
Environment Variables

Most day-to-day config of Firezone can (and should) be done via the Firezone Web UI.

For Docker-based deployments, deployment-related or infrastructure-related config of Firezone is done through environment variables passed to the Firezone image upon launch.

Read more about configuring Firezone in our configure guide.

Environment Variable Listing

We recommend setting these in your Docker ENV file ($HOME/.firezone/.env by default). Required fields in bold.

| Name | Description | Format | Default |
|---|---|---|---|
| **EXTERNAL_URL** | The external URL the web UI will be accessible at. Must be a valid FQDN for ACME SSL issuance to function. | String | |
| **ADMIN_EMAIL** | Primary administrator email. | String | |
| **DEFAULT_ADMIN_PASSWORD** | Default password that will be used for creating or resetting the primary administrator account. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **DATABASE_PASSWORD** | Password used to connect to the DB. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **DATABASE_ENCRYPTION_KEY** | The base64-encoded symmetric encryption key used to encrypt and decrypt sensitive fields. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **GUARDIAN_SECRET_KEY** | Secret key used for signing JWTs. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **COOKIE_ENCRYPTION_SALT** | Encryption salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **COOKIE_SIGNING_SALT** | Signing salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **LIVE_VIEW_SIGNING_SALT** | Signing salt for Phoenix LiveView connection tokens. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **SECRET_KEY_BASE** | Primary secret key base for the Phoenix application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| LOCAL_AUTH_ENABLED | Enable or disable the local authentication method for all users. | Boolean | `true` |
| SAML_ENTITY_ID | SAML Entity ID. | String | `urn:firezone.dev:firezone-app` |
| SAML_KEYFILE_PATH | Path to the SAML keyfile inside the container. | String | `/var/firezone/saml.key` |
| SAML_CERTFILE_PATH | Path to the SAML certificate file inside the container. | String | `/var/firezone/saml.crt` |
| DATABASE_HOST | Database host. | IP or hostname | `postgres` |
| DATABASE_PORT | Database port. | Integer | `5432` |
| DATABASE_NAME | Name of database. | String | `firezone` |
| DATABASE_USER | Database user. | String | `postgres` |
| DATABASE_POOL | Size of the Firezone connection pool. | Integer | `10` |
| DATABASE_SSL | Whether to connect to the database over SSL. | Boolean | `false` |
| DATABASE_SSL_OPTS | Map of options to send to the `:ssl_opts` option when connecting over SSL. See the Ecto.Adapters.Postgres documentation. | JSON-encoded String | `{}` |
| DATABASE_PARAMETERS | Map of parameters to send to the `:parameters` option when connecting to the database. See the Ecto.Adapters.Postgres documentation. | JSON-encoded String | `{}` |
| CONNECTIVITY_CHECKS_ENABLED | Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate Endpoint fields. | Boolean | `true` |
| CONNECTIVITY_CHECKS_INTERVAL | Periodicity in seconds to check for egress connectivity. | Integer | `3600` |
| EXTERNAL_TRUSTED_PROXIES | List of trusted reverse proxies. | JSON-encoded array | `[]` |
| MAX_DEVICES_PER_USER | Maximum number of devices to allow per user. | Integer | `10` |
| OUTBOUND_EMAIL_FROM | From address to use for sending outbound emails. If not set, sending email will be disabled (default). | String | |
| OUTBOUND_EMAIL_PROVIDER | Method to use for sending outbound email. If not set, will default to sendmail. See the list of Swoosh Adapters. | String | |
| OUTBOUND_EMAIL_CONFIGS | Email provider-specific config. | JSON-encoded hash of provider config, e.g. `{"gmail": {"access_token": "..."}, "smtp": {"relay": "smtp.example.com"}}`. See the Swoosh docs. | `{}` |
| PHOENIX_PORT | Internal port to listen on for the Phoenix web server. | Integer | `13000` |
| PRIVATE_CLIENTS | List of IPs / CIDRs to consider trusted for purposes of correctly parsing the X-Forwarded-For header. | JSON-encoded list of IPs / CIDRs | `[]` |
| WIREGUARD_IPV4_ADDRESS | Tunnel-side IPv4 address of Firezone. | String | `10.3.2.1` |
| WIREGUARD_IPV4_ENABLED | Enable / disable tunnel-side IPv4 connectivity. | Boolean | `true` |
| WIREGUARD_IPV4_MASQUERADE | Enable / disable IPv4 masquerade. | String | `true` |
| WIREGUARD_IPV4_NETWORK | Tunnel-side IPv4 network to use. | String | `10.3.2.0/24` |
| WIREGUARD_IPV6_ADDRESS | Tunnel-side IPv6 address of Firezone. | String | `fd00::3:2:1` |
| WIREGUARD_IPV6_ENABLED | Enable / disable tunnel IPv6 addresses. | Boolean | `true` |
| WIREGUARD_IPV6_MASQUERADE | Enable / disable IPv6 masquerade. | Boolean | `true` |
| WIREGUARD_IPV6_NETWORK | Tunnel-side IPv6 network to use. | String | `fd00::3:2:0/120` |
| WIREGUARD_ALLOWED_IPS | Default AllowedIPs used in client configs. | Comma-separated list of Strings | `0.0.0.0, ::/0` |
| WIREGUARD_DNS | Default DNS used in client configs. | Comma-separated list of Strings | |
| WIREGUARD_ENDPOINT | Default Endpoint used in client configs. Defaults to the server's public IP if not set. | String | |
| WIREGUARD_MTU | Default MTU used in client configs. | Integer | `1280` |
| WIREGUARD_PERSISTENT_KEEPALIVE | Default persistent keepalive value used in client configs. | Integer | `0` |
| WIREGUARD_PORT | Port to listen on for WireGuard connections. | Integer | `51820` |
| SECURE_COOKIES | Enable or disable requiring secure cookies. Required for HTTPS. | Boolean | `true` |
| TELEMETRY_ENABLED | Enable / disable product telemetry. Read more about what that means here. | Boolean | `true` |
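A pre-flight check for the `.env` file described above, added here as an example and not part of Firezone's own tooling: it verifies that the variables listed without a built-in default are present, that the base64-encoded secrets actually decode, that Boolean fields hold `true`/`false`, and that `EXTERNAL_URL` and `SECURE_COOKIES` are consistent with HTTPS. The function names `fz_get` and `firezone_env_check` are assumptions; the file is read line by line rather than sourced, so a crafted `.env` cannot execute commands during the check.

```shell
#!/usr/bin/env bash
# Pre-flight validation of a Firezone Docker .env file (hypothetical helper, not Firezone tooling).
set -u

# Variables the listing shows without a built-in default; each must be present and non-empty.
FZ_REQUIRED="EXTERNAL_URL ADMIN_EMAIL DEFAULT_ADMIN_PASSWORD DATABASE_PASSWORD DATABASE_ENCRYPTION_KEY GUARDIAN_SECRET_KEY COOKIE_ENCRYPTION_SALT COOKIE_SIGNING_SALT LIVE_VIEW_SIGNING_SALT SECRET_KEY_BASE"
# Variables documented as base64-encoded secrets.
FZ_B64="DATABASE_ENCRYPTION_KEY GUARDIAN_SECRET_KEY COOKIE_ENCRYPTION_SALT COOKIE_SIGNING_SALT LIVE_VIEW_SIGNING_SALT SECRET_KEY_BASE"
# Variables documented as Boolean.
FZ_BOOL="LOCAL_AUTH_ENABLED DATABASE_SSL CONNECTIVITY_CHECKS_ENABLED WIREGUARD_IPV4_ENABLED WIREGUARD_IPV6_ENABLED WIREGUARD_IPV6_MASQUERADE SECURE_COOKIES TELEMETRY_ENABLED"

# Return the last KEY=VALUE line for a name, with surrounding double quotes stripped.
# The file is parsed with sed, never sourced, so its contents are never executed.
fz_get() { # $1 = file, $2 = variable name
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print one line per problem found; return 0 when the file passes, 1 otherwise.
firezone_env_check() {
  local f="$1" rc=0 name val
  for name in $FZ_REQUIRED; do
    val=$(fz_get "$f" "$name")
    [ -n "$val" ] || { echo "missing: $name"; rc=1; }
  done
  for name in $FZ_B64; do
    val=$(fz_get "$f" "$name")
    # A value that does not decode as base64 is not a usable key or salt.
    if [ -n "$val" ] && ! printf '%s' "$val" | base64 -d >/dev/null 2>&1; then
      echo "not base64: $name"; rc=1
    fi
  done
  for name in $FZ_BOOL; do
    val=$(fz_get "$f" "$name")
    case "$val" in ""|true|false) ;; *) echo "not a boolean: $name=$val"; rc=1 ;; esac
  done
  # ACME issuance needs an FQDN served over HTTPS, so a plain http:// URL is flagged.
  val=$(fz_get "$f" EXTERNAL_URL)
  case "$val" in
    ""|https://*) ;;
    *) echo "EXTERNAL_URL is not https: $val"; rc=1 ;;
  esac
  # SECURE_COOKIES defaults to true and is required for HTTPS; flag an explicit false.
  if [ "$(fz_get "$f" SECURE_COOKIES)" = "false" ]; then
    echo "SECURE_COOKIES=false: session cookies would be sent without the Secure flag"; rc=1
  fi
  return "$rc"
}

# Usage: firezone_env_check "$HOME/.firezone/.env"
```

Run it before `docker compose up`; a non-zero exit means the file needs fixing, and the printed lines name each offending variable.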