Variables prefixed DOCKMESH_ configure the server binary at boot. They cannot be changed at runtime — set them in the systemd service file or Docker environment and restart.
For runtime-configurable settings (reverse proxy toggle, scanner toggle, etc.), use Settings → System in the UI.
| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_HTTP_ADDR` | `:8080` | HTTP listen address for the UI and API |
| `DOCKMESH_AGENT_LISTEN` | `:8443` | mTLS listen address for agent connections |
| `DOCKMESH_DATA_DIR` | `./data` | Parent directory for DB + CA state |
| `DOCKMESH_DB_PATH` | `$DATA_DIR/dockmesh.db` | SQLite path; ignored if `DOCKMESH_DB_URL` is set |
| `DOCKMESH_DB_URL` | — | PostgreSQL URL, e.g. `postgres://user:pass@host/dbname` |
| `DOCKMESH_STACKS_ROOT` | `./stacks` | Root directory for stack compose files |
| `DOCKMESH_LOG_LEVEL` | `info` | `debug`, `info`, `warn`, `error` |
| `DOCKMESH_LOG_FORMAT` | `text` | `text` or `json` |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_TLS_CERT` | — | Path to server cert (enables HTTPS on `HTTP_ADDR`) |
| `DOCKMESH_TLS_KEY` | — | Path to server private key |
| `DOCKMESH_CA_PASSPHRASE` | — | Extra passphrase for CA private key encryption |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_AGENT_SANS` | — | Comma-separated extra SANs for agent-facing TLS cert |
| `DOCKMESH_AGENT_CERT_LIFETIME` | `720h` | How long agent certs are valid (30 days default) |
| `DOCKMESH_AGENT_RENEWAL_WINDOW` | `168h` | How long before expiry agents attempt renewal (7 days) |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_DOCKER_HOST` | `unix:///var/run/docker.sock` | Docker daemon socket |
| `DOCKMESH_DOCKER_TLS_VERIFY` | `false` | Enable mTLS to Docker daemon |
| `DOCKMESH_DOCKER_CERT_PATH` | — | Path to Docker client certs |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_BASE_URL` | — | Public URL for the dockmesh server (e.g. `https://dockmesh.example.com`); used in emails and OIDC callbacks |
| `DOCKMESH_AGENT_PUBLIC_URL` | — | Public `wss://` URL agents use to connect back |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_REVERSE_PROXY` | `true` | Enable embedded Caddy (runtime-overridable via UI) |
| `DOCKMESH_VULN_SCANNER` | `true` | Enable embedded Grype scanner |
| `DOCKMESH_METRICS_AUTH` | `true` | Require auth on `/metrics` endpoint |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_JWT_SECRET` | (auto-generated) | JWT signing secret; auto-generated on first boot, stored in DB |
| `DOCKMESH_SESSION_TIMEOUT` | `15m` | Access token lifetime |
| `DOCKMESH_REFRESH_TIMEOUT` | `168h` | Refresh token lifetime (7 days) |
| `DOCKMESH_BOOTSTRAP_ADMIN_PASSWORD` | — | Override auto-generated admin password on first boot |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_RATE_LIMIT_ANONYMOUS` | `60` | Requests per minute for unauthenticated |
| `DOCKMESH_RATE_LIMIT_AUTHENTICATED` | `600` | Requests per minute for authenticated |
| `DOCKMESH_RATE_LIMIT_BURST` | `20` | Burst size |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_STATS_INTERVAL` | `30s` | How often agents collect container stats |
| `DOCKMESH_STATS_RETENTION` | `720h` | How long to keep per-container stats (30 days) |

| Variable | Default | Description |
|---|---|---|
| `DOCKMESH_DEBUG_PPROF` | `false` | Enable pprof endpoint at `/debug/pprof/` |
| `DOCKMESH_TRACE_FILE` | — | Write Go execution trace to file (for performance analysis) |

```ini
# systemd unit fragment: boot-time settings for the dockmesh server
[Service]
Environment="DOCKMESH_HTTP_ADDR=:8080"
Environment="DOCKMESH_DATA_DIR=/opt/dockmesh/data"
Environment="DOCKMESH_STACKS_ROOT=/opt/dockmesh/stacks"
Environment="DOCKMESH_BASE_URL=https://dockmesh.example.com"
Environment="DOCKMESH_AGENT_PUBLIC_URL=wss://dockmesh.example.com:8443"
Environment="DOCKMESH_LOG_FORMAT=json"
ExecStart=/usr/local/bin/dockmesh
```

```bash
# Pass the same settings as container environment variables
docker run -d \
  -e DOCKMESH_BASE_URL=https://dockmesh.example.com \
  -e DOCKMESH_LOG_FORMAT=json \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v dockmesh-data:/opt/dockmesh/data \
  ghcr.io/blinkmsp/dockmesh:latest
```
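
Because these settings are fixed at boot, it helps to review them before a restart. The following pre-deploy lint is an added example, not part of dockmesh: it checks a set of `DOCKMESH_*` values against the defaults in the tables above. The `lint` and `seconds` helpers, the sample values, and the assumptions that booleans are spelled `true`/`false` and that each renewal or session window should be shorter than its matching lifetime are all hypothetical.

```python
import re

# Defaults copied from the reference tables above.
DEFAULTS = {
    "DOCKMESH_AGENT_CERT_LIFETIME": "720h",
    "DOCKMESH_AGENT_RENEWAL_WINDOW": "168h",
    "DOCKMESH_SESSION_TIMEOUT": "15m",
    "DOCKMESH_REFRESH_TIMEOUT": "168h",
    "DOCKMESH_METRICS_AUTH": "true",
    "DOCKMESH_DEBUG_PPROF": "false",
}
UNITS = {"h": 3600, "m": 60, "s": 1}

def seconds(value):
    """Parse the duration forms the tables use (720h, 15m, 30s, 1h30m)."""
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def lint(env):
    """Return findings for a dict of explicitly set DOCKMESH_* values."""
    cfg = {**DEFAULTS, **env}
    on = lambda name: cfg[name].strip().lower() == "true"  # assumed spelling
    longer = lambda a, b: seconds(cfg[a]) >= seconds(cfg[b])
    out = []
    if ("DOCKMESH_TLS_CERT" in env) != ("DOCKMESH_TLS_KEY" in env):
        out.append("TLS_CERT and TLS_KEY must be set together")
    elif "DOCKMESH_TLS_CERT" not in env:
        out.append("no TLS_CERT: HTTP_ADDR serves plain HTTP, terminate TLS in front")
    if on("DOCKMESH_DEBUG_PPROF"):
        out.append("DEBUG_PPROF enables /debug/pprof/; keep it off in production")
    if not on("DOCKMESH_METRICS_AUTH"):
        out.append("METRICS_AUTH=false leaves /metrics unauthenticated")
    if "DOCKMESH_BOOTSTRAP_ADMIN_PASSWORD" in env:
        out.append("BOOTSTRAP_ADMIN_PASSWORD is readable from the unit file or container env")
    if longer("DOCKMESH_AGENT_RENEWAL_WINDOW", "DOCKMESH_AGENT_CERT_LIFETIME"):
        out.append("AGENT_RENEWAL_WINDOW is not shorter than AGENT_CERT_LIFETIME")
    if longer("DOCKMESH_SESSION_TIMEOUT", "DOCKMESH_REFRESH_TIMEOUT"):
        out.append("SESSION_TIMEOUT is not shorter than REFRESH_TIMEOUT")
    return out

# Constructed sample: values from the systemd example plus three risky overrides.
SAMPLE = {
    "DOCKMESH_BASE_URL": "https://dockmesh.example.com",
    "DOCKMESH_TLS_CERT": "/etc/dockmesh/server.crt",  # constructed path, no key set
    "DOCKMESH_DEBUG_PPROF": "true",
    "DOCKMESH_AGENT_RENEWAL_WINDOW": "800h",
}
```

`lint(SAMPLE)` returns three findings (certificate without key, pprof enabled, renewal window longer than the certificate lifetime); an empty dict yields only the plain-HTTP note.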