# neuronetz-gateway — environment configuration (SPEC §7). # # Copy to `.env` and adjust. `.env` is gitignored and MUST NOT be committed. # All values here are SAFE EXAMPLES — change every secret before any real deploy. # ──────────────────────────── Service ──────────────────────────── GATEWAY_BIND_HOST=0.0.0.0 GATEWAY_BIND_PORT=8080 GATEWAY_LOG_LEVEL=INFO GATEWAY_LOG_FORMAT=json # json|console GATEWAY_REQUEST_ID_HEADER=X-Request-ID GATEWAY_TRUSTED_PROXIES=127.0.0.1,nginx-proxy # for X-Forwarded-For # ──────────── Public hostname (jwilder-proxy / acme-companion) ─────── # These are consumed by docker-compose.yml's gateway service so that the # host's nginx-proxy stack routes TLS-terminated traffic for your domain. # Mirrors the pattern used by neuro-landing. GATEWAY_VIRTUAL_HOST=api.neuronetz.ai LETSENCRYPT_EMAIL=admin@neuronetz.ai # ──────────────────────── Volume adoption ──────────────────────── # Override the Docker volume names if an EXISTING volume on the host holds # data this stack should adopt (e.g. models pulled by a previous Ollama # deployment). Leave unset to use the default per-project names. # # Example (matches the neuronetz-ai-01 host): # OLLAMA_DATA_VOLUME=neuro-ollama_ollama-data # POSTGRES_DATA_VOLUME=neuro-gateway_postgres_data OLLAMA_DATA_VOLUME= POSTGRES_DATA_VOLUME= # ──────────────────────────── Upstream ─────────────────────────── OLLAMA_BASE_URL=http://ollama:11434 OLLAMA_CONNECT_TIMEOUT_S=5 OLLAMA_READ_TIMEOUT_S=600 OLLAMA_MAX_CONNECTIONS=64 # If you front Ollama with an auth proxy (e.g. an external host like # https://ollama.neuronetz.ai requiring a Bearer token), set the token here. # The value never appears in logs/errors — it's wrapped in pydantic SecretStr. # Leave empty to send no Authorization header (the default for an in-stack # ollama service on the private Docker network). OLLAMA_AUTH_TOKEN= # Override only if your auth proxy expects a non-standard header. For # Authorization the scheme prefix (default: Bearer) is included; for any other # header name the raw token is sent. OLLAMA_AUTH_HEADER=Authorization OLLAMA_AUTH_SCHEME=Bearer # ─────────────────────── Multi-backend (opt-in) ────────────────── # Aggregate models across SEVERAL Ollama backends. When set (non-empty JSON # list), this REPLACES the single-backend config above — include each backend # explicitly, in priority order. Requests for a given model route to the # FIRST backend that hosts it; on transport errors the gateway transparently # fails over to the next backend that has the same model. # # Each entry: {name, base_url, [auth_token], [auth_header], [auth_scheme]} # Example (embedded GPU container + publicly-fronted auth-protected Ollama): # OLLAMA_BACKENDS='[ # {"name":"embedded","base_url":"http://ollama:11434"}, # {"name":"public","base_url":"https://ollama.neuronetz.ai","auth_token":"YOUR_TOKEN"} # ]' OLLAMA_BACKENDS= # ──────────────────────── Model discovery (§4.6) ───────────────── MODEL_DISCOVERY_REFRESH_S=60 MODEL_DISCOVERY_CACHE_TTL_S=120 # ──────────────────────────── Database ─────────────────────────── # Compose builds DATABASE_URL from the POSTGRES_* parts below, but the gateway # also accepts a full DATABASE_URL directly. DATABASE_URL=postgresql+asyncpg://gateway:changeme@postgres:5432/neuronetz DATABASE_POOL_SIZE=10 DATABASE_POOL_OVERFLOW=20 # Postgres container credentials (consumed by docker-compose). POSTGRES_USER=gateway POSTGRES_PASSWORD=changeme POSTGRES_DB=neuronetz # ──────────────────────────── Redis ────────────────────────────── REDIS_URL=redis://redis:6379/0 REDIS_KEY_CACHE_TTL_S=60 # ────────────────── Limits (defaults; DB overrides) ────────────── DEFAULT_RPM=60 DEFAULT_TPM=100000 DEFAULT_CONCURRENT=8 MAX_REQUEST_BODY_BYTES=262144 MAX_NUM_PREDICT=4096 # ──────────────────────────── Security ─────────────────────────── ARGON2_TIME_COST=3 ARGON2_MEMORY_COST_KIB=65536 ARGON2_PARALLELISM=4 AUTH_FAILURE_RATE_LIMIT_PER_IP_PER_MIN=20 # ──────────────────────────── Audit ────────────────────────────── AUDIT_BUFFER_SIZE=1000 PROMPT_LOG_DEFAULT_RETENTION_DAYS=30 AUDIT_LOG_DEFAULT_RETENTION_DAYS=365 # ──────────────── Playground / API docs (prod-safe: OFF) ───────── # Serve the playground HTML (owned by the docs agent) at /playground. PLAYGROUND_ENABLED=false PLAYGROUND_FILE=/app/playground/index.html # Enable FastAPI's /docs + /openapi.json (default off in production). DOCS_ENABLED=false