLIENT_ID | OAuth client ID (ZIdentity) |
| ZPA_CLIENT_SECRET | OAuth client secret |
| ZPA_CUSTOMER_ID | Numeric customer ID |
| ZPA_VANITY | Vanity domain (the part before .zslogin.net) |
| ZPA_IDP | Default IdP ID for SCIM operand resolution |
example.env in the repo root has the empty shape. Copy it to .env, fill it in,
and source it before running the binary.
Identity / proxy trust
| Var | Default | Purpose |
|---|---|---|
| TRUSTED_PROXIES | empty | Comma-separated CIDRs of proxies allowed to set Remote-User, Remote-Email, Remote-Groups, Remote-Name. Anything else gets the headers stripped before any handler sees them. |
In the Docker stack this is set to 172.16.0.0/12,10.0.0.0/8 (covers Docker
bridge networks). On native runs you usually leave it empty - no proxy in
front, no identity headers trusted.
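The stripping rule described above, as an added sketch rather than the project's own code. Go is an assumption about the backend language, and `parseTrustedProxies` and `stripUntrusted` are hypothetical names; only the variable, the header names and the Docker CIDR value come from this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Identity headers listed in the TRUSTED_PROXIES description.
var identityHeaders = []string{"Remote-User", "Remote-Email", "Remote-Groups", "Remote-Name"}

// parseTrustedProxies parses the CIDR list: empty trusts nobody, a bad entry is an error.
func parseTrustedProxies(v string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, s := range strings.Split(v, ",") {
		if s = strings.TrimSpace(s); s == "" {
			continue
		}
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("TRUSTED_PROXIES entry %q: %w", s, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// stripUntrusted deletes identity headers unless the TCP peer (RemoteAddr,
// never a client-supplied X-Forwarded-For) is inside a trusted prefix.
func stripUntrusted(trusted []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok := false
		if ap, err := netip.ParseAddrPort(r.RemoteAddr); err == nil {
			for _, p := range trusted {
				ok = ok || p.Contains(ap.Addr().Unmap()) // Unmap: ::ffff:10.x matches 10.0.0.0/8
			}
		}
		if !ok {
			for _, h := range identityHeaders {
				r.Header.Del(h)
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println(parseTrustedProxies("172.16.0.0/12,10.0.0.0/8")) // Docker stack value from this page
}
```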
Logging
| Var | Default | Purpose |
|---|---|---|
| LOG_DIR | ${XDG_CONFIG_HOME}/painscaler/logs | Where rotated JSONL lands |
| LOG_FILE | painscaler.log | Filename inside LOG_DIR |
| LOG_LEVEL | info | debug / info / warn / error |
| LOG_MAX_SIZE_MB | 50 | Rotate when file exceeds this |
| LOG_MAX_BACKUPS | 10 | Keep this many rotated files |
| LOG_MAX_AGE_DAYS | 30 | Delete rotated files older than this |
| LOG_COMPRESS | true | Gzip rotated files |
Errors are also mirrored to stderr regardless of LOG_LEVEL, so docker logs painscaler-api always surfaces them.
Storage
The simulation history SQLite DB lives at:
${XDG_CONFIG_HOME}/painscaler/runs.db
In the Docker image, XDG_CONFIG_HOME is set to /data, so the actual path
is /data/painscaler/runs.db on the painscaler_data named volume. Logs land
beside it at /data/logs/painscaler.log.
Frontend (build-time)
Vite reads from frontend/.env:
| Var | Purpose |
|---|---|
| VITE_API_BASE | If set, the dev proxy + production fetch base. Default is /api. |
Not env vars, but configuration
- Authelia secrets are generated by make init in deploy/ and live in deploy/secrets/ (mode 600, gitignored). Rotate with make rotate.
- Caddy local CA is generated on first start, persisted in the caddy_data volume. Extract with make ca.