Skip to main content
All configuration is done through environment variables in the .env file. Copy .env.example to .env and fill in your values.

Domain configuration

VariableRequiredDefaultDescription
HOSTYestale.localHostname without protocol (used for Docker networking and emails)
SITE_URLYeshttps://tale.localFull canonical URL with protocol (used for external links and auth callbacks)
BASE_PATHNoBase path for subpath deployments (e.g., /app). Leave empty for root deployments
SITE_URL must match the URL users access in their browser, including any non-standard ports (e.g., https://example.com:8443).

TLS/SSL

VariableRequiredDefaultDescription
TLS_MODENoselfsignedCertificate handling: selfsigned, letsencrypt, or external
TLS_EMAILNoEmail for Let’s Encrypt notifications (recommended for production)
  • selfsigned: Self-signed certificates for development. Browser shows a warning.
  • letsencrypt: Free trusted certificates from Let’s Encrypt. Requires a valid public domain and ports 80/443 accessible.
  • external: TLS handled by an external reverse proxy. Caddy listens on HTTP only.

Security secrets

VariableRequiredDescription
BETTER_AUTH_SECRETYesAuth session signing key. Generate with: openssl rand -base64 32
ENCRYPTION_SECRET_HEXYesEncryption key for sensitive data. Generate with: openssl rand -hex 32
INSTANCE_SECRETNoConvex instance secret. Generate with: openssl rand -hex 32
Important: The .env.example ships with example secrets. You must replace them with your own generated values before starting, even in local development.

AI providers

AI provider configuration (API keys, base URLs, models) is managed through provider files in the providers/ directory, not environment variables. See the Settings > Providers page in the management UI or edit provider JSON files directly.
  • providers/<name>.json — public config (base URL, models, tags)
  • providers/<name>.secrets.json — SOPS-encrypted API keys (auto-generated by tale init)

Database

VariableRequiredDefaultDescription
DB_PASSWORDYesPassword for the self-hosted PostgreSQL database
POSTGRES_URLNoOverride the auto-generated database connection URL. If not set, constructed as postgresql://tale:${DB_PASSWORD}@db:5432

Error tracking

VariableRequiredDefaultDescription
SENTRY_DSNNoSentry DSN for error tracking. Compatible with GlitchTip and Bugsink
If not set, error tracking is disabled and errors only appear in Docker logs.

Monitoring

VariableRequiredDefaultDescription
METRICS_BEARER_TOKENNoBearer token for external access to Prometheus metrics
When unset, all /metrics/* endpoints return 401. See Operations for endpoint details.

Service URLs

These are automatically configured in Docker Compose but can be overridden for custom setups:
VariableDefaultDescription
CRAWLER_URLhttp://crawler:8002Crawler service for website crawling
RAG_URLhttp://rag:8001RAG service for document indexing and search

Docker deployment

VariableRequiredDefaultDescription
PULL_POLICYNoSet to always to use pre-built images from GitHub
VERSIONNoImage version tag (e.g., latest, v1.0.0). Used with PULL_POLICY=always

Microsoft Entra ID SSO

These variables are only needed if you configure SSO through environment variables instead of the in-app Settings > Integrations UI.
VariableRequiredDescription
AUTH_MICROSOFT_ENTRA_ID_IDNoMicrosoft Entra ID application (client) ID
AUTH_MICROSOFT_ENTRA_ID_SECRETNoMicrosoft Entra ID client secret
AUTH_MICROSOFT_ENTRA_ID_TENANT_IDNoMicrosoft Entra ID tenant ID

Trusted headers authentication

VariableRequiredDescription
TRUSTED_HEADERS_ENABLEDNoSet to true to enable trusted headers authentication
TRUSTED_HEADERS_INTERNAL_SECRETNoShared secret for validating trusted header requests
See the Authentication guide for details on configuring trusted headers.
Last modified on April 3, 2026