node.env.example
# Example environment file for a towonel node; this sample enables both the hub
# and the edge role. Several settings below hold or point to secrets, so keep
# the populated copy out of version control and readable only by the service.
# Base dir for identity key, hub DB, operator key, TLS cert dir, invite-hash key.
# Private key material lives under this directory: restrict it to the service
# account (owner-only permissions) and include it in backups.
TOWONEL_DATA_DIR=/var/lib/towonel
# Identity source: either a key file (default ${TOWONEL_DATA_DIR}/node.key) or
# an invite token (stateless).
# Both are credentials for this node's identity; supply a real token from a
# secret store rather than writing it into a shared file.
# TOWONEL_IDENTITY_KEY_PATH=/custom/node.key
# TOWONEL_EDGE_INVITE_TOKEN=tt_edge_2_...
TOWONEL_HUB_ENABLED=true
# 0.0.0.0 binds every interface.
TOWONEL_HUB_LISTEN_ADDR=0.0.0.0:8443
# NOTE(review): what the health listener exposes is not shown here; bind it to
# loopback or an internal address unless it must be reachable externally.
TOWONEL_HUB_HEALTH_LISTEN_ADDR=0.0.0.0:9091
TOWONEL_HUB_PUBLIC_URL=https://hub.example.eu:8443
# Path to the operator API key file; keep it readable by the service user only.
# TOWONEL_HUB_OPERATOR_API_KEY_PATH=/custom/operator.key
TOWONEL_HUB_DNS_WEBHOOK_URL=https://dns-sidecar.internal/reconcile
# Auto-generated to ${TOWONEL_DATA_DIR}/invite_hash.key when unset.
# Back it up; losing it invalidates every outstanding invite.
# The <...> below is a placeholder for the command's output, not literal text.
# Setting the key inline puts it in the process environment; the _PATH form
# keeps it in a file whose permissions can be restricted.
# TOWONEL_INVITE_HASH_KEY=<openssl rand -hex 32>
# TOWONEL_INVITE_HASH_KEY_PATH=/custom/invite_hash.key
TOWONEL_HUB_DB_DRIVER=sqlite
# user:pass are placeholders; a real DSN embeds the database password.
# NOTE(review): the sample DSN sets no TLS option; check whether the connection
# to the database is encrypted in your deployment.
# TOWONEL_HUB_DB_DSN=postgresql://user:pass@host/db
# TOWONEL_HUB_DB_MAX_OPEN_CONNS=25
# TOWONEL_HUB_DB_MAX_IDLE_CONNS=10
# Pin peer node_ids to close the MITM window at first contact.
# Obtain each node_id over a channel you already trust; replace <64 hex> with
# the real value.
TOWONEL_HUB_PEERS=[{"url":"https://hub-b.example.eu:8443","node_id":"<64 hex>"}]
# TOWONEL_HUB_SYNC_OPERATIONS=invite_redeem
# NOTE(review): by its name this accepts peers without a pinned node_id, which
# would reopen the first-contact MITM window described above; leave it unset
# outside test setups. Confirm against the project documentation.
# TOWONEL_ALLOW_UNPINNED_FEDERATION_PEERS=1
TOWONEL_TENANTS=[{"name":"alice","id":"<64 hex>","pq_public_key":"<base64url>","hostnames":["app.alice.test"]}]
TOWONEL_EDGE_ENABLED=true
TOWONEL_EDGE_LISTEN_ADDR=0.0.0.0:443
# NOTE(review): same caveat as the hub health listener; restrict the bind
# address if the health endpoint is only needed internally.
TOWONEL_EDGE_HEALTH_LISTEN_ADDR=0.0.0.0:9090
TOWONEL_EDGE_HUB_URLS=https://hub-a.example.eu:8443,https://hub-b.example.eu:8443
# Address agents/clients reach (the reverse proxy when one fronts the edge).
TOWONEL_EDGE_ADVERTISED_ADDRESSES=edge-a.example.eu:443
# TOWONEL_EDGE_LISTEN_WORKERS=4
# Leave TLS unset for pure passthrough. ACME_EMAIL required when TLS is on.
# NOTE(review): the cert dir presumably holds certificate private keys; give it
# the same restrictive permissions as the data dir.
# TOWONEL_EDGE_TLS_CERT_DIR=/data/certs
# TOWONEL_EDGE_TLS_ACME_EMAIL=ops@example.eu
# NOTE(review): presumably selects the ACME staging endpoint, whose
# certificates are not publicly trusted; keep it false in production.
# TOWONEL_EDGE_TLS_ACME_STAGING=false