n8n-install/.env.example

##### Change the name of this file to .env after updating it!

############
# [optional]
# Anonymous telemetry - helps improve the project
# Set to false to disable (default: true)
############
# SCARF_ANALYTICS=false

############
# [required]
# n8n credentials - you set this to whatever you want, just make it a long and secure string for both!
############

N8N_ENCRYPTION_KEY=
N8N_USER_MANAGEMENT_JWT_SECRET=
N8N_RUNNERS_AUTH_TOKEN=


############
# [required]
# grafana credentials - you set this to whatever you want, just make it a long and secure string for both!
############

GRAFANA_ADMIN_PASSWORD=


############
# [required]
# prometheus credentials - you set this to whatever you want, just make it a long and secure string for both!
############

PROMETHEUS_USERNAME=
PROMETHEUS_PASSWORD=


############
# [required]
# searxng credentials - you set this to whatever you want, just make it a long and secure string for both!
############

SEARXNG_USERNAME=
SEARXNG_PASSWORD=


############
# [required]
# Supabase Secrets

# YOU MUST CHANGE THESE BEFORE GOING INTO PRODUCTION
# Read these docs for any help: https://supabase.com/docs/guides/self-hosting/docker
# For the JWT Secret and keys, see: https://supabase.com/docs/guides/self-hosting/docker#generate-api-keys
# For the other secrets, see: https://supabase.com/docs/guides/self-hosting/docker#update-secrets
# You can really decide any value for POOLER_TENANT_ID like 1000.

# Note that using special symbols (like '%') can complicate things a bit for your Postgres password.
# If you use special symbols in your Postgres password, you must remember to percent-encode your password later if using the Postgres connection string, for example, postgresql://postgres.projectref:p%3Dword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
############

POSTGRES_PASSWORD=
JWT_SECRET=
ANON_KEY=
SERVICE_ROLE_KEY=
DASHBOARD_USERNAME=
DASHBOARD_PASSWORD=
POOLER_TENANT_ID=1000


############
# [required] 
# Weaviate username and password
############

WEAVIATE_USERNAME=
WEAVIATE_API_KEY=


############
# [required]
# Qdrant API Key
############
QDRANT_API_KEY=


############
# [required]
# Neo4j username and password
############

NEO4J_AUTH_USERNAME=neo4j
NEO4J_AUTH_PASSWORD=


############
# [required]
# NocoDB JWT Secret (auto-generated)
############

NOCODB_JWT_SECRET=


############
# [required]
# Langfuse credentials
# Each of the secret keys you can set to whatever you want, just make it secure!
# For the encryption key, use the command `openssl rand -hex 32`
#   openssl is available by defualt on Linux/Mac
#   For Windows, you can use the 'Git Bash' terminal installed with git
############

CLICKHOUSE_PASSWORD=
MINIO_ROOT_PASSWORD=
LANGFUSE_SALT=
NEXTAUTH_SECRET=
ENCRYPTION_KEY=
LANGFUSE_INIT_PROJECT_PUBLIC_KEY=
LANGFUSE_INIT_PROJECT_SECRET_KEY=
LANGFUSE_INIT_USER_EMAIL=
LANGFUSE_INIT_USER_PASSWORD=

############
# [required]
# ComfyUI credentials - you set this to whatever you want, just make it a long and secure string for both!
############

COMFYUI_USERNAME=
COMFYUI_PASSWORD=

############
# [required]
# LibreTranslate credentials (for Caddy basic auth)
############
LT_USERNAME=
LT_PASSWORD=
LT_PASSWORD_HASH=

############
# [required for prod]
# Caddy Config

# By default listen on https://localhost:[service port] and don't use an email for SSL
# To change this for production:
# Uncomment all of these environment variables for the services you want exposed
# Note that you might not want to expose Ollama or SearXNG since they aren't secured by default
# Replace the placeholder value with the host for each service (like n8n.yourdomain.com)
# Replace internal by your email (require to create a Let's Encrypt certificate)
############

USER_DOMAIN_NAME=
LETSENCRYPT_EMAIL=
COMFYUI_HOSTNAME=comfyui.yourdomain.com
DATABASUS_HOSTNAME=databasus.yourdomain.com
DIFY_HOSTNAME=dify.yourdomain.com
DOCLING_HOSTNAME=docling.yourdomain.com
FLOWISE_HOSTNAME=flowise.yourdomain.com
GRAFANA_HOSTNAME=grafana.yourdomain.com
LANGFUSE_HOSTNAME=langfuse.yourdomain.com
LETTA_HOSTNAME=letta.yourdomain.com
LIGHTRAG_HOSTNAME=lightrag.yourdomain.com
LT_HOSTNAME=translate.yourdomain.com
N8N_HOSTNAME=n8n.yourdomain.com
NEO4J_HOSTNAME=neo4j.yourdomain.com
NOCODB_HOSTNAME=nocodb.yourdomain.com
PADDLEOCR_HOSTNAME=paddleocr.yourdomain.com
PORTAINER_HOSTNAME=portainer.yourdomain.com
POSTIZ_HOSTNAME=postiz.yourdomain.com
TEMPORAL_UI_HOSTNAME=temporal.yourdomain.com
PROMETHEUS_HOSTNAME=prometheus.yourdomain.com
QDRANT_HOSTNAME=qdrant.yourdomain.com
RAGAPP_HOSTNAME=ragapp.yourdomain.com
RAGFLOW_HOSTNAME=ragflow.yourdomain.com
SEARXNG_HOSTNAME=searxng.yourdomain.com
SUPABASE_HOSTNAME=supabase.yourdomain.com
WAHA_HOSTNAME=waha.yourdomain.com
WEAVIATE_HOSTNAME=weaviate.yourdomain.com
WEBUI_HOSTNAME=webui.yourdomain.com
WELCOME_HOSTNAME=welcome.yourdomain.com

############
# [required]
# Welcome Page credentials (for Caddy basic auth)
############

WELCOME_USERNAME=
WELCOME_PASSWORD=
WELCOME_PASSWORD_HASH=

# Everything below this point is optional.
# Default values will suffice unless you need more features/customization.

RUN_N8N_IMPORT=

############
# [optional]
# n8n configuration
############

# Number of n8n worker-runner pairs to generate.
# Each worker gets its own dedicated task runner sidecar.
# After changing, run: bash scripts/generate_n8n_workers.sh
# Defaults to 1 if unset.
N8N_WORKER_COUNT=1

# Enable offloading manual executions to workers (recommended for production).
# When true, the main n8n instance does not execute workflows, only coordinates.
OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS=true

# Maximum number of concurrent Code node executions per task runner. Defaults to 5.
N8N_RUNNERS_MAX_CONCURRENCY=5

N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true
EXECUTIONS_MODE=queue
N8N_LOG_LEVEL=info

NODES_EXCLUDE="[]"
N8N_LOG_OUTPUT=console

# Timezone for n8n and workflows (https://docs.n8n.io/hosting/configuration/environment-variables/timezone-localization/)
GENERIC_TIMEZONE=America/New_York

############
# [optional]
# n8n SMTP environment variables
############
N8N_EMAIL_MODE=smtp
N8N_SMTP_HOST=
N8N_SMTP_PORT=
N8N_SMTP_USER=
N8N_SMTP_PASS=
N8N_SMTP_OAUTH_SERVICE_CLIENT=
N8N_SMTP_OAUTH_PRIVATE_KEY=
N8N_SMTP_SENDER=
N8N_SMTP_SSL=true
N8N_SMTP_STARTTLS=true

############
# [required]
# PaddleOCR credentials
############

PADDLEOCR_USERNAME=
PADDLEOCR_PASSWORD=
PADDLEOCR_PASSWORD_HASH=

############
# [required]
# Docling credentials (for Caddy basic auth)
############

DOCLING_USERNAME=
DOCLING_PASSWORD=
DOCLING_PASSWORD_HASH=

############
# [required]
# RAGApp credentials - used for Basic Auth in Caddy
############

RAGAPP_USERNAME=
RAGAPP_PASSWORD=

############
# [required]
# LightRAG credentials (for built-in authentication)
# Username and password for web interface login
# API key for programmatic access to the API
############

LIGHTRAG_USERNAME=
LIGHTRAG_PASSWORD=
LIGHTRAG_API_KEY=

   #
   #
#######
 #####
   #

############
# LibreTranslate Configuration
# These map directly to container envs (LT_* in docker-compose)
############
LT_API_KEYS=false
LT_BATCH_LIMIT=
LT_CHAR_LIMIT=10000
LT_DEBUG=false
LT_FRONTEND_LANGUAGE_SOURCE=auto
LT_FRONTEND_LANGUAGE_TARGET=en
LT_FRONTEND_TIMEOUT=2000
LT_HOST=0.0.0.0
LT_LOAD_ONLY=en,ru
LT_METRICS=false
LT_PORT=5000
LT_REQ_LIMIT=
LT_SSL=false
LT_SUGGESTIONS=false
LT_THREADS=4
LT_UPDATE_MODELS=true

############
# Optional Google Authentication for Supabase
# Get these values from the Google Admin Console
############
# ENABLE_GOOGLE_SIGNUP=true
# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
# GOOGLE_REDIRECT_URI=

############
# Optional SearXNG Config
# If you run a very small or a very large instance, you might want to change the amount of used uwsgi workers and threads per worker
# More workers (= processes) means that more search requests can be handled at the same time, but it also causes more resource usage
############

# SEARXNG_UWSGI_WORKERS=4
# SEARXNG_UWSGI_THREADS=4

############
# Database - You can change these to any PostgreSQL database that has logical replication enabled.
############

POSTGRES_HOST=db
POSTGRES_DB=postgres
POSTGRES_PORT=5432
POSTGRES_USER=postgres

# Service-specific database names
# New installations use dedicated databases per service
# Existing installations may use 'postgres' for backward compatibility
POSTIZ_DB_NAME=postiz
WAHA_DB_NAME=waha
LIGHTRAG_DB_NAME=lightrag

############
# Supavisor -- Database pooler and others that can be left as default values
############
POOLER_PROXY_PORT_TRANSACTION=6543
POOLER_DEFAULT_POOL_SIZE=20
POOLER_MAX_CLIENT_CONN=100
SECRET_KEY_BASE=
VAULT_ENC_KEY=
PG_META_CRYPTO_KEY=
# Pool size for internal metadata storage used by Supavisor
# This is separate from client connections and used only by Supavisor itself
POOLER_DB_POOL_SIZE=5


############
# API Proxy - Configuration for the Kong Reverse proxy.
############

KONG_HTTP_PORT=8000
KONG_HTTPS_PORT=8443


############
# API - Configuration for PostgREST.
############

PGRST_DB_SCHEMAS=public,storage,graphql_public


############
# Auth - Configuration for the GoTrue authentication server.
############

## General
SITE_URL=http://localhost:3000
ADDITIONAL_REDIRECT_URLS=
JWT_EXPIRY=3600
DISABLE_SIGNUP=false
API_EXTERNAL_URL=http://localhost:8000

## Mailer Config
MAILER_URLPATHS_CONFIRMATION="/auth/v1/verify"
MAILER_URLPATHS_INVITE="/auth/v1/verify"
MAILER_URLPATHS_RECOVERY="/auth/v1/verify"
MAILER_URLPATHS_EMAIL_CHANGE="/auth/v1/verify"

## Email auth
ENABLE_EMAIL_SIGNUP=true
ENABLE_EMAIL_AUTOCONFIRM=true
SMTP_ADMIN_EMAIL=admin@example.com
SMTP_HOST=supabase-mail
SMTP_PORT=2500
SMTP_USER=fake_mail_user
SMTP_PASS=fake_mail_password
SMTP_SENDER_NAME=fake_sender
ENABLE_ANONYMOUS_USERS=false

## Phone auth
ENABLE_PHONE_SIGNUP=true
ENABLE_PHONE_AUTOCONFIRM=true


############
# Studio - Configuration for the Dashboard
############

STUDIO_DEFAULT_ORGANIZATION=Organization
STUDIO_DEFAULT_PROJECT=Project

STUDIO_PORT=3000
# replace if you intend to use Studio outside of localhost
SUPABASE_PUBLIC_URL=http://localhost:8000

# Enable webp support
IMGPROXY_ENABLE_WEBP_DETECTION=true

# Add your OpenAI API key to enable SQL Editor Assistant
OPENAI_API_KEY=

# ============================================
# Cloudflare Tunnel Configuration (Optional)
# ============================================
CLOUDFLARE_TUNNEL_TOKEN=

# ============================================
# Gost Proxy Configuration (Optional)
# ============================================
# Routes AI service traffic through an external proxy for geo-bypass.
# Use this to access OpenAI/Anthropic/Google APIs from restricted regions.

# Credentials (auto-generated)
GOST_USERNAME=gost
GOST_PASSWORD=

# Proxy URL for AI services (auto-generated: http://user:pass@gost:8080)
GOST_PROXY_URL=

# External upstream proxy (REQUIRED - asked during wizard if gost is selected)
# Examples: socks5://user:pass@proxy.com:1080, http://user:pass@proxy.com:8080
GOST_UPSTREAM_PROXY=

# Internal services bypass list (prevents internal Docker traffic from going through proxy)
# Includes: Docker internal networks (172.16-31.*, 10.*), Docker DNS (127.0.0.11), and all service hostnames
GOST_NO_PROXY=localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,postgres,postgres:5432,redis,redis:6379,caddy,ollama,neo4j,qdrant,weaviate,clickhouse,minio,searxng,crawl4ai,gotenberg,langfuse-web,langfuse-worker,flowise,n8n,n8n-import,n8n-worker-1,n8n-worker-2,n8n-worker-3,n8n-worker-4,n8n-worker-5,n8n-worker-6,n8n-worker-7,n8n-worker-8,n8n-worker-9,n8n-worker-10,n8n-runner-1,n8n-runner-2,n8n-runner-3,n8n-runner-4,n8n-runner-5,n8n-runner-6,n8n-runner-7,n8n-runner-8,n8n-runner-9,n8n-runner-10,letta,lightrag,docling,postiz,temporal,temporal-ui,ragflow,ragflow-mysql,ragflow-minio,ragflow-redis,ragflow-elasticsearch,ragapp,open-webui,comfyui,waha,libretranslate,paddleocr,nocodb,db,studio,kong,auth,rest,realtime,storage,imgproxy,meta,functions,analytics,vector,supavisor,gost

############
# Functions - Configuration for Functions
############
# NOTE: VERIFY_JWT applies to all functions. Per-function VERIFY_JWT is not supported yet.
FUNCTIONS_VERIFY_JWT=false


############
# Logs - Configuration for Analytics
# Please refer to https://supabase.com/docs/reference/self-hosting-analytics/introduction
############

# Change vector.toml sinks to reflect this change
# these cannot be the same value
LOGFLARE_PUBLIC_ACCESS_TOKEN="not-in-use"
LOGFLARE_PRIVATE_ACCESS_TOKEN="not-in-use"

# Docker socket location - this value will differ depending on your OS
DOCKER_SOCKET_LOCATION=/var/run/docker.sock

# Google Cloud Project details
GOOGLE_PROJECT_ID=GOOGLE_PROJECT_ID
GOOGLE_PROJECT_NUMBER=GOOGLE_PROJECT_NUMBER

# Letta
LETTA_SERVER_PASSWORD=

# Langsmith
LANGCHAIN_ENDPOINT=https://api.smith.langchain.com
LANGCHAIN_TRACING_V2=true
LANGCHAIN_API_KEY=

# Dify application settings
# Based on: https://docs.dify.ai/en/getting-started/install-self-hosted/environments
############
DIFY_SECRET_KEY=
DIFY_EXPOSE_NGINX_PORT=8080
DIFY_EXPOSE_NGINX_SSL_PORT=9443

###########################################################################################
COMPOSE_PROFILES="n8n,portainer,monitoring,databasus"
PROMETHEUS_PASSWORD_HASH=
SEARXNG_PASSWORD_HASH=
COMFYUI_PASSWORD_HASH=
RAGAPP_PASSWORD_HASH=

############
# Postiz configuration
# Reference: https://docs.postiz.com/configuration/reference
# To protect Postiz via Caddy basic auth (optional), set these:
############

POSTIZ_DISABLE_REGISTRATION=false

############
# Temporal UI credentials (for Caddy basic auth)
############
TEMPORAL_UI_USERNAME=
TEMPORAL_UI_PASSWORD=
TEMPORAL_UI_PASSWORD_HASH=

############
# Postiz Social Media Integrations
# Leave blank if not used. Provide credentials from each platform.
############

X_API_KEY=
X_API_SECRET=

LINKEDIN_CLIENT_ID=
LINKEDIN_CLIENT_SECRET=

REDDIT_CLIENT_ID=
REDDIT_CLIENT_SECRET=

GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=

BEEHIIVE_API_KEY=
BEEHIIVE_PUBLICATION_ID=

THREADS_APP_ID=
THREADS_APP_SECRET=

FACEBOOK_APP_ID=
FACEBOOK_APP_SECRET=

YOUTUBE_CLIENT_ID=
YOUTUBE_CLIENT_SECRET=

TIKTOK_CLIENT_ID=
TIKTOK_CLIENT_SECRET=

PINTEREST_CLIENT_ID=
PINTEREST_CLIENT_SECRET=

DRIBBBLE_CLIENT_ID=
DRIBBBLE_CLIENT_SECRET=

DISCORD_CLIENT_ID=
DISCORD_CLIENT_SECRET=
DISCORD_BOT_TOKEN_ID=

SLACK_ID=
SLACK_SECRET=
SLACK_SIGNING_SECRET=

MASTODON_URL=https://mastodon.social
MASTODON_CLIENT_ID=
MASTODON_CLIENT_SECRET=


############
# WAHA (WhatsApp HTTP API) configuration
# Engine: NOWEB | WEBJS | GOWS
############
WAHA_ENGINE=NOWEB
WAHA_PUBLIC_URL=https://waha.yourdomain.com

# API key (hashed). Value must look like: sha512:HEX
WAHA_API_KEY=
# Plaintext API key (generated; shown in final report). Keep private.
WAHA_API_KEY_PLAIN=

# Dashboard credentials
WAHA_DASHBOARD_USERNAME=
WAHA_DASHBOARD_PASSWORD=

# Swagger credentials
WHATSAPP_SWAGGER_USERNAME=
WHATSAPP_SWAGGER_PASSWORD=

############
# [required]
# RAGFlow internal credentials (for MySQL, MinIO, Redis, and Elasticsearch)
############
RAGFLOW_MYSQL_ROOT_PASSWORD=
RAGFLOW_MINIO_ROOT_PASSWORD=
RAGFLOW_REDIS_PASSWORD=
RAGFLOW_ELASTICSEARCH_PASSWORD=

############
# [optional]
# Docling configuration
# DOCLING_IMAGE: Choose CPU or GPU version
#   - ghcr.io/docling-project/docling-serve-cpu (4.4 GB, default)
#   - ghcr.io/docling-project/docling-serve-cu126 (10.0 GB, NVIDIA GPU with CUDA 12.6)
#   - ghcr.io/docling-project/docling-serve-cu128 (11.4 GB, NVIDIA GPU with CUDA 12.8)
# Note: Web UI is always enabled on /ui
#
# VLM Pipeline Configuration:
# DOCLING_SERVE_ENABLE_REMOTE_SERVICES: Required for VLM via external APIs (Ollama, vLLM)
# DOCLING_SERVE_LOAD_MODELS_AT_BOOT: Pre-load standard models at startup
# DOCLING_DEVICE: Device for model inference (cpu, cuda, mps)
############
DOCLING_IMAGE=ghcr.io/docling-project/docling-serve-cpu
DOCLING_SERVE_ENABLE_REMOTE_SERVICES=true
DOCLING_SERVE_LOAD_MODELS_AT_BOOT=false
DOCLING_DEVICE=cpu

##########################################################################################