Environment Variables
Compose files use environment variables for configuration. dockmesh extends this with global variables injected into every stack, plus host-scoped variables that only apply to stacks on specific hosts.
Precedence
Section titled “Precedence”When a stack deploys, dockmesh resolves variables in this order (highest wins):
- Stack
.envfile (in the stack directory on disk) - Stack-level vars configured in the UI for this specific stack
- Host-scoped globals matching the stack’s host
- Organization globals (apply everywhere)
- System defaults (if the Compose file has
${VAR:-default})
This lets you set TZ=Europe/Berlin once as a global and have it injected into every container, while still overriding it for a specific stack if needed.
Global variables
Section titled “Global variables”Environment in the sidebar manages organization-wide variables.
Common globals:
| Variable | Example | Why |
|---|---|---|
TZ | Europe/Berlin | Consistent timezone across containers |
PUID / PGID | 1000 / 1000 | LinuxServer.io convention for file ownership |
SMTP_HOST | mail.example.com | Shared email server across all apps |
LOKI_URL | http://loki:3100 | Shared log shipping |
SENTRY_DSN | https://... | Shared error tracking |
Host-scoped variables
Section titled “Host-scoped variables”Some variables should differ per environment. Tag globals with a host tag:
DATABASE_HOST=prod-db.internal— only on hosts taggedprodDATABASE_HOST=staging-db.internal— only on hosts taggedstagingLOG_LEVEL=debug— only on hosts taggeddev
Secrets
Section titled “Secrets”Any variable with a name matching *_PASSWORD, *_SECRET, *_TOKEN, *_KEY is stored encrypted at rest and masked in the UI by default. A Show secrets toggle (RBAC-gated) reveals the raw values.
For rotating secrets, edit in place — new deploys pick up the new value. Already-running containers need to be restarted.
For production secrets you don’t want in the dockmesh database at all, use Docker’s native secrets with an external secret store (Vault, SOPS, etc.) and reference them in your Compose file directly.
Import from .env file
Section titled “Import from .env file”Environment → Import accepts a standard .env file:
TZ=Europe/BerlinPUID=1000SMTP_HOST=mail.example.comDATABASE_PASSWORD=s3cr3tLines starting with # are preserved as comments.
Export
Section titled “Export”Environment → Export dumps the current globals to a .env file for backup or migration to another dockmesh instance.
Using in Compose
Section titled “Using in Compose”Reference globals like any env var:
services: app: image: nginx environment: - TZ - PUID - DATABASE_URL=postgres://user:${DATABASE_PASSWORD}@db/appShort form (- TZ) imports the variable by name from the environment. Long form with = uses interpolation.
Every change to a global variable is logged — who changed what, when, from where. Use this to trace “who changed the SMTP password at 2am”.
See also
Section titled “See also”- Stack Management — where stack-level vars are edited
- Audit Log — env var change history
- RBAC —
env.read_secretspermission