2020-01-01 22:37:59 +01:00
---
2020-01-12 14:11:56 +01:00
title: Configuring your environment
description: Setting environment variables for your Mastodon installation.
2020-01-01 22:37:59 +01:00
menu:
docs:
weight: 30
parent: admin
---
{{< hint style = "warning" > }}
This page is under construction.
{{< / hint > }}
Mastodon uses environment variables as its configuration.
For convenience, it can read them from a flat file called `.env.production` in the Mastodon directory, but they can always be overridden by a specific process. For example, systemd service files can read environment variables from an `EnvironmentFile` or from inline definitions with `Environment` , so you can have different configuration parameters for specific services. They can also be specified when calling Mastodon from the command line.
2020-01-12 14:11:56 +01:00
## Basic {#basic}
2020-01-01 22:37:59 +01:00
2020-01-12 14:11:56 +01:00
### Federation {#federation}
2020-01-01 22:37:59 +01:00
2020-07-25 16:35:41 +02:00
* `LOCAL_DOMAIN` = the domain for which your Mastodon instance has authority. Used to generate `acct:` URIs for Webfinger, which is used to resolve user addresses.
* `WEB_DOMAIN` = the domain used for URLs generated by your Mastodon instance. Includes actor and object URIs for ActivityPub. Do not set this variable unless you know what you are doing.
2020-01-01 22:37:59 +01:00
* `ALTERNATE_DOMAINS`
2020-01-22 20:01:37 +01:00
#### `AUTHORIZED_FETCH` {#authorized_fetch}
When set to `true` , Mastodon will stop inline-signing activities, and will require remote servers to authenticate when fetching public and unlisted toots.
This prevents blocked domains from fetching your public toots, at the cost of possibly increased computations, and broken compatibility with software that does not sign fetch requests (such as Mastodon prior to version 3.0).
Note that this mode cannot guarantee that bad actors do not access your public and unlisted toots, it merely makes it a bit more difficult.
2020-07-25 16:35:41 +02:00
#### `LIMITED_FEDERATION_MODE` {#limited_federation_mode}
When set to `true` , Mastodon will restrict federation to specific servers only, as well as disable public pages and some client APIs. Limited federation mode mode implies authorized fetch mode.
When switching an existing instance to limited federation mode, the following command should be used to remove any already existent data on non-allowed domains:
```
tootctl domain purge --limited-federation-mode
```
2020-01-22 20:01:37 +01:00
#### `WHITELIST_MODE` {#whitelist_mode}
2020-07-25 16:35:41 +02:00
Equivalent to `LIMITED_FEDERATION_MODE` , which it was renamed into after 3.1.4.
Note that, while introduced in Mastodon 3.0, `WHITELIST_MODE` is broken on Mastodon 3.0 and 3.0.1.
2020-01-22 20:01:37 +01:00
2020-01-12 14:11:56 +01:00
### Secrets {#secrets}
2020-01-01 22:37:59 +01:00
* `SECRET_KEY_BASE`
* `OTP_SECRET`
* `VAPID_PRIVATE_KEY`
* `VAPID_PUBLIC_KEY`
2020-01-12 14:11:56 +01:00
### Deployment {#deployment}
2020-01-01 22:37:59 +01:00
* `RAILS_ENV`
* `RAILS_SERVE_STATIC_FILES`
* `RAILS_LOG_LEVEL`
* `TRUSTED_PROXY_IP`
* `SOCKET`
* `PORT`
* `NODE_ENV`
* `BIND`
2020-01-12 14:11:56 +01:00
### Scaling options {#scaling}
2020-01-01 22:37:59 +01:00
* `WEB_CONCURRENCY`
* `MAX_THREADS`
* `PREPARED_STATEMENTS`
* `STREAMING_API_BASE_URL`
* `STREAMING_CLUSTER_NUM`
2020-01-12 14:11:56 +01:00
## Database connections {#connections}
2020-01-01 22:37:59 +01:00
2020-01-12 14:11:56 +01:00
### PostgreSQL {#postgresql}
2020-01-01 22:37:59 +01:00
* `DB_HOST`
* `DB_USER`
* `DB_NAME`
* `DB_PASS`
* `DB_PORT`
* `DATABASE_URL`
2020-01-12 14:11:56 +01:00
### Redis {#redis}
2020-01-01 22:37:59 +01:00
* `REDIS_HOST`
* `REDIS_PORT`
* `REDIS_URL`
* `REDIS_NAMESPACE`
* `CACHE_REDIS_HOST`
* `CACHE_REDIS_PORT`
* `CACHE_REDIS_URL`
* `CACHE_REDIS_NAMESPACE`
2020-01-12 14:11:56 +01:00
### ElasticSearch {#elasticsearch}
2020-01-01 22:37:59 +01:00
* `ES_ENABLED`
* `ES_HOST`
* `ES_PORT`
* `ES_PREFIX`
2020-01-12 14:11:56 +01:00
### StatsD {#statsd}
2020-01-01 22:37:59 +01:00
* `STATSD_ADDR`
* `STATSD_NAMESPACE`
2020-01-12 14:11:56 +01:00
## Limits {#limits}
2020-01-01 22:37:59 +01:00
* `SINGLE_USER_MODE`
2020-07-25 16:35:41 +02:00
* `EMAIL_DOMAIN_ALLOWLIST`
* `EMAIL_DOMAIN_DENYLIST`
2020-01-01 22:37:59 +01:00
* `DEFAULT_LOCALE`
* `MAX_SESSION_ACTIVATIONS`
* `USER_ACTIVE_DAYS`
2020-01-12 14:11:56 +01:00
## E-mail {#email}
2020-01-01 22:37:59 +01:00
* `SMTP_SERVER`
* `SMTP_PORT`
* `SMTP_LOGIN`
* `SMTP_PASSWORD`
* `SMTP_FROM_ADDRESS`
* `SMTP_DOMAIN`
* `SMTP_DELIVERY_METHOD`
* `SMTP_AUTH_METHOD`
* `SMTP_CA_FILE`
* `SMTP_OPENSSL_VERIFY_MODE`
* `SMTP_ENABLE_STARTTLS_AUTO`
* `SMTP_TLS`
2020-07-25 16:35:41 +02:00
* `SMTP_SSL`
2020-01-01 22:37:59 +01:00
2020-01-12 14:11:56 +01:00
## File storage {#cdn}
2020-01-01 22:37:59 +01:00
* `CDN_HOST`
* `S3_ALIAS_HOST`
2020-01-12 14:11:56 +01:00
### Local file storage {#paperclip}
2020-01-01 22:37:59 +01:00
* `PAPERCLIP_ROOT_PATH`
* `PAPERCLIP_ROOT_URL`
2020-01-12 14:11:56 +01:00
### Amazon S3 and compatible {#s3}
2020-01-01 22:37:59 +01:00
* `S3_ENABLED`
* `S3_BUCKET`
* `AWS_ACCESS_KEY_ID`
* `AWS_SECRET_ACCESS_KEY`
* `S3_REGION`
* `S3_PROTOCOL`
* `S3_HOSTNAME`
* `S3_ENDPOINT`
* `S3_SIGNATURE_VERSION`
2020-07-01 02:11:40 +02:00
* `S3_OVERRIDE_PATH_STYLE`
* `S3_OPEN_TIMEOUT`
2020-01-01 22:37:59 +01:00
2020-01-12 14:11:56 +01:00
### Swift {#swift}
2020-01-01 22:37:59 +01:00
* `SWIFT_ENABLED`
* `SWIFT_USERNAME`
* `SWIFT_TENANT`
* `SWIFT_PASSWORD`
* `SWIFT_PROJECT_ID`
* `SWIFT_AUTH_URL`
* `SWIFT_CONTAINER`
* `SWIFT_OBJECT_URL`
* `SWIFT_REGION`
* `SWIFT_DOMAIN_NAME`
* `SWIFT_CACHE_TTL`
2020-01-12 14:11:56 +01:00
## External authentication {#external-authentication}
2020-01-01 22:37:59 +01:00
* `OAUTH_REDIRECT_AT_SIGN_IN`
2020-01-12 14:11:56 +01:00
### LDAP {#ldap}
2020-01-01 22:37:59 +01:00
* `LDAP_ENABLED`
* `LDAP_HOST`
* `LDAP_PORT`
* `LDAP_METHOD`
* `LDAP_BASE`
* `LDAP_BIND_DN`
* `LDAP_PASSWORD`
* `LDAP_UID`
* `LDAP_SEARCH_FILTER`
2020-07-01 02:11:40 +02:00
* `LDAP_MAIL`
* `LDAP_UID_CONVERSTION_ENABLED`
2020-01-01 22:37:59 +01:00
2020-01-12 14:11:56 +01:00
### PAM {#pam}
2020-01-01 22:37:59 +01:00
* `PAM_ENABLED`
* `PAM_EMAIL_DOMAIN`
* `PAM_DEFAULT_SERVICE`
* `PAM_CONTROLLED_SERVICE`
2020-01-12 14:11:56 +01:00
### CAS {#cas}
2020-01-01 22:37:59 +01:00
* `CAS_ENABLED`
* `CAS_URL`
* `CAS_HOST`
* `CAS_PORT`
* `CAS_SSL`
* `CAS_VALIDATE_URL`
* `CAS_CALLBACK_URL`
* `CAS_LOGOUT_URL`
* `CAS_LOGIN_URL`
* `CAS_UID_FIELD`
* `CAS_CA_PATH`
* `CAS_DISABLE_SSL_VERIFICATION`
* `CAS_UID_KEY`
* `CAS_NAME_KEY`
* `CAS_EMAIL_KEY`
* `CAS_NICKNAME_KEY`
* `CAS_FIRST_NAME_KEY`
* `CAS_LAST_NAME_KEY`
* `CAS_LOCATION_KEY`
* `CAS_IMAGE_KEY`
* `CAS_PHONE_KEY`
2020-01-12 14:11:56 +01:00
### SAML {#saml}
2020-01-01 22:37:59 +01:00
* `SAML_ENABLED`
* `SAML_ACS_URL`
* `SAML_ISSUER`
* `SAML_IDP_SSO_TARGET_URL`
* `SAML_IDP_CERT`
* `SAML_IDP_CERT_FINGERPRINT`
* `SAML_NAME_IDENTIFIER_FORMAT`
* `SAML_CERT`
* `SAML_PRIVATE_KEY`
* `SAML_SECURITY_WANT_ASSERTION_SIGNED`
* `SAML_SECURITY_WANT_ASSERTION_ENCRYPTED`
* `SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED`
* `SAML_ATTRIBUTES_STATEMENTS_UID`
* `SAML_ATTRIBUTES_STATEMENTS_EMAIL`
* `SAML_ATTRIBUTES_STATEMENTS_FULL_NAME`
* `SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME`
* `SAML_ATTRIBUTES_STATEMENTS_LAST_NAME`
* `SAML_UID_ATTRIBUTE`
* `SAML_ATTRIBUTES_STATEMENTS_VERIFIED`
* `SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL`
2020-01-12 14:11:56 +01:00
## Hidden services {#hidden-services}
2020-01-01 22:37:59 +01:00
* `http_proxy`
* `ALLOW_ACCESS_TO_HIDDEN_SERVICE`
2020-01-12 14:11:56 +01:00
## Other {#other}
2020-01-01 22:37:59 +01:00
* `SKIP_POST_DEPLOYMENT_MIGRATIONS`
