arizuko › reference › environment variables
Every env var read by an arizuko Go or TypeScript daemon, with the file:line that reads it, type, default, and one-line effect. Generated from a grep of os.Getenv, chanlib.EnvOr/EnvInt/EnvBool/EnvBytes/EnvDur/MustEnv, and process.env[] across the repo. Test-only env vars omitted.
chanlib.EnvOr(k, d) returns d when the env var is empty or unset. chanlib.MustEnv(k) calls os.Exit(1) if unset. chanlib.EnvDur(k, d) reads integer milliseconds (legacy encoding) — not Go duration strings. Adapter LISTEN_ADDR code-defaults vary per daemon, but every service TOML in template/services/ pins :8080; the multi-daemon local-dev numbers (9001–9010) appear here only because that's what the source defaults to.
core.LoadConfig
These are read in core/config.go through chanlib.EnvOr / EnvInt / EnvDur and the resolveTimezone() helper. Every daemon that calls core.LoadConfig() (gated, onbod, webd, …) inherits this surface.
Listening port for gated's HTTP API.
| Read by | core / core/config.go:135 → gated |
|---|---|
| Type | int |
| Default | 8080 |
| Example | 8080 |
Dev mode — allows empty CHANNEL_SECRET and bind-mounts ant/src into spawned agent containers for live-reload of the in-container runner.
| Read by | core / core/config.go:168, container / container/runner.go:498 |
|---|---|
| Type | bool ("true" or "1") |
| Default | unset = production mode |
| Example | 1 |
Bot display name and mention trigger; also baked into the data-dir basename and compose container_name. Must contain no whitespace or shell metachars.
| Read by | core / core/config.go:102, webd / webd/main.go:42, teled / teled/main.go:63, discd / discd/main.go:70, whapd / whapd/src/main.ts:41 |
|---|---|
| Type | string |
| Default | Andy (core); assistant in webd; empty in teled/discd |
| Example | Andy |
Public base URL used to build OAuth redirect callbacks and onboarding invite links. HTTPS prefix toggles secure-cookie flag.
| Read by | core / core/config.go:115 |
|---|---|
| Type | URL |
| Default | "" |
| Example | https://krons.arizuko.com |
HMAC key for OAuth JWT mint/verify.
| Read by | core / core/config.go:113 |
|---|---|
| Type | string (hex/random) |
| Default | "" |
| Example | a3f1...c0de |
Bearer secret authenticating adapter ↔ gated traffic. Required in production; empty allowed only with ARIZUKO_DEV. Individual adapters can override per platform with <DAEMON>_CHANNEL_SECRET (e.g. SLAKD_CHANNEL_SECRET). gated binds whatever bearer the adapter registers with to that channel record, so a leaked per-platform secret does not compromise the others. See specs/6/H.
| Read by | core / core/config.go:136, webd / webd/main.go:39, teled / teled/main.go:60, discd / discd/main.go:67, mastd / mastd/main.go:56, bskyd / bskyd/main.go:57, reditd / reditd/main.go:72, emaid / emaid/main.go:63, linkd / linkd/main.go:65, slakd / slakd/main.go:60, whapd / whapd/src/main.ts:155, twitd / twitd/src/main.ts:42 |
|---|---|
| Type | string |
| Default | "" (refuses to start unless ARIZUKO_DEV set) |
| Example | e8c2...4b9a |
Docker image used to spawn per-group agent containers.
| Read by | core / core/config.go:107 |
|---|---|
| Type | string |
| Default | arizuko-ant:latest |
| Example | arizuko-ant:v0.35.0 |
Hard kill timeout per agent run, in milliseconds.
| Read by | core / core/config.go:108 |
|---|---|
| Type | int (milliseconds, via EnvDur) |
| Default | 3600000 (60 min) |
| Example | 1800000 |
Crackbox admin HTTP base URL. Non-empty enables egress isolation; gated requires EGRESS_NETWORK_PREFIX + EGRESS_CRACKBOX when set.
| Read by | core / core/config.go:158, compose / compose/compose.go:258 |
|---|---|
| Type | URL |
| Default | "" (egress isolation off) |
| Example | http://crackbox:3129 |
Bearer token for crackbox admin API mutations. Sent by gated as the egress controller; consumed by crackbox.
| Read by | core / core/config.go:161, crackbox host / crackbox/pkg/host/host.go:105 |
|---|---|
| Type | string |
| Default | "" |
| Example | 7f...22 |
Value injected as HTTPS_PROXY / HTTP_PROXY into every agent container.
| Read by | core / core/config.go:159 |
|---|---|
| Type | URL |
| Default | http://crackbox:3128 |
| Example | http://crackbox:3128 |
Root of this instance's data directory (store/, groups/, ipc/, web/). When set in compose, also passes through to dashd, timed, and several adapters as their working/storage root.
| Read by | core / core/config.go:99, dashd / dashd/main.go:67, timed / timed/main.go:26, teled / teled/main.go:54, bskyd / bskyd/main.go:60, reditd / reditd/main.go:75, emaid / emaid/main.go:66, linkd / linkd/main.go:68, whapd / whapd/src/main.ts:42, twitd / twitd/src/main.ts:28 |
|---|---|
| Type | path |
| Default | cwd (core); /srv/data/<daemon> per adapter |
| Example | /srv/data/arizuko_krons |
OAuth client id for the Discord login provider in proxyd's auth flow (distinct from the bot token used by discd).
| Read by | core / core/config.go:118 |
|---|---|
| Type | string |
| Default | "" |
| Example | 1234567890 |
OAuth client secret for the Discord login provider.
| Read by | core / core/config.go:119 |
|---|---|
| Type | string |
| Default | "" |
| Example | abc...def |
Container name of the crackbox proxy; gated attaches it to every per-folder docker network.
| Read by | core / core/config.go:157, compose generation / compose/compose.go:266 |
|---|---|
| Type | string |
| Default | "" (compose generation derives <app>_crackbox_<flavor>) |
| Example | arizuko_crackbox_krons |
Docker network name prefix; per-folder networks created as <prefix>_<folder>.
| Read by | core / core/config.go:156, compose generation / compose/compose.go:259 |
|---|---|
| Type | string |
| Default | "" (compose generation derives arizuko_<flavor>) |
| Example | arizuko_krons |
Parent CIDR carved into per-folder /24s for egress networks.
| Read by | core / core/config.go:160 |
|---|---|
| Type | CIDR string |
| Default | 10.99.0.0/16 |
| Example | 10.42.0.0/16 |
If set, restricts GitHub OAuth sign-in to members of this org.
| Read by | core / core/config.go:123 |
|---|---|
| Type | string |
| Default | "" |
| Example | kronael |
OAuth client id for the GitHub login provider.
| Read by | core / core/config.go:116 |
|---|---|
| Type | string |
| Default | "" |
| Example | Iv1.abc123 |
OAuth client secret for the GitHub login provider.
| Read by | core / core/config.go:117 |
|---|---|
| Type | string |
| Default | "" |
| Example | ghs_xxxxx |
CSV allowlist of email addresses permitted to complete Google OAuth.
| Read by | core / core/config.go:122 |
|---|---|
| Type | CSV string |
| Default | "" |
| Example | alice@example.com,bob@example.com |
OAuth client id for the Google login provider.
| Read by | core / core/config.go:120 |
|---|---|
| Type | string |
| Default | "" |
| Example | abc.apps.googleusercontent.com |
OAuth client secret for the Google login provider.
| Read by | core / core/config.go:121 |
|---|---|
| Type | string |
| Default | "" |
| Example | GOCSPX-xxx |
Path on the host that contains the arizuko binaries and ant/src; used when bind-mounting the dev runner.
| Read by | core / core/config.go:101, compose / compose/compose.go:461 |
|---|---|
| Type | path |
| Default | directory of the running executable |
| Example | /home/onvos/app/arizuko |
Host path bind-mounted into agent containers at /home/node/.codex so the oracle skill can reuse the operator's codex login state.
| Read by | core / core/config.go:133 |
|---|---|
| Type | path |
| Default | "" (mount disabled; falls back to CODEX_API_KEY/OPENAI_API_KEY folder secrets) |
| Example | /home/onvos/.codex |
Host-side path used when constructing volume mounts for spawned containers. Differs from DATA_DIR only when arizuko runs inside a container itself.
| Read by | core / core/config.go:100 |
|---|---|
| Type | path |
| Default | DATA_DIR |
| Example | /srv/data/arizuko_krons |
How long an idle agent container is kept around before recycling, in milliseconds.
| Read by | core / core/config.go:109 |
|---|---|
| Type | int (milliseconds) |
| Default | 3600000 (60 min) |
| Example | 600000 |
Max agent containers running at once before gated queues spawns.
| Read by | core / core/config.go:110 |
|---|---|
| Type | int |
| Default | 5 |
| Example | 10 |
Enables inbound media download and forwarding to the agent. Adapters fall back to URL-only references when off.
| Read by | core / core/config.go:143 |
|---|---|
| Type | bool ("true") |
| Default | false |
| Example | true |
Per-attachment byte cap on inbound media; adapter ProxyFile streams up to this size before truncation.
| Read by | core / core/config.go:144, teled / teled/main.go:65, discd / discd/main.go:71, mastd / mastd/main.go:59, bskyd / bskyd/main.go:61, reditd / reditd/main.go:76, emaid / emaid/main.go:67, slakd / slakd/main.go:63 |
|---|---|
| Type | int (bytes) |
| Default | 20971520 (20 MiB) |
| Example | 52428800 |
Master switch for the onboarding flow. Affects both gateway behaviour and whether compose generates the onbod service.
| Read by | core / core/config.go:137, onbod / onbod/main.go:55 ("0" → exit 0), compose / compose/compose.go:326 |
|---|---|
| Type | bool (core: "true"; onbod: "0" disables) |
| Default | false |
| Example | true |
CSV of platforms (e.g. telegram,discord) for which onboarding admissions are enabled.
| Read by | core / core/config.go:138 |
|---|---|
| Type | CSV string |
| Default | "" |
| Example | telegram,whatsapp |
How many trailing #observe-mode messages the gateway folds into context when a trigger turn fires. Per-route override via routes.observe_window_messages.
| Read by | core / core/config.go:151, gateway / gateway/gateway.go:1814 |
|---|---|
| Type | int |
| Default | 10 |
| Example | 25 |
Character cap on the #observe context window for a single trigger turn. Per-route override via routes.observe_window_chars.
| Read by | core / core/config.go:152, gateway / gateway/gateway.go:1815 |
|---|---|
| Type | int (chars) |
| Default | 4000 |
| Example | 8000 |
How long a (chat, topic) stays “engaged” after the bot’s last reply. Engaged pairs fire a turn on every inbound message without needing a fresh @mention, and override #observe routing. TTL is sliding — reset on each user or bot message while engaged. See engagement.
| Read by | core / core/config.go:182 → gated |
|---|---|
| Type | duration (e.g. 10m, 30m) |
| Default | 10m |
| Example | 30m |
CSV of channel names where outbound sends are dropped (read-only mode).
| Read by | core / core/config.go:140 |
|---|---|
| Type | CSV string |
| Default | "" |
| Example | mastodon,bluesky |
CSV of group folders where outbound sends are dropped (read-only mode).
| Read by | core / core/config.go:141 |
|---|---|
| Type | CSV string |
| Default | "" |
| Example | solo/inbox,corp/eng |
Bot token for the Telegram channel adapter.
| Read by | core / core/config.go:106, teled / teled/main.go:58 (MustEnv) |
|---|---|
| Type | string |
| Default | "" (teled refuses to start) |
| Example | 12345:ABC-DEF1234ghIkl-zyx57W2v1u123ew11 |
OpenAI-compatible /v1/audio/speech base URL the agent's send_voice path hits.
| Read by | core / core/config.go:151 |
|---|---|
| Type | URL |
| Default | http://ttsd:8880 |
| Example | http://ttsd:8880 |
Enables TTS rendering of agent replies as voice messages.
| Read by | core / core/config.go:150 |
|---|---|
| Type | bool ("true") |
| Default | false |
| Example | true |
Default model name passed in the TTS request body.
| Read by | core / core/config.go:153 |
|---|---|
| Type | string |
| Default | kokoro |
| Example | kokoro |
Per-request timeout when calling the TTS backend, in milliseconds.
| Read by | core / core/config.go:154 |
|---|---|
| Type | int (milliseconds) |
| Default | 15000 (15 s) |
| Example | 30000 |
Instance-default voice id; agent may override per-call via send_voice args or per-group via PERSONA.md frontmatter.
| Read by | core / core/config.go:152 |
|---|---|
| Type | string |
| Default | af_bella |
| Example | af_sky |
IANA timezone for log timestamps, cron evaluation in timed, and Config.Timezone consumers.
| Read by | core / core/config.go:192, timed / timed/main.go:36, compose / compose/compose.go:490 |
|---|---|
| Type | string (IANA name) |
| Default | UTC |
| Example | Europe/Bratislava |
Enables Whisper transcription of inbound video.
| Read by | core / core/config.go:147 |
|---|---|
| Type | bool ("true") |
| Default | false |
| Example | true |
Enables Whisper transcription of inbound voice messages.
| Read by | core / core/config.go:146 |
|---|---|
| Type | bool ("true") |
| Default | false |
| Example | true |
Public hostname the instance serves; used to build chat-link, webhook, and onboarding URLs in agent prompts.
| Read by | core / core/config.go:114 |
|---|---|
| Type | string |
| Default | "" |
| Example | krons.arizuko.com |
Base URL of the Whisper-compatible transcription endpoint.
| Read by | core / core/config.go:145 |
|---|---|
| Type | URL |
| Default | http://localhost:8080 |
| Example | http://whisper:9000 |
Model name passed to Whisper.
| Read by | core / core/config.go:148 |
|---|---|
| Type | string |
| Default | turbo |
| Example | large-v3 |
Forwarded into every spawned agent container as part of the base secrets bundle so Claude Code can authenticate.
| Read by | container / container/runner.go:617 |
|---|---|
| Type | string |
| Default | not forwarded if unset |
| Example | sk-ant-... |
Alternative auth for Claude Code; forwarded into the container alongside ANTHROPIC_API_KEY.
| Read by | container / container/runner.go:617 |
|---|---|
| Type | string |
| Default | not forwarded if unset |
| Example | cc-oauth-... |
Controls verbose container-run logging in gated (debug/trace dump full stderr + mounts after every spawn) and the ttsd log level.
| Read by | container / container/runner.go:891, ttsd / ttsd/main.go:33 |
|---|---|
| Type | string (debug/info/warn/error/trace) |
| Default | not set (concise logging; info in ttsd) |
| Example | debug |
Dev override that lets channel adapters register with public IPs. By default chanreg rejects non-private adapter URLs as SSRF risk.
| Read by | chanreg / chanreg/chanreg.go:222 |
|---|---|
| Type | bool ("1") |
| Default | unset = enforce private-only |
| Example | 1 |
(cmd/arizuko)
Override the base directory used to construct instance data paths. When set, instance dir is $ARIZUKO_DATA_DIR/arizuko_<name>.
| Read by | cli / cmd/arizuko/main.go:151 |
|---|---|
| Type | path |
| Default | "" (falls back to PREFIX) |
| Example | /var/lib/arizuko |
Filesystem prefix for instance data dirs; final path is $PREFIX/data/arizuko_<name>.
| Read by | cli / cmd/arizuko/main.go:154 |
|---|---|
| Type | path |
| Default | /srv |
| Example | /srv |
Read by compose/compose.go at arizuko run time when it generates the docker-compose YAML. These are not consumed by any running daemon — only by the generator that decides which services to emit, which ports to expose, and which proxyd routes to gate.
Host port to expose for davd. Empty ⇒ davd not exposed at the docker level.
| Read by | compose / compose/compose.go:564 |
|---|---|
| Type | string (port) |
| Default | "" |
| Example | 8096 |
Compose profile selector. minimal drops the dashd routes and other non-essential services; full includes everything.
| Read by | compose / compose/compose.go:306 |
|---|---|
| Type | string (minimal / full) |
| Default | full |
| Example | minimal |
Host port the proxyd service is published on; the public entry point for the instance.
| Read by | compose / compose/compose.go:530 |
|---|---|
| Type | string (port) |
| Default | 8095 |
| Example | 443 |
CSV of additional host ports also published for proxyd (e.g. expose 80 alongside 443).
| Read by | compose / compose/compose.go:536 |
|---|---|
| Type | CSV string |
| Default | "" |
| Example | 80,8080 |
Whether to emit the davd service and gate its /dav/ proxyd route.
| Read by | compose / compose/compose.go:323 (and as a route gate at :186) |
|---|---|
| Type | bool ("true") |
| Default | true |
| Example | false |
gated has no direct env reads — every value comes from core.LoadConfig above. The gated-specific gate is the validation block at gated/main.go:33: if CRACKBOX_ADMIN_API is set, both EGRESS_NETWORK_PREFIX and EGRESS_CRACKBOX must also be set or the daemon exits.
Shared HMAC key for signing identity headers (X-User-Sub, …) that backends verify via auth/middleware.go. If unset, proxyd generates an ephemeral value at boot and webd will reject every signed request — effectively breaking auth.
| Read by | proxyd / proxyd/main.go:46, webd / webd/server.go:99, onbod / onbod/main.go:78 |
|---|---|
| Type | string (hex/random, ≥32 bytes recommended) |
| Default | random per-process (production-broken if not set on all sides) |
| Example | b1...e9 |
Port proxyd binds to. Plain numbers get a : prefix.
| Read by | proxyd / proxyd/main.go:42 |
|---|---|
| Type | string (port or :port) |
| Default | 8080 |
| Example | 8080 |
Aggregated route table generated at compose time from every adapter's TOML [[proxyd_route]] entries.
| Read by | proxyd / proxyd/main.go:59 |
|---|---|
| Type | JSON string |
| Default | "" (falls back to legacy built-in routes) |
| Example | [{"prefix":"/dash/","backend":"http://dashd:8080","auth":"user"},…] |
If set, proxyd redirects /pub/* requests to this base URL instead of serving them locally — lets a CDN front the static docs.
| Read by | proxyd / proxyd/main.go:57 |
|---|---|
| Type | URL |
| Default | "" (proxyd serves /pub/ itself) |
| Example | https://docs.arizuko.com |
CSV of CIDRs (or bare IPs) trusted to set X-Forwarded-For. Empty ⇒ no client trusted, XFF always replaced with the connection peer.
| Read by | proxyd / proxyd/main.go:60 |
|---|---|
| Type | CSV string (CIDRs / IPs) |
| Default | "" |
| Example | 10.0.0.0/8,172.16.0.0/12 |
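
The trust rule above, worked through in Go as an added example (not proxyd's own code). The function names are hypothetical. Appending the peer to a trusted chain and the right-to-left walk in ClientIP are assumptions based on common reverse-proxy practice, not behaviour this page documents.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ParseTrusted parses the CSV of CIDRs or bare IPs. A bare IP becomes a
// single-host prefix. An empty string yields an empty list: nobody is trusted.
func ParseTrusted(csv string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, f := range strings.Split(csv, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		if p, err := netip.ParsePrefix(f); err == nil {
			out = append(out, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(f)
		if err != nil {
			return nil, fmt.Errorf("trusted entry %q is neither CIDR nor IP", f)
		}
		a = a.Unmap()
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

func isTrusted(trusted []netip.Prefix, a netip.Addr) bool {
	a = a.Unmap() // an IPv4-mapped IPv6 peer must match IPv4 prefixes
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// peerAddr extracts the IP from an "ip:port" connection address.
func peerAddr(remoteAddr string) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	return ap.Addr().Unmap(), nil
}

// ForwardedFor returns the X-Forwarded-For value to send to the backend.
// Untrusted peer (or empty trust list): the incoming header is discarded and
// replaced with the connection peer. Trusted peer: the chain is kept and the
// peer appended (assumption, see lead-in).
func ForwardedFor(trusted []netip.Prefix, remoteAddr, incoming string) (string, error) {
	peer, err := peerAddr(remoteAddr)
	if err != nil {
		return "", err
	}
	if incoming != "" && isTrusted(trusted, peer) {
		return incoming + ", " + peer.String(), nil
	}
	return peer.String(), nil
}

// ClientIP walks the chain right to left, stepping past hops that are
// themselves trusted proxies. It stops at the first untrusted or malformed
// entry, so a value the client typed into the header is never believed.
func ClientIP(trusted []netip.Prefix, remoteAddr, incoming string) (netip.Addr, error) {
	client, err := peerAddr(remoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	hops := strings.Split(incoming, ",")
	for i := len(hops) - 1; i >= 0 && isTrusted(trusted, client); i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: keep the last verified hop
		}
		client = hop.Unmap()
	}
	return client, nil
}

func main() {
	trusted, err := ParseTrusted("10.0.0.0/8,172.16.0.0/12")
	if err != nil {
		panic(err)
	}
	// Constructed sample requests: {connection peer, incoming X-Forwarded-For}.
	samples := [][2]string{
		{"10.1.2.3:41000", "203.0.113.9"},
		{"198.51.100.20:5555", "127.0.0.1"},
	}
	for _, s := range samples {
		xff, _ := ForwardedFor(trusted, s[0], s[1])
		ip, _ := ClientIP(trusted, s[0], s[1])
		fmt.Printf("peer=%s in=%q -> out=%q client=%s\n", s[0], s[1], xff, ip)
	}
}
```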
Backend address proxyd forwards /pub/* (and chat widget) traffic to.
| Read by | proxyd / proxyd/main.go:56 |
|---|---|
| Type | URL |
| Default | http://vited:8080 |
| Example | http://vited:8080 |
Base URL of gated; webd posts inbound web chat and webhook messages to $ROUTER_URL/v1/messages.
| Read by | webd / webd/main.go:38 — see also ROUTER_URL in adapters |
|---|---|
| Type | URL |
| Default | http://gated:8080 |
| Example | http://gated:8080 |
Address webd binds to.
| Read by | webd / webd/main.go:36 |
|---|---|
| Type | listen addr (:port or host:port) |
| Default | :8080 |
| Example | :8080 |
Public URL webd advertises to gated when registering as a channel.
| Read by | webd / webd/main.go:37 |
|---|---|
| Type | URL |
| Default | http://webd:8080 |
| Example | http://webd:8080 |
Cadence at which onbod scans for unprompted users / admission queue entries.
| Read by | onbod / onbod/main.go:147 |
|---|---|
| Type | Go duration string (time.ParseDuration) |
| Default | 10s |
| Example | 30s |
Custom greeting string injected into onboarding prompts in place of the default copy.
| Read by | onbod / onbod/main.go:142 |
|---|---|
| Type | string |
| Default | "" |
| Example | Welcome to krons. |
Address onbod binds to.
| Read by | onbod / onbod/main.go:144 |
|---|---|
| Type | listen addr |
| Default | :8080 |
| Example | :8080 |
onbod additionally reads ONBOARDING_ENABLED ("0" → clean exit), PROXYD_HMAC_SECRET (for StripUnsigned middleware), and ROUTER_URL via core.
Port dashd binds to. Plain numbers get a : prefix.
| Read by | dashd / dashd/main.go:79, compose / compose/compose.go:523 |
|---|---|
| Type | string |
| Default | :8080 |
| Example | :8080 |
SQLite DSN dashd opens read-only (with a separate RW handle for /dash/me/secrets writes). Falls back to $DATA_DIR/store/messages.db.
| Read by | dashd / dashd/main.go:70 |
|---|---|
| Type | path |
| Default | $DATA_DIR/store/messages.db (refuses to start if both unset) |
| Example | /srv/data/arizuko_krons/store/messages.db |
SQLite DSN timed opens to poll scheduled_tasks. Falls back to $DATA_DIR/store/messages.db.
| Read by | timed / timed/main.go:28 |
|---|---|
| Type | path |
| Default | $DATA_DIR/store/messages.db (refuses to start if both unset) |
| Example | /srv/data/arizuko_krons/store/messages.db |
timed also reads DATA_DIR and TZ (for cron evaluation).
Address ttsd binds to.
| Read by | ttsd / ttsd/main.go:31 |
|---|---|
| Type | listen addr |
| Default | :8880 |
| Example | :8880 |
Upstream Kokoro/OpenAI-compatible TTS server ttsd proxies to.
| Read by | ttsd / ttsd/main.go:32 |
|---|---|
| Type | URL |
| Default | http://kokoro:8880 |
| Example | http://kokoro:8880 |
ttsd also reads LOG_LEVEL.
Every channel adapter shares the same set of plumbing env vars:
Name the adapter registers with gated; routing uses this verbatim. Has a per-daemon default.
| Read by | teled :55, discd :64, mastd :52, bskyd :52, reditd :64, emaid :55, linkd :59, slakd :56 |
|---|---|
| Type | string |
| Default | matches the platform (telegram, discord, mastodon, …) |
| Example | telegram-prod |
Address the adapter binds for its outbound-send HTTP server (gated → adapter).
| Read by | teled :61 (:9001), discd :68 (:9002), whapd :156 (:9002), mastd :57 (:9004), emaid :64 (:9003), bskyd :58 (:9005), reditd :73 (:9006), linkd :66 (:9010), slakd :61 (:8080), twitd :43 (:8080) |
|---|---|
| Type | listen addr |
| Default | varies (see column above; :8080 when pinned by service TOML) |
| Example | :8080 |
URL the adapter advertises to gated on registration so gated can reach it.
| Read by | teled :62, discd :69, whapd :157, mastd :58, emaid :65, bskyd :59, reditd :74, linkd :67, slakd :62, twitd :44 |
|---|---|
| Type | URL |
| Default | http://<daemon>:<port> |
| Example | http://teled:9001 |
Base URL of gated where the adapter posts inbound messages.
| Read by | teled :59 (MustEnv), discd :66 (MustEnv), whapd :154, mastd :55 (MustEnv), emaid :62 (MustEnv), bskyd :56 (MustEnv), reditd :71 (MustEnv), linkd :64 (MustEnv), slakd :59 (MustEnv), twitd :41, webd :38, onbod :143 |
|---|---|
| Type | URL |
| Default | required in most adapters (MustEnv); webd/onbod default to http://gated:8080 |
| Example | http://gated:8080 |
All adapters additionally read CHANNEL_SECRET and most read MEDIA_MAX_FILE_BYTES.
Reads TELEGRAM_BOT_TOKEN (MustEnv), ASSISTANT_NAME, DATA_DIR, plus the adapter common surface. No teled-specific env vars beyond these.
Bot token. Required unless DISCORD_USER_TOKEN is set instead.
| Read by | discd / discd/main.go:52 |
|---|---|
| Type | string |
| Default | "" (refuses to start if both bot/user tokens empty) |
| Example | MTAxNTM4... |
User-account token; selects user-mode operation, bypassing bot intents. Mutually exclusive with the bot token.
| Read by | discd / discd/main.go:53 |
|---|---|
| Type | string |
| Default | "" |
| Example | mfa.xxxxx |
Directory where Baileys multi-file auth state (creds, keys) is persisted.
| Read by | whapd / whapd/src/main.ts:44 |
|---|---|
| Type | path |
| Default | $DATA_DIR/store/whatsapp-auth or /srv/data/store/whatsapp-auth |
| Example | /srv/data/arizuko_krons/store/whatsapp-auth |
whapd also reads ASSISTANT_NAME, DATA_DIR, ROUTER_URL, CHANNEL_SECRET, LISTEN_ADDR, LISTEN_URL.
App access token for the configured Mastodon instance.
| Read by | mastd / mastd/main.go:54 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | abcDEF... |
LRU size of cached attachment IDs (prevents reprocessing).
| Read by | mastd / mastd/main.go:65 |
|---|---|
| Type | int |
| Default | 1000 |
| Example | 5000 |
Base URL of the Mastodon instance the adapter streams from.
| Read by | mastd / mastd/main.go:53 (MustEnv) |
|---|---|
| Type | URL |
| Default | required |
| Example | https://mastodon.social |
AT Protocol handle or DID the adapter logs in as.
| Read by | bskyd / bskyd/main.go:53 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | arizuko.bsky.social |
App password for the Bluesky account.
| Read by | bskyd / bskyd/main.go:54 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | xxxx-xxxx-xxxx-xxxx |
PDS endpoint to authenticate against.
| Read by | bskyd / bskyd/main.go:55 |
|---|---|
| Type | URL |
| Default | https://bsky.social |
| Example | https://bsky.social |
OAuth client id of the registered Reddit app.
| Read by | reditd / reditd/main.go:65 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | abc123 |
OAuth client secret of the registered Reddit app.
| Read by | reditd / reditd/main.go:66 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | xyz789 |
Password for the bot account (script OAuth flow).
| Read by | reditd / reditd/main.go:68 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | hunter2 |
How often reditd polls subreddits for new posts/comments.
| Read by | reditd / reditd/main.go:77 |
|---|---|
| Type | Go duration string |
| Default | 5m |
| Example | 2m |
CSV of subreddit names to monitor.
| Read by | reditd / reditd/main.go:58 |
|---|---|
| Type | CSV string |
| Default | "" |
| Example | selfhosted,homelab |
User-Agent string used in Reddit API calls (Reddit policy requires a descriptive UA).
| Read by | reditd / reditd/main.go:70 |
|---|---|
| Type | string |
| Default | arizuko/1.0 |
| Example | arizuko-krons/1.0 by u/op |
Username of the bot account.
| Read by | reditd / reditd/main.go:67 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | arizuko_bot |
Email address / IMAP+SMTP login username.
| Read by | emaid / emaid/main.go:58 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | bot@example.com |
IMAP server hostname.
| Read by | emaid / emaid/main.go:56 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | imap.gmail.com |
IMAP server port.
| Read by | emaid / emaid/main.go:60 |
|---|---|
| Type | string (port) |
| Default | 993 |
| Example | 993 |
Login password / app password for IMAP+SMTP.
| Read by | emaid / emaid/main.go:59 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | xxxx xxxx xxxx xxxx |
SMTP server hostname.
| Read by | emaid / emaid/main.go:57 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | smtp.gmail.com |
SMTP server port.
| Read by | emaid / emaid/main.go:61 |
|---|---|
| Type | string (port) |
| Default | 587 |
| Example | 587 |
Reject inbound mail outright when SPF/DKIM/DMARC fails (fail-closed). When unset (default), failed-auth messages still reach the agent but flagged untrusted in the envelope. Spec 8/17.
| Read by | emaid / emaid/auth.go:64 |
|---|---|
| Type | bool (truthy strings: 1, true, yes, on) |
| Default | false |
| Example | true |
Hostname of the upstream MTA whose Authentication-Results header emaid will trust (e.g. mx.google.com for Gmail). When unset, every inbound is classified untrusted (fail-closed default per spec 8/17). Added v0.40.5.
| Read by | emaid / emaid/auth.go:63 |
|---|---|
| Type | string (hostname, lowercased) |
| Default | unset |
| Example | mx.google.com |
Comma-separated allowlist of sender domains that count as trusted (matched against the From-address domain after DMARC alignment). Empty entries ignored. Both this and EMAIL_TRUSTED_AUTHSERV must agree for a message to be trusted. Added v0.40.5.
| Read by | emaid / emaid/auth.go:68 |
|---|---|
| Type | comma-separated list |
| Default | unset (no domain allowlist) |
| Example | example.com, partner.org |
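
How the three email-authentication settings above combine, as an added Go sketch (not emaid's code). The type and function names are hypothetical. It assumes the verdict is driven by the dmarc= result in the Authentication-Results header, that only dmarc=fail triggers a strict-mode reject, that an empty allowlist trusts no domain, and that headers are passed in top-to-bottom order.

```go
package main

import (
	"fmt"
	"strings"
)

type Verdict string

const (
	Trusted   Verdict = "trusted"
	Untrusted Verdict = "untrusted"
	Rejected  Verdict = "rejected"
)

// Policy holds the three settings. Field names are this example's own; only
// EMAIL_TRUSTED_AUTHSERV is a variable name taken from the page.
type Policy struct {
	TrustedAuthserv string          // value of EMAIL_TRUSTED_AUTHSERV
	TrustedDomains  map[string]bool // parsed sender-domain allowlist
	Strict          bool            // reject-on-failure switch
}

// ParseDomains lowercases and trims the comma-separated allowlist and
// ignores empty entries.
func ParseDomains(csv string) map[string]bool {
	out := map[string]bool{}
	for _, d := range strings.Split(csv, ",") {
		if d = strings.ToLower(strings.TrimSpace(d)); d != "" {
			out[d] = true
		}
	}
	return out
}

// stripComments removes RFC 5322 "(...)" comments, which may nest.
func stripComments(s string) string {
	var b strings.Builder
	depth := 0
	for _, r := range s {
		switch {
		case r == '(':
			depth++
		case r == ')' && depth > 0:
			depth--
		case depth == 0:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// dmarcOf parses one Authentication-Results value (RFC 8601 layout:
// "authserv-id; method=result prop=value ...; ...") and returns the
// authserv-id, the DMARC result and the header.from domain.
func dmarcOf(value string) (authserv, result, fromDomain string) {
	parts := strings.Split(stripComments(value), ";")
	if f := strings.Fields(parts[0]); len(f) > 0 {
		authserv = strings.ToLower(f[0])
	}
	for _, part := range parts[1:] {
		fields := strings.Fields(part)
		if len(fields) == 0 || !strings.HasPrefix(strings.ToLower(fields[0]), "dmarc=") {
			continue
		}
		result = strings.ToLower(fields[0][len("dmarc="):])
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok && strings.EqualFold(k, "header.from") {
				fromDomain = strings.ToLower(v)
			}
		}
	}
	return
}

// Classify lets the topmost header written by the trusted authserv decide.
// Headers with any other authserv-id are skipped, and lower copies carrying
// the trusted id are never consulted, since the sender may have supplied them.
func Classify(p Policy, authResults []string) Verdict {
	want := strings.ToLower(strings.TrimSpace(p.TrustedAuthserv))
	if want == "" {
		return Untrusted // no trusted authserv configured: fail closed
	}
	for _, v := range authResults {
		authserv, result, from := dmarcOf(v)
		if authserv != want {
			continue
		}
		switch {
		case result == "pass" && p.TrustedDomains[from]:
			return Trusted
		case result == "fail" && p.Strict:
			return Rejected
		default:
			return Untrusted
		}
	}
	return Untrusted
}

func main() {
	p := Policy{TrustedAuthserv: "mx.google.com", TrustedDomains: ParseDomains("example.com, partner.org")}
	// Constructed header: the sender added its own "pass" under another authserv-id.
	forged := []string{"mail.sender.test; dmarc=pass header.from=example.com"}
	fmt.Println(Classify(p, forged))
}
```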
TOTP shared secret used to mint 2FA codes during automated login.
| Read by | twitd / twitd/src/main.ts:38 |
|---|---|
| Type | string (base32 TOTP secret) |
| Default | unset (login may fail when 2FA prompted) |
| Example | JBSWY3DPEHPK3PXP |
Persistent dir for cookies + cursor state across restarts.
| Read by | twitd / twitd/src/main.ts:30 |
|---|---|
| Type | path |
| Default | $DATA_DIR/store/twitter-auth or /srv/data/store/twitter-auth |
| Example | /srv/data/arizuko_krons/store/twitter-auth |
Email associated with the X account; sometimes required as a fallback identifier during login.
| Read by | twitd / twitd/src/main.ts:37 |
|---|---|
| Type | string |
| Default | unset |
| Example | bot@example.com |
Password for the X account.
| Read by | twitd / twitd/src/main.ts:36 |
|---|---|
| Type | string |
| Default | unset |
| Example | hunter2 |
Mentions/DM poll cadence. Accepts plain seconds (90), Ns, or Nm.
| Read by | twitd / twitd/src/main.ts:45 |
|---|---|
| Type | seconds (int or Ns/Nm) |
| Default | 90 |
| Example | 5m |
Username/handle for the X account.
| Read by | twitd / twitd/src/main.ts:35 |
|---|---|
| Type | string |
| Default | unset |
| Example | arizuko_bot |
Pre-acquired OAuth access token; if unset, linkd runs an interactive auth flow.
| Read by | linkd / linkd/main.go:62 |
|---|---|
| Type | string |
| Default | "" |
| Example | AQX... |
Base URL of the LinkedIn REST API.
| Read by | linkd / linkd/main.go:69 |
|---|---|
| Type | URL |
| Default | https://api.linkedin.com |
| Example | https://api.linkedin.com |
Allow the agent to publish posts without explicit operator confirmation.
| Read by | linkd / linkd/main.go:72 |
|---|---|
| Type | bool ("true") |
| Default | false |
| Example | true |
OAuth client id of the registered LinkedIn app.
| Read by | linkd / linkd/main.go:60 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | 77abcde |
OAuth client secret of the registered LinkedIn app.
| Read by | linkd / linkd/main.go:61 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | xyz123 |
Base URL for the LinkedIn OAuth endpoints.
| Read by | linkd / linkd/main.go:70 |
|---|---|
| Type | URL |
| Default | https://www.linkedin.com |
| Example | https://www.linkedin.com |
Cadence at which linkd polls for new messages.
| Read by | linkd / linkd/main.go:71 |
|---|---|
| Type | Go duration string |
| Default | 300s |
| Example | 60s |
Refresh token used to mint new access tokens.
| Read by | linkd / linkd/main.go:63 |
|---|---|
| Type | string |
| Default | "" |
| Example | AQR... |
Slack xoxb- bot token used by the Web API and Events API client.
| Read by | slakd / slakd/main.go:57 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | xoxb-... |
Shared secret Slack uses to sign incoming event webhooks; slakd verifies X-Slack-Signature against it.
| Read by | slakd / slakd/main.go:58 (MustEnv) |
|---|---|
| Type | string |
| Default | required |
| Example | 8f742231... |
Adapter-side override for CHANNEL_SECRET: slakd sends this value instead of CHANNEL_SECRET when registering with gated. Note: gated currently verifies all registration requests against the single shared CHANNEL_SECRET, so this must equal CHANNEL_SECRET in production. Per-adapter gateway verification is not yet implemented.
| Read by | slakd / slakd/main.go:60 |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | slk-... |
TTL (seconds) of the Slack user-info cache; lower values cost more API quota.
| Read by | slakd / slakd/main.go:64 |
|---|---|
| Type | int (seconds) |
| Default | 900 (15 min) |
| Example | 3600 |
Per-adapter override for CHANNEL_SECRET used by teled when registering with gated. See specs/6/H.
| Read by | teled / teled/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | tg-... |
Per-adapter override for CHANNEL_SECRET used by discd. See specs/6/H.
| Read by | discd / discd/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | dc-... |
Per-adapter override for CHANNEL_SECRET used by emaid. See specs/6/H.
| Read by | emaid / emaid/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | em-... |
Per-adapter override for CHANNEL_SECRET used by mastd. See specs/6/H.
| Read by | mastd / mastd/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | ma-... |
Per-adapter override for CHANNEL_SECRET used by bskyd. See specs/6/H.
| Read by | bskyd / bskyd/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | bs-... |
Per-adapter override for CHANNEL_SECRET used by reditd. See specs/6/H.
| Read by | reditd / reditd/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | rd-... |
Per-adapter override for CHANNEL_SECRET used by linkd. See specs/6/H.
| Read by | linkd / linkd/main.go |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | li-... |
Per-adapter override for CHANNEL_SECRET used by whapd. See specs/6/H.
| Read by | whapd / whapd/src/main.ts |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | wa-... |
Per-adapter override for CHANNEL_SECRET used by twitd. See specs/6/H.
| Read by | twitd / twitd/src/main.ts |
|---|---|
| Type | string |
| Default | falls back to CHANNEL_SECRET |
| Example | tw-... |
sigoden/dufs wrapped in alpine for the healthcheck (davd/Dockerfile). Its config is CLI args and dufs's own env vars, not arizuko's.
TEST_*, SMOKE_INSTANCE (Makefile-only). Omitted by scope.
XDG_CONFIG_HOME, HOME, CRACKBOX_LIBEXEC are read inside the crackbox component when it runs standalone. The arizuko-side touchpoints are CRACKBOX_ADMIN_API, CRACKBOX_ADMIN_SECRET, CRACKBOX_PROXY_URL.