
Overview

All ondoki configuration is done via environment variables. Copy .env.example to .env and customize for your deployment.

Core

| Variable | Required | Default | Description |
|---|---|---|---|
| ENVIRONMENT | | local | Environment mode: local, staging, production, test |
| DOMAIN | Production | localhost | Domain for Caddy HTTPS (e.g., app.ondoki.com) |

Database

| Variable | Required | Default | Description |
|---|---|---|---|
| POSTGRES_USER | Yes | postgres | PostgreSQL username |
| POSTGRES_PASSWORD | Yes | postgres | PostgreSQL password |
| POSTGRES_DB | | ondoki | Database name |
| DATABASE_URL | | (auto-composed) | Full async connection string. Format: postgresql+asyncpg://user:pass@host:5432/db |

Security

| Variable | Required | Default | Description |
|---|---|---|---|
| JWT_SECRET | Yes | | JWT signing key. Generate: openssl rand -hex 32 |
| ONDOKI_ENCRYPTION_KEY | Yes | | Fernet key for encrypting API keys at rest. Generate: make generate-key |

Never reuse these keys across environments. If you lose the encryption key, MCP API keys stored in the database cannot be decrypted and must be regenerated.

Redis

| Variable | Required | Default | Description |
|---|---|---|---|
| REDIS_URL | | redis://redis:6379/0 | Redis connection string |
| REDIS_PASSWORD | Production | | Redis password (set in production) |

Celery (Media Worker)

| Variable | Required | Default | Description |
|---|---|---|---|
| CELERY_BROKER_URL | | redis://redis:6379/1 | Celery broker connection (Redis DB 1) |
| CELERY_RESULT_BACKEND | | redis://redis:6379/1 | Celery result backend |

CORS & Frontend

| Variable | Required | Default | Description |
|---|---|---|---|
| FRONTEND_URL | Production | http://localhost:5173 | Frontend URL for CORS, email links, OAuth callbacks |
| CORS_ORIGINS | Production | http://localhost:5173,ondoki:// | Comma-separated allowed origins |
| CORS_ORIGIN_REGEX | | | Regex pattern for CORS origin matching (e.g., ^https://.*\.ondoki\.com$) |
| ALLOWED_ORIGINS | | | Additional allowed origins for CSRF checks (comma-separated) |

Services

| Variable | Required | Default | Description |
|---|---|---|---|
| GOTENBERG_URL | | http://gotenberg:3000 | Gotenberg PDF generation service URL |

SMTP (Email)

| Variable | Required | Default | Description |
|---|---|---|---|
| SR_SMTP_HOST | | (empty) | SMTP host. Leave empty to disable email |
| SR_SMTP_PORT | | 587 | SMTP port |
| SR_SMTP_USER | | | SMTP username |
| SR_SMTP_PASS | | | SMTP password |
| SR_FROM_EMAIL | | [email protected] | Sender email address |

Email is used for account verification and password reset. When SR_SMTP_HOST is empty, email features are disabled and users are auto-verified on registration.

Storage

| Variable | Required | Default | Description |
|---|---|---|---|
| storage_type | | local | Storage backend: local or s3 |
| local_storage_path | | ./storage/recordings | Path for local file storage |
| UPLOAD_DIR | | ./uploads | Directory for general file uploads |

S3 Storage (when storage_type=s3)

| Variable | Required | Default | Description |
|---|---|---|---|
| S3_BUCKET | | | S3 bucket name |
| S3_REGION | | | AWS region |
| S3_ENDPOINT | | | S3 endpoint URL |
| S3_ACCESS_KEY | | | AWS access key |
| S3_SECRET_KEY | | | AWS secret key |

AI / LLM

LLM settings can also be configured from the Project Settings → AI/LLM page. UI settings take priority over environment variables.

| Variable | Required | Default | Description |
|---|---|---|---|
| ONDOKI_LLM_PROVIDER | | | LLM provider: openai, anthropic, ollama, copilot, custom |
| ONDOKI_LLM_API_KEY | | | API key for the chosen provider |
| ONDOKI_LLM_MODEL | | | Model name (e.g., gpt-4o, claude-sonnet-4-20250514) |
| ONDOKI_LLM_BASE_URL | | | Base URL (required for ollama and custom providers) |

PII Protection

SendCloak

| Variable | Required | Default | Description |
|---|---|---|---|
| SENDCLOAK_ENABLED | | false | Enable PII obfuscation before AI requests |
| SENDCLOAK_URL | | http://sendcloak:9090 | SendCloak service URL |
| SENDCLOAK_STRATEGY | | semantic | Obfuscation strategy |

DataVeil

| Variable | Required | Default | Description |
|---|---|---|---|
| DATAVEIL_ENABLED | | false | Enable DataVeil privacy proxy |
| DATAVEIL_URL | | | DataVeil service URL |

Presidio

| Variable | Required | Default | Description |
|---|---|---|---|
| PRESIDIO_LANG_PACK | | en | Language pack: en (English) or eu (English + German + French + Spanish + Italian) |
| PRESIDIO_LANGUAGE | | en | Default analysis language |

Video / Media Processing

| Variable | Required | Default | Description |
|---|---|---|---|
| OPENAI_API_KEY | | | API key for Whisper transcription |
| WHISPER_MODEL | | base | Whisper model size: base, small, medium, large |
| ONDOKI_UPLOAD_DIR | | /data/uploads/videos | Video upload directory (media worker) |

Generating Secrets

# JWT secret
openssl rand -hex 32

# Encryption key
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# Or use the Makefile:
make generate-key

# Strong password
openssl rand -base64 24
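
A pre-deployment check for the variables documented on this page, added here as an example and not part of ondoki itself. The function names, the 64-character minimum for JWT_SECRET (the length `openssl rand -hex 32` prints), the set of checks and the sample .env are assumptions made for illustration; it uses only the Python standard library.

```python
import base64

# Constructed sample: a production .env that still carries development defaults.
SAMPLE_ENV = """\
ENVIRONMENT=production
DOMAIN=app.ondoki.com
POSTGRES_PASSWORD=postgres
JWT_SECRET=changeme
ONDOKI_ENCRYPTION_KEY=not-a-fernet-key
FRONTEND_URL=https://app.ondoki.com
CORS_ORIGINS=http://localhost:5173,ondoki://
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_fernet_key(value):
    """A Fernet key is URL-safe base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(value.encode())) == 32
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return False

def check_env(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(env.get("JWT_SECRET", "")) < 64:  # assumed minimum, see lead-in
        findings.append("JWT_SECRET is missing or shorter than 64 characters")
    if not is_fernet_key(env.get("ONDOKI_ENCRYPTION_KEY", "")):
        findings.append("ONDOKI_ENCRYPTION_KEY is not a valid Fernet key")
    if env.get("ENVIRONMENT", "local") != "production":
        return findings  # the remaining checks apply to production only
    if env.get("POSTGRES_PASSWORD", "postgres") == "postgres":
        findings.append("POSTGRES_PASSWORD is still the default")
    for name in ("DOMAIN", "REDIS_PASSWORD", "FRONTEND_URL", "CORS_ORIGINS"):
        if not env.get(name):
            findings.append(f"{name} must be set in production")
    if "localhost" in env.get("CORS_ORIGINS", ""):
        findings.append("CORS_ORIGINS still allows a localhost origin")
    return findings

if __name__ == "__main__":
    print("\n".join(check_env(parse_env(SAMPLE_ENV))))
```

Run against the real file with `check_env(parse_env(open(".env").read()))` and fail the deployment when the returned list is not empty.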