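# Tinyauth example environment file.
# One KEY=VALUE assignment per line; comments sit on their own line, starting
# with "#" in column 0. Every value below is a placeholder to replace.
# Once filled in, this file holds credentials (password hash, OAuth client
# secret, LDAP bind password): keep it out of version control and make it
# readable only by the account that runs Tinyauth.

# ---- Base Configuration ----

# The base URL where Tinyauth is accessible
TINYAUTH_APPURL=https://auth.example.com
# Log level: trace, debug, info, warn, error
TINYAUTH_LOGLEVEL=info
# Directory for static resources
TINYAUTH_RESOURCESDIR=/data/resources
# Path to SQLite database file
TINYAUTH_DATABASEPATH=/data/tinyauth.db
# Disable version heartbeat
TINYAUTH_DISABLEANALYTICS=false
# Disable static resource serving
TINYAUTH_DISABLERESOURCES=false
# Disable UI warning messages
TINYAUTH_DISABLEUIWARNINGS=false

# ---- Server Configuration ----

# Port to listen on
TINYAUTH_SERVER_PORT=3000
# Interface to bind to (0.0.0.0 for all interfaces).
# When a reverse proxy on the same host fronts Tinyauth, binding to a
# loopback or internal address keeps the listener off other networks.
TINYAUTH_SERVER_ADDRESS=0.0.0.0
# Unix socket path (optional, overrides port/address if set)
TINYAUTH_SERVER_SOCKETPATH=
# Comma-separated list of trusted proxy IPs/CIDRs.
# List only proxies you operate; a broad range here presumably lets any host
# in it supply forwarded client-address headers (confirm in the Tinyauth docs).
TINYAUTH_SERVER_TRUSTEDPROXIES=

# ---- Authentication Configuration ----

# Format: username:bcrypt_hash (use bcrypt to generate hash).
# The "$" characters in a bcrypt hash may be treated as variable references
# by whatever loads this file (a shell, Docker Compose, ...); check that the
# hash reaches Tinyauth unchanged and escape it as that loader requires.
TINYAUTH_AUTH_USERS=admin:$2a$10$example_bcrypt_hash_here
# Path to external users file (optional)
TINYAUTH_USERSFILE=
# Enable secure cookies (requires HTTPS).
# Leave this true for any deployment served over HTTPS.
TINYAUTH_SECURECOOKIE=true
# Session expiry in seconds (7200 = 2 hours)
TINYAUTH_SESSIONEXPIRY=7200
# Login timeout in seconds (300 = 5 minutes)
TINYAUTH_LOGINTIMEOUT=300
# Maximum login retries before lockout
TINYAUTH_LOGINMAXRETRIES=5

# ---- OAuth Configuration ----

# Regex pattern for allowed email addresses (e.g., /@example\.com$/).
# Anchor the pattern and escape dots as in the example, so that an address
# on a look-alike domain cannot match.
# NOTE(review): an empty value presumably allows every account the provider
# authenticates; confirm before deploying without a pattern.
TINYAUTH_OAUTH_WHITELIST=
# Provider ID to auto-redirect to (skips login page)
TINYAUTH_OAUTH_AUTOREDIRECT=

# OAuth Provider Configuration (replace MYPROVIDER with your provider name)
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTID=your_client_id_here
# Secret value: replace the placeholder and never commit the real one.
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTSECRET=your_client_secret_here
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_AUTHURL=https://provider.example.com/oauth/authorize
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_TOKENURL=https://provider.example.com/oauth/token
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_USERINFOURL=https://provider.example.com/oauth/userinfo
# Register exactly this URL as the redirect URI at the provider.
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_REDIRECTURL=https://auth.example.com/oauth/callback/myprovider
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_SCOPES=openid email profile
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_NAME=My OAuth Provider
# Allow self-signed certificates.
# Setting this to true turns off certificate validation for the provider
# connection; trusting the provider's CA on the host is the safer route.
TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_INSECURE=false

# ---- UI Customization ----

# Custom title for login page
TINYAUTH_UI_TITLE=Tinyauth
# Message shown on forgot password page.
# Some env-file loaders keep the surrounding double quotes as part of the
# value; drop them if they show up in the UI.
TINYAUTH_UI_FORGOTPASSWORDMESSAGE="Contact your administrator to reset your password"
# Background image URL for login page
TINYAUTH_UI_BACKGROUNDIMAGE=

# ---- LDAP Configuration ----

# LDAP server address.
# ldap:// on port 389 is unencrypted, so the bind password and user
# passwords cross the network in clear text unless the connection is
# otherwise protected; prefer an ldaps:// endpoint where the directory
# offers one.
TINYAUTH_LDAP_ADDRESS=ldap://ldap.example.com:389
# DN for binding to LDAP server.
# Use a dedicated read-only account, as in the example DN.
TINYAUTH_LDAP_BINDDN=cn=readonly,dc=example,dc=com
# Password for bind DN (secret value: replace the placeholder)
TINYAUTH_LDAP_BINDPASSWORD=your_bind_password
# Base DN for user searches
TINYAUTH_LDAP_BASEDN=dc=example,dc=com
# Search filter (%s will be replaced with username).
# NOTE(review): this file does not show whether the username is escaped
# before substitution; confirm, because an unescaped value would let a
# login name alter the filter.
TINYAUTH_LDAP_SEARCHFILTER=(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))
# Allow insecure LDAP connections.
# Keep false outside a lab environment.
TINYAUTH_LDAP_INSECURE=false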