Configuration

gladsonsam edited this page Apr 13, 2026 · 5 revisions

Getting started: copy .env.example to .env, edit the required variables, then run docker compose up -d (see Deployment). This page is the full reference for every variable the server understands. For a long copy-paste template (advanced / non-Compose), see Environment template.

Most values can be read from the environment or from *_FILE paths (Docker secrets style), for example UI_PASSWORD_FILE, AGENT_SECRET_FILE, DATABASE_URL_FILE.

Exception: OIDC settings are read from the plain OIDC_* environment variables (not OIDC_*_FILE).

Server (core)

| Variable | Default | Description |
| --- | --- | --- |
| DATABASE_URL | postgres://monitor:monitor@localhost:5432/monitor | PostgreSQL URL. In Compose, the compose file sets this to the db service. |
| LISTEN_ADDR | 0.0.0.0:9000 | Bind address for HTTP and WebSocket. |
| STATIC_DIR | ./static | Built dashboard files (/app/static in Docker). |
| UI_PASSWORD | (unset) | Bootstrap admin password for the first dashboard user when the DB has zero users (backward compatible fallback for ADMIN_PASSWORD). After bootstrap, passwords are stored in Postgres and changes to UI_PASSWORD do not affect existing users. |
| ADMIN_USERNAME | admin | Username for the default bootstrap admin (only used on first run when there are zero dashboard users). |
| ADMIN_PASSWORD | (unset) | Password for the default bootstrap admin (bootstrap only). If unset, UI_PASSWORD is used as a backward-compatible fallback. |
| AGENT_SECRET | (unset) | If set, agents must send this value as the secret query parameter. If unset and ALLOW_INSECURE_AGENT_AUTH is not true, agents are denied. |
| RUST_LOG | info | Tracing log filter. |
| ENFORCE_HTTPS | true | When true, non-health requests need X-Forwarded-Proto: https or wss. Set false for plain HTTP without a proxy. |
| CORS_ORIGINS | (empty) | Comma-separated browser origins. Empty means permissive CORS. |
| COOKIE_SECURE | (see server) | Session cookies use Secure when this is true or X-Forwarded-Proto is https. For plain HTTP, avoid forcing COOKIE_SECURE=true. |

Server (optional behaviour)

| Variable | Default | Description |
| --- | --- | --- |
| ALLOW_INSECURE_DASHBOARD_OPEN | false | If true, allows running without bootstrap admin password vars (ADMIN_PASSWORD / UI_PASSWORD) (insecure). |
| ALLOW_INSECURE_AGENT_AUTH | false | If true, allows agents without AGENT_SECRET (insecure). |
| WOL_MIN_INTERVAL_SECS | 15 | Minimum seconds between Wake-on-LAN per agent (0 = no throttle). |
| ALLOW_REMOTE_SCRIPT_EXECUTION | false | If true, enables remote script endpoints (remote code). |
| DASHBOARD_OPERATOR_NAME | operator | Audit log label for UI actions. |
| EXPOSE_INTERNAL_ERRORS | false | If true, JSON 500 responses may include internal error text. |
| LOG_FORCE_COLOR | | 1 or true for ANSI logs when stderr is not a TTY (e.g. Docker). |
| NO_COLOR | | If set, disables ANSI in logs. |

External notifications (Home Assistant)

To send alert rule matches into Home Assistant as a custom event:

| Variable | Default | Description |
| --- | --- | --- |
| HOME_ASSISTANT_URL | (unset) | Home Assistant base URL, e.g. https://homeassistant.local:8123 |
| HOME_ASSISTANT_ACCESS_TOKEN | (unset) | Long-lived access token (Home Assistant Profile → Security) |
| HOME_ASSISTANT_EVENT_TYPE | sentinel_alert | Event type posted to POST /api/events/<event_type> (must be [a-z0-9_]+) |
| HOME_ASSISTANT_SKIP_TLS_VERIFY | false | If true, disables TLS certificate verification for HA requests (insecure) |
| PUBLIC_BASE_URL | (unset) | When set, used for mDNS / agent discovery (HTTPS or HTTP base URL), Home Assistant deep links, and related hints. Use a LAN-reachable host for mDNS (not localhost). |
| SENTINEL_MDNS_WSS_URL | (unset) | Optional explicit wss://…/ws/agent for mDNS TXT when you do not want derivation from PUBLIC_BASE_URL. |
| SENTINEL_MDNS_PORT | listen port | Advertised SRV port for _sentinel._tcp (e.g. 443 when TLS terminates on 443). |
| SENTINEL_MDNS_ADDRESSES | (auto) | Comma-separated IPs for mDNS A/AAAA if auto-detection picks the wrong interface. |
| SENTINEL_MDNS / SENTINEL_MDNS_DISABLE | on | Set SENTINEL_MDNS=0 or SENTINEL_MDNS_DISABLE=1 to disable mDNS advertisement. |
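
The following is an added example, not code from the Sentinel project or this wiki: a small pre-deployment audit that checks a .env file against the security-relevant defaults in the tables above, including the *_FILE rule and the OIDC exception. The function names and the sample .env are constructed for illustration, and the accepted spellings of "true" are an assumption.

```python
import re

# Flags the page documents as default false and insecure or risky when true.
RISKY_WHEN_TRUE = ("ALLOW_INSECURE_DASHBOARD_OPEN", "ALLOW_INSECURE_AGENT_AUTH",
                   "ALLOW_REMOTE_SCRIPT_EXECUTION", "EXPOSE_INTERNAL_ERRORS",
                   "HOME_ASSISTANT_SKIP_TLS_VERIFY")

def parse_env(text):
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_true(env, key, default="false"):
    # Assumption: "true" or "1" (any case) is true; the page does not specify the parser.
    return env.get(key, default).lower() in {"true", "1"}

def is_set(env, key):
    return bool(env.get(key) or env.get(key + "_FILE"))  # KEY or KEY_FILE, per the page

def audit(env):
    out = [f"{k}=true weakens a documented default" for k in RISKY_WHEN_TRUE if is_true(env, k)]
    if not is_true(env, "ENFORCE_HTTPS", "true"):
        out.append("ENFORCE_HTTPS off: X-Forwarded-Proto https/wss not required")
    if not env.get("CORS_ORIGINS", "").strip():
        out.append("CORS_ORIGINS empty: permissive CORS")
    if not is_set(env, "AGENT_SECRET"):
        out.append("AGENT_SECRET unset: agents denied unless insecure auth is allowed")
    if not (is_set(env, "ADMIN_PASSWORD") or is_set(env, "UI_PASSWORD")):
        out.append("no ADMIN_PASSWORD / UI_PASSWORD for the bootstrap admin")
    event = env.get("HOME_ASSISTANT_EVENT_TYPE", "sentinel_alert")
    if not re.fullmatch(r"[a-z0-9_]+", event):
        out.append(f"HOME_ASSISTANT_EVENT_TYPE={event!r} must match [a-z0-9_]+")
    if any(k.startswith("OIDC_") and k.endswith("_FILE") for k in env):
        out.append("OIDC_*_FILE set: OIDC is read only from plain OIDC_* variables")
    return out

SAMPLE = """\
# Constructed sample .env, not taken from the project.
ADMIN_PASSWORD_FILE=/run/secrets/admin_password
AGENT_SECRET=
ALLOW_INSECURE_AGENT_AUTH=true
ENFORCE_HTTPS=false
HOME_ASSISTANT_EVENT_TYPE=Sentinel-Alert
OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
"""
if __name__ == "__main__": print("\n".join(audit(parse_env(SAMPLE))))
```

An empty result means no setting in the file deviates from the hardened defaults listed above; it does not validate secret strength or reverse-proxy configuration.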

Docker Compose (docker-compose.yml)

The committed compose file uses host networking on Linux for server and does not map 9000 via ports:. Optional Traefik labels and variables (TRAEFIK_HOST, TRAEFIK_ENTRYPOINT, etc.) are not in the repo file; add them locally if you use Traefik (see Deployment → Traefik + mDNS).

OpenID Connect (OIDC) / SSO

Sentinel supports dashboard login via OIDC (Authorization Code flow).

The required environment variables are documented on the OIDC page, including:

  • OIDC_ISSUER_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URL
  • optional OIDC_SCOPES, OIDC_ADMIN_GROUP, OIDC_OPERATOR_GROUP
