env.template

# Core Application
ROMM_BASE_PATH=/romm  # Base folder path for library, resources and assets
ROMM_TMP_PATH=  # Custom temporary directory path
ROMM_BASE_URL=http://0.0.0.0  # Base URL used when rendering container log links
ROMM_PORT=8080  # Port on which the application listens
KIOSK_MODE=false  # Read-only mode for public displays or kiosks

# Database
ROMM_DB_DRIVER=mariadb  # Database driver to use (mariadb, mysql, postgresql)
DB_HOST=  # Host name of the database instance [REQUIRED]
DB_PORT=3306  # Port number of the database instance
DB_NAME=romm  # Database name (should match MYSQL_DATABASE in MariaDB)
DB_USER=  # Database username (should match MARIADB_USER in MariaDB) [REQUIRED]
DB_PASSWD=  # Database password (should match MARIADB_PASSWORD in MariaDB) [REQUIRED]
DB_ROOT_PASSWD=  # Database root user password (only used by the bundled MariaDB container)
DB_QUERY_JSON=  # Extra query parameters for the database connection, as JSON

# Redis/Valkey
REDIS_HOST=127.0.0.1  # Host name of the Redis/Valkey instance
REDIS_PORT=6379  # Port number of the Redis/Valkey instance
REDIS_USERNAME=  # Username for the Redis/Valkey instance
REDIS_PASSWORD=  # Password for the Redis/Valkey instance
REDIS_DB=0  # Database number for the Redis/Valkey instance
REDIS_SSL=false  # Enable SSL (rediss://) for the Redis/Valkey connection

# Authentication
ROMM_AUTH_SECRET_KEY=  # App secret, generate with `openssl rand -hex 32` [REQUIRED]
OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS=1800  # Access token lifetime in seconds
OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS=604800  # Refresh token lifetime in seconds
SESSION_MAX_AGE_SECONDS=1209600  # Maximum age of a session in seconds
INVITE_TOKEN_EXPIRY_SECONDS=600  # Invite token lifetime in seconds
DISABLE_DOWNLOAD_ENDPOINT_AUTH=false  # Disable auth on the download endpoint for WebRcade/Tinfoil
DISABLE_CSRF_PROTECTION=false  # Disable CSRF protection (not recommended)
DISABLE_USERPASS_LOGIN=false  # Disable username/password login when using OIDC
DISABLE_SETUP_WIZARD=false  # Skip the first-boot setup wizard

# OpenID Connect
OIDC_ENABLED=false  # Enable OpenID Connect authentication
OIDC_AUTOLOGIN=false  # Skip the OIDC button on the login page and auto-redirect
OIDC_PROVIDER=  # Name of the OIDC provider in use
OIDC_CLIENT_ID=  # Client ID for OIDC authentication
OIDC_CLIENT_SECRET=  # Client secret for OIDC authentication
OIDC_REDIRECT_URI=  # Absolute redirect URI for OIDC authentication
OIDC_SERVER_APPLICATION_URL=  # Absolute URL of the OIDC server application
OIDC_SERVER_METADATA_URL=  # URL to the OIDC provider metadata endpoint
OIDC_CLAIM_ROLES=  # OIDC claim containing user roles
OIDC_ROLE_VIEWER=  # Role value mapping to viewer permissions
OIDC_ROLE_EDITOR=  # Role value mapping to editor permissions
OIDC_ROLE_ADMIN=  # Role value mapping to admin permissions
OIDC_TLS_CACERTFILE=  # Path to file containing trusted CA certificates
OIDC_USERNAME_ATTRIBUTE=preferred_username  # Attribute on OIDC user info used as the username
OIDC_RP_INITIATED_LOGOUT=false  # Enable RP-initiated logout flow
OIDC_END_SESSION_ENDPOINT=  # OIDC end-session endpoint override URL

# Metadata Providers
IGDB_CLIENT_ID=  # Client ID for the IGDB API
IGDB_CLIENT_SECRET=  # Client secret for the IGDB API
MOBYGAMES_API_KEY=  # MobyGames secret API key
SCREENSCRAPER_USER=  # Screenscraper username
SCREENSCRAPER_PASSWORD=  # Screenscraper password
STEAMGRIDDB_API_KEY=  # SteamGridDB secret API key
RETROACHIEVEMENTS_API_KEY=  # RetroAchievements secret API key
REFRESH_RETROACHIEVEMENTS_CACHE_DAYS=30  # RetroAchievements metadata cache refresh interval in days
PLAYMATCH_API_ENABLED=false  # Enable PlayMatch API integration
LAUNCHBOX_API_ENABLED=false  # Enable LaunchBox API integration
HASHEOUS_API_ENABLED=false  # Enable Hasheous API integration
FLASHPOINT_API_ENABLED=false  # Enable Flashpoint API integration
HLTB_API_ENABLED=false  # Enable HowLongToBeat API integration
TGDB_API_ENABLED=false  # Enable TheGamesDB API integration

# Scans & Tasks
SCAN_TIMEOUT=14400  # Timeout for background scan/rescan tasks in seconds
SCAN_WORKERS=1  # Number of worker processes for scanning tasks
TASK_TIMEOUT=300  # Timeout for other background tasks in seconds
TASK_RESULT_TTL=86400  # How long to keep task results in Valkey in seconds
SEVEN_ZIP_TIMEOUT=60  # Timeout for 7-Zip operations in seconds
ENABLE_RESCAN_ON_FILESYSTEM_CHANGE=false  # Re-scan the library automatically when the filesystem changes
RESCAN_ON_FILESYSTEM_CHANGE_DELAY=5  # Delay in minutes before re-scanning after a filesystem change
ENABLE_SCHEDULED_RESCAN=false  # Enable scheduled library re-scans
SCHEDULED_RESCAN_CRON=0 3 * * *  # Cron expression for scheduled re-scans
ENABLE_SCHEDULED_UPDATE_SWITCH_TITLEDB=false  # Enable scheduled Switch TitleDB index updates
SCHEDULED_UPDATE_SWITCH_TITLEDB_CRON=0 4 * * *  # Cron expression for scheduled Switch TitleDB updates
ENABLE_SCHEDULED_UPDATE_LAUNCHBOX_METADATA=false  # Enable scheduled LaunchBox metadata updates
SCHEDULED_UPDATE_LAUNCHBOX_METADATA_CRON=0 4 * * *  # Cron expression for scheduled LaunchBox metadata updates
ENABLE_SCHEDULED_CONVERT_IMAGES_TO_WEBP=false  # Enable scheduled conversion of images to WebP
SCHEDULED_CONVERT_IMAGES_TO_WEBP_CRON=0 4 * * *  # Cron expression for scheduled WebP conversion
ENABLE_SCHEDULED_RETROACHIEVEMENTS_PROGRESS_SYNC=false  # Enable scheduled RetroAchievements progress sync
SCHEDULED_RETROACHIEVEMENTS_PROGRESS_SYNC_CRON=0 4 * * *  # Cron expression for scheduled RetroAchievements sync

# Sync
SYNC_BASE_PATH=  # Base folder for sync state (defaults to $ROMM_BASE_PATH/sync)
ENABLE_SYNC_FOLDER_WATCHER=false  # Watch the sync folder and trigger scans on change
SYNC_FOLDER_SCAN_DELAY=2  # Delay in minutes before scanning after a sync folder change
ENABLE_SYNC_PUSH_PULL=false  # Enable scheduled sync push/pull
SYNC_PUSH_PULL_CRON=*/30 * * * *  # Cron expression for scheduled sync push/pull
SYNC_SSH_KEYS_PATH=  # Path to SSH keys for sync remotes (defaults to $ROMM_BASE_PATH/sync/keys)
SYNC_SSH_KNOWN_HOSTS_PATH=  # Path to SSH known_hosts (defaults to $ROMM_BASE_PATH/sync/known_hosts)

# Emulation
DISABLE_EMULATOR_JS=false  # Disable in-browser play via EmulatorJS
DISABLE_RUFFLE_RS=false  # Disable in-browser Flash playback via RuffleRS

# Integrations
YOUTUBE_BASE_URL=https://www.youtube.com  # Base URL for alternate YouTube frontends (Piped, Invidious, etc.)
TINFOIL_WELCOME_MESSAGE="RomM Switch Library"  # Welcome message shown in Tinfoil Switch clients

# Logging
LOGLEVEL=INFO  # Application log level
FORCE_COLOR=false  # Force colored log output
NO_COLOR=false  # Disable colored log output

# Web Server
WEB_SERVER_CONCURRENCY=1  # Number of worker processes (recommended: 2 × CPU cores + 1)
WEB_SERVER_TIMEOUT=300  # Timeout for web server requests in seconds
WEB_SERVER_KEEPALIVE=2  # Keep-Alive connection wait time in seconds
WEB_SERVER_MAX_REQUESTS=1000  # Maximum requests a worker processes before restarting
WEB_SERVER_MAX_REQUESTS_JITTER=100  # Random jitter added to max requests value
WEB_SERVER_WORKER_CONNECTIONS=1000  # Maximum simultaneous clients per worker process
WEB_SERVER_GUNICORN_WAIT_SECONDS=30  # Seconds to wait for Gunicorn to start before giving up
IPV4_ONLY=false  # Bind only to IPv4

# Proxy
HTTP_PROXY=  # HTTP proxy URL for outbound requests
HTTPS_PROXY=  # HTTPS proxy URL for outbound requests
NO_PROXY=  # Comma-separated list of hosts to bypass the proxy

# Observability
SENTRY_DSN=  # DSN for Sentry error tracking

# Development
DEV_MODE=false  # Enable development mode (debugging, hot-reloading)
DEV_HOST=127.0.0.1  # Host for the development server
DEV_PORT=5000  # Port for the development server
DEV_HTTPS=false  # Enable HTTPS in the development server
DEV_SQL_ECHO=false  # Log all SQL queries in development mode
POSTGRES_DB=authentik  # Postgres database name for the Authentik dev stack
POSTGRES_USER=authentik  # Postgres user for the Authentik dev stack
POSTGRES_PASSWORD=authentik  # Postgres password for the Authentik dev stack
AUTHENTIK_SECRET_KEY=  # Authentik secret key
AUTHENTIK_BOOTSTRAP_PASSWORD=  # Initial Authentik admin bootstrap password