NUFI Docs

Environment variables

Every variable in .env, what it does, how to generate it.

The .env file is the single source of truth for runtime config. The bootstrap script generates a working one; this page is the reference for when you need to edit by hand.

Secrets

Generate every secret. Never check .env into git.

VariableGenerate withUsed by
POSTGRES_PASSWORDopenssl rand -base64 32Postgres, Gateway, trace store
CLICKHOUSE_PASSWORDopenssl rand -base64 32ClickHouse, Langfuse
REDIS_PASSWORDopenssl rand -base64 32Redis (optional)
MONGO_INITDB_ROOT_PASSWORDopenssl rand -base64 32MongoDB, NUFI Chat
MINIO_ROOT_PASSWORDopenssl rand -base64 32MinIO, Langfuse S3 client
LITELLM_MASTER_KEYopenssl rand -hex 32gateway admin auth
LITELLM_SALT_KEYopenssl rand -hex 32Gateway key hashing
JWT_SECRETopenssl rand -hex 32Chat + Console (shared)
JWT_REFRESH_SECRETopenssl rand -hex 32Chat + Console (shared)
CREDS_KEYopenssl rand -hex 32Chat credential encryption
CREDS_IVopenssl rand -hex 16Chat credential encryption
LANGFUSE_SALTopenssl rand -base64 32Langfuse
LANGFUSE_ENCRYPTION_KEYopenssl rand -hex 32Langfuse encryption-at-rest
LANGFUSE_NEXTAUTH_SECRETopenssl rand -base64 32Langfuse session signing
LANGFUSE_PUBLIC_KEYopenssl rand -base64 24Gateway → trace store ingestion
LANGFUSE_SECRET_KEYopenssl rand -base64 32Gateway → trace store ingestion
LLM_GUARD_AUTH_TOKENopenssl rand -base64 32Gateway → safety filter auth

Public URLs

Set to match how users reach you.

VariableExample
DOMAIN_CLIENThttps://chat.nufi.me
DOMAIN_SERVERhttps://chat.nufi.me
LIBRECHAT_URLhttps://chat.nufi.me
CONSOLE_URLhttps://console.nufi.me
LANGFUSE_NEXTAUTH_URLhttps://langfuse.nufi.me
LANGFUSE_HOSThttps://langfuse.nufi.me
LANGFUSE_INIT_USER_EMAILFirst admin email
LANGFUSE_INIT_USER_PASSWORDFirst admin password

Cross-subdomain SSO

If chat and console live on different subdomains of the same parent domain:

COOKIE_DOMAIN=.nufi.me
COOKIE_SAMESITE=lax       # must be 'lax' when COOKIE_DOMAIN is set

Leave both blank for a same-origin or single-subdomain setup.

LLM backend

For each backend that has a ${VAR} reference in litellm/config.yaml, set it here:

# Used by add-model.sh when registering local backends
GPU_BACKEND_BASE_URL=http://host.docker.internal:11434/v1
GPU_BACKEND_API_KEY=ollama
NPU_BACKEND_BASE_URL=
NPU_BACKEND_API_KEY=

# Cloud providers — set per provider you use
OPENAI_API_KEY=sk-…
ANTHROPIC_API_KEY=sk-…
TOGETHER_API_KEY=
GROQ_API_KEY=
GEMINI_API_KEY=

The gateway exposes every variable from .env, so any config.yaml ${VAR} reference works without editing compose.

Console defaults

JIT-provision defaults for new users:

VariableDefaultPurpose
DEFAULT_USER_BUDGET10USD / period
DEFAULT_BUDGET_DURATION30dRefresh interval
DEFAULT_TPM_LIMIT10000Tokens per minute
DEFAULT_RPM_LIMIT60Requests per minute
KEY_DEFAULT_DURATION90dTTL of issued keys

E2E smoke test

Required by ./scripts/e2e-smoke-test.sh:

E2E_USER_EMAIL=e2e@nufi.local
E2E_USER_PASSWORD=<random>
E2E_USER_NAME=E2E Bot
E2E_MODEL=qwen2.5-3b
E2E_EXPECTED_HARDWARE_ID=mac-local
E2E_ENDPOINT_NAME=NPUOps

When ALLOW_REGISTRATION=false, the e2e user must be pre-created — the test only auto-registers when registration is open.

Chat feature toggles

VariableDefaultPurpose
APP_TITLENufi ChatBrand title in the UI
ALLOW_REGISTRATIONtrueSelf-sign-up on / off
ALLOW_EMAIL_LOGINtrueEmail + password login on / off
CUSTOM_FOOTER(empty)Footer text in the chat
HELP_AND_FAQ_URL(empty)"Help" link in the chat
PRIVACY_POLICY_URL(empty)Privacy link
TERMS_OF_SERVICE_URL(empty)Terms link

Grafana

GRAFANA_ADMIN_USER=admin
GRAFANA_ADMIN_PASSWORD=<random>

Image tags (pin in prod)

VariableExample value
NUFI_CONSOLE_TAGnufi-console-v0.2.0
IMAGE_TAG (nufi-chat)nufi-v0.0.5

The compose file uses ${NUFI_CONSOLE_TAG:-main} as the default. In production, pin a specific tag and bump it intentionally.

See Reference → env vars for the same table as a quick lookup.

Docker Compose

The compose stack — services, volumes, networks, profiles.

GHCR images

Authenticating to the GitHub Container Registry, pinning tags, troubleshooting pulls.

On this page

SecretsPublic URLsCross-subdomain SSOLLM backendConsole defaultsE2E smoke testChat feature togglesGrafanaImage tags (pin in prod)