
Environment Variables (Docker Only)

This document provides a comprehensive reference for all environment variables used by the Docker entrypoint script to generate the YAML configuration file for probod.

When running Probo in Docker:

  1. With existing config file: If you mount a configuration file to /etc/probod/config.yml, it will be used as-is
  2. With environment variables: If no config file exists, the entrypoint script generates one from these environment variables
  3. Direct probod usage: The probod binary only accepts YAML configuration files via the -cfg-file flag

| Variable | Description | Default Value | Required |
|---|---|---|---|
| CONFIG_FILE | Path to the configuration file | /etc/probod/config.yml | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| METRICS_ADDR | Address for Prometheus metrics endpoint | localhost:8081 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| TRACING_ADDR | OpenTelemetry collector address for distributed tracing | localhost:4317 | No |
| TRACING_MAX_BATCH_SIZE | Maximum number of spans to batch before export | 512 | No |
| TRACING_BATCH_TIMEOUT | Timeout in seconds for batching spans | 5 | No |
| TRACING_EXPORT_TIMEOUT | Timeout in seconds for exporting traces | 30 | No |
| TRACING_MAX_QUEUE_SIZE | Maximum queue size for spans waiting to be exported | 2048 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| PROBOD_BASE_URL | Public hostname for the Probo instance (used for URL generation) | http://localhost:8080 | No |
| PROBOD_ENCRYPTION_KEY | Base64-encoded encryption key for sensitive data (32+ bytes) | - | Yes |
| CHROME_DP_ADDR | Chrome DevTools Protocol address for PDF generation | localhost:9222 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| API_ADDR | Address and port for the API server to bind to | :8080 | No |
| API_CORS_ALLOWED_ORIGINS | Comma-separated list of allowed CORS origins | http://localhost:8080 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| PG_ADDR | PostgreSQL server address and port | localhost:5432 | No |
| PG_USERNAME | PostgreSQL username | postgres | No |
| PG_PASSWORD | PostgreSQL password | postgres | No |
| PG_DATABASE | PostgreSQL database name | probod | No |
| PG_POOL_SIZE | Maximum number of connections in the database pool | 100 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| AUTH_DISABLE_SIGNUP | Disable user self-registration | false | No |
| AUTH_INVITATION_TOKEN_VALIDITY | Invitation token validity duration in seconds | 3600 (1 hour) | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| AUTH_COOKIE_NAME | Name of the session cookie | SSID | No |
| AUTH_COOKIE_DOMAIN | Domain for the session cookie | localhost | No |
| AUTH_COOKIE_SECRET | Secret key for signing session cookies (32+ bytes) | - | Yes |
| AUTH_COOKIE_DURATION | Session cookie validity duration in hours | 24 | No |
| AUTH_COOKIE_SECURE | Set Secure flag on cookies (use false for HTTP) | true | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| AUTH_PASSWORD_PEPPER | Secret pepper value for password hashing (32+ bytes) | - | Yes |
| AUTH_PASSWORD_ITERATIONS | Number of PBKDF2 iterations for password hashing | 1000000 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| TRUST_AUTH_COOKIE_NAME | Name of the trust center token cookie | TCT | No |
| TRUST_AUTH_COOKIE_DOMAIN | Domain for the trust center cookie | localhost | No |
| TRUST_AUTH_COOKIE_DURATION | Trust center cookie validity duration in hours | 24 | No |
| TRUST_AUTH_TOKEN_DURATION | Trust center access token validity duration in hours | 168 (7 days) | No |
| TRUST_AUTH_REPORT_URL_DURATION | Validity duration for report URLs in minutes | 15 | No |
| TRUST_AUTH_TOKEN_SECRET | Secret key for signing trust center tokens (32+ bytes) | - | Yes |
| TRUST_AUTH_SCOPE | OAuth2 scope for trust center access | trust_center_readonly | No |
| TRUST_AUTH_TOKEN_TYPE | Token type identifier for trust center tokens | trust_center_access | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| AWS_REGION | AWS region for S3 storage | us-east-1 | No |
| AWS_BUCKET | S3 bucket name for file storage | probod | No |
| AWS_ACCESS_KEY_ID | AWS access key ID (leave empty for IAM role) | - | No |
| AWS_SECRET_ACCESS_KEY | AWS secret access key (leave empty for IAM role) | - | No |
| AWS_ENDPOINT | Custom S3 endpoint (for SeaweedFS or S3-compatible services) | - | No |
| AWS_USE_PATH_STYLE | Use path-style URLs (required for SeaweedFS) | false | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| MAILER_SENDER_NAME | Display name for outgoing emails | Probo | No |
| MAILER_SENDER_EMAIL | Email address for outgoing emails | no-reply@notification.getprobo.com | No |
| SMTP_ADDR | SMTP server address and port | localhost:1025 | No |
| SMTP_USER | Username for SMTP authentication | - | No |
| SMTP_PASSWORD | Password for SMTP authentication | - | No |
| SMTP_TLS_REQUIRED | Require TLS for SMTP connections | false | No |
| MAILER_INTERVAL | Interval in seconds for processing email queue | 60 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| SLACK_SENDER_INTERVAL | Interval in seconds for processing Slack notification queue | 60 | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| OPENAI_API_KEY | OpenAI API key for AI-powered features | - | No |
| OPENAI_TEMPERATURE | Temperature parameter for OpenAI completions (0.0-2.0) | 0.1 | No |
| OPENAI_MODEL_NAME | OpenAI model name to use | gpt-4o | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| SAML_SESSION_DURATION | SAML session validity duration in seconds | 604800 (7 days) | No |
| SAML_CLEANUP_INTERVAL_SECONDS | Interval in seconds for cleaning up expired SAML sessions (0=off) | 0 (disabled) | No |
| SAML_CERTIFICATE | SAML service provider certificate in PEM format | autogenerated | No |
| SAML_PRIVATE_KEY | SAML service provider private key in PEM format | autogenerated | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| CUSTOM_DOMAINS_RENEWAL_INTERVAL | Interval in seconds for checking certificate renewals | 3600 (1 hour) | No |
| CUSTOM_DOMAINS_PROVISION_INTERVAL | Interval in seconds for provisioning new domains | 30 | No |
| CUSTOM_DOMAINS_CNAME_TARGET | CNAME target for custom domains | custom.getprobo.com | No |

| Variable | Description | Default Value | Required |
|---|---|---|---|
| ACME_DIRECTORY | ACME directory URL for certificate issuance | https://acme-v02.api.letsencrypt.org/directory | No |
| ACME_EMAIL | Email address for ACME account registration | admin@getprobo.com | No |
| ACME_KEY_TYPE | Key type for ACME certificates (RSA2048, RSA4096, EC256, EC384) | EC256 | No |
| ACME_ROOT_CA | Custom root CA certificate (PEM format) | - | No |

These variables are only used if CONNECTOR_SLACK_CLIENT_ID is set.

| Variable | Description | Default Value | Required |
|---|---|---|---|
| CONNECTOR_SLACK_CLIENT_ID | Slack OAuth2 app client ID | - | No |
| CONNECTOR_SLACK_CLIENT_SECRET | Slack OAuth2 app client secret | - | Yes (if client ID set) |
| CONNECTOR_SLACK_REDIRECT_URI | OAuth2 redirect URI for Slack connector | https://localhost:8080/api/console/v1/connectors/complete | No |
| CONNECTOR_SLACK_AUTH_URL | Slack OAuth2 authorization endpoint | https://slack.com/oauth/v2/authorize | No |
| CONNECTOR_SLACK_TOKEN_URL | Slack OAuth2 token endpoint | https://slack.com/api/oauth.v2.access | No |
| CONNECTOR_SLACK_SIGNING_SECRET | Slack app signing secret for webhook verification | - | Yes (if client ID set) |

The following environment variables are required and must be set to secure random values in production:

  1. PROBOD_ENCRYPTION_KEY - Generate with: openssl rand -base64 32
  2. AUTH_COOKIE_SECRET - Generate with: openssl rand -base64 32
  3. AUTH_PASSWORD_PEPPER - Generate with: openssl rand -base64 32
  4. TRUST_AUTH_TOKEN_SECRET - Generate with: openssl rand -base64 32

```bash
# Generate all required secrets
export PROBOD_ENCRYPTION_KEY=$(openssl rand -base64 32)
export AUTH_COOKIE_SECRET=$(openssl rand -base64 32)
export AUTH_PASSWORD_PEPPER=$(openssl rand -base64 32)
export TRUST_AUTH_TOKEN_SECRET=$(openssl rand -base64 32)
echo "PROBOD_ENCRYPTION_KEY=$PROBOD_ENCRYPTION_KEY"
echo "AUTH_COOKIE_SECRET=$AUTH_COOKIE_SECRET"
echo "AUTH_PASSWORD_PEPPER=$AUTH_PASSWORD_PEPPER"
echo "TRUST_AUTH_TOKEN_SECRET=$TRUST_AUTH_TOKEN_SECRET"
```

The Docker entrypoint script follows this priority order:

  1. If CONFIG_FILE exists (e.g., mounted from ConfigMap/volume), use it as-is
  2. Otherwise, generate config file from environment variables
  3. Environment variables use provided values or fall back to defaults
  4. Script fails if required variables are missing (marked with :? in bash)
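
The rules above, together with the required-secret list, can be checked before the container starts. The following is an added example and not Probo's entrypoint script; the function names `b64_len` and `probo_preflight` are hypothetical, and it assumes "32+ bytes" means the decoded length for the base64-encoded PROBOD_ENCRYPTION_KEY and the string length for the other three secrets.

```shell
#!/bin/sh
# Added example, not Probo's entrypoint: pre-flight check of the container environment.

# Decoded length in bytes of a base64 string; prints 0 if it does not decode.
b64_len() {
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || { echo 0; return 0; }
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Prints findings; exit status is 1 if any ERROR was reported, else 0.
probo_preflight() (
  cfg="${CONFIG_FILE:-/etc/probod/config.yml}"
  errors=0
  # Priority 1: an existing config file is used as-is, so the environment is ignored.
  if [ -f "$cfg" ]; then
    echo "INFO: $cfg exists, environment variables are not consulted"
    exit 0
  fi
  # Required secrets: the entrypoint fails when these are missing.
  for name in PROBOD_ENCRYPTION_KEY AUTH_COOKIE_SECRET AUTH_PASSWORD_PEPPER TRUST_AUTH_TOKEN_SECRET; do
    eval "val=\${$name:-}"
    len=${#val}
    # Assumption: the base64-encoded key is measured after decoding.
    [ "$name" != PROBOD_ENCRYPTION_KEY ] || len=$(b64_len "$val")
    if [ -z "$val" ]; then
      echo "ERROR: $name is required"; errors=$((errors + 1))
    elif [ "$len" -lt 32 ]; then
      echo "ERROR: $name is below 32 bytes (got $len)"; errors=$((errors + 1))
    fi
  done
  # Slack connector secrets become required once the client ID is set.
  if [ -n "${CONNECTOR_SLACK_CLIENT_ID:-}" ]; then
    for name in CONNECTOR_SLACK_CLIENT_SECRET CONNECTOR_SLACK_SIGNING_SECRET; do
      eval "val=\${$name:-}"
      [ -n "$val" ] || { echo "ERROR: $name is required when the client ID is set"; errors=$((errors + 1)); }
    done
  fi
  # Documented defaults that should not reach production.
  [ "${PG_PASSWORD:-postgres}" != postgres ] || echo "WARN: PG_PASSWORD is the default 'postgres'"
  [ "${AUTH_COOKIE_SECURE:-true}" != false ] || echo "WARN: AUTH_COOKIE_SECURE=false allows the session cookie over HTTP"
  [ "${SMTP_TLS_REQUIRED:-false}" != false ] || echo "WARN: SMTP_TLS_REQUIRED is false, SMTP may run without TLS"
  [ "$errors" -eq 0 ]
)
```

Source the file and call `probo_preflight || exit 1` in the same shell that exports the variables, for example in a CI step ahead of `docker run`.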

If you’re running probod directly outside of Docker, you must provide a YAML configuration file:

```bash
probod -cfg-file /path/to/your/config.yaml
```

See the Config File for the complete YAML configuration format and examples.