Environment variables

ZPA credentials

Required. The backend exits at startup when any of these are missing.

Var	Purpose
`ZPA_CLIENT_ID`	OAuth client ID (ZIdentity).
`ZPA_CLIENT_SECRET`	OAuth client secret.
`ZPA_CUSTOMER_ID`	Numeric customer ID.
`ZPA_VANITY`	Vanity domain (the part before `.zslogin.net`).
`ZPA_IDP`	Default IdP ID for SCIM operand resolution.

example.env in the repo root contains the empty shape.

Identity / proxy trust

Var	Default	Purpose
`TRUSTED_PROXIES`	empty	Comma-separated CIDRs of proxies allowed to set `Remote-User`, `Remote-Email`, `Remote-Groups`, `Remote-Name`. Peers outside these CIDRs have the headers stripped before any handler runs.

In the Docker stack, TRUSTED_PROXIES is set to 172.16.0.0/12,10.0.0.0/8 (covers Docker bridge networks). For native runs without a forward-auth proxy, leave empty.

Logging

Var	Default	Purpose
`LOG_DIR`	`${XDG_CONFIG_HOME}/painscaler/logs`	Rotated JSONL output directory.
`LOG_FILE`	`painscaler.log`	Filename inside `LOG_DIR`.
`LOG_LEVEL`	`info`	`debug` / `info` / `warn` / `error`.
`LOG_MAX_SIZE_MB`	`50`	Rotate when the file exceeds this size.
`LOG_MAX_BACKUPS`	`10`	Number of rotated files retained.
`LOG_MAX_AGE_DAYS`	`30`	Maximum age of rotated files.
`LOG_COMPRESS`	`true`	Gzip rotated files.

Errors mirror to stderr regardless of LOG_LEVEL.

Storage

The simulation history SQLite database lives at:

${XDG_CONFIG_HOME}/painscaler/runs.db

In the Docker image, XDG_CONFIG_HOME resolves to /data. The path is /data/painscaler/runs.db on the painscaler_data named volume. Logs are written beside it at /data/logs/painscaler.log.

Frontend (build-time)

Vite reads from frontend/.env:

Var	Purpose
`VITE_API_BASE`	Dev proxy and production fetch base. Default: `/api`.

Out-of-band configuration

Authelia secrets are generated by make init in deploy/ and live in deploy/secrets/ (mode 600, gitignored). Rotate with make rotate.
Caddy local CA is generated on first start and persisted in the caddy_data volume. Extract with make ca.